The threat actor associated with North Korea is known as Kimsuki has been linked to a new set of attacks targeting university staff, researchers and teachers for intelligence gathering purposes.
Cybersecurity firm Resilience said it discovered the activity in late July 2024 after noticing an operation security (OPSEC) error made by hackers.
Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail and Velvet Chollima, is just one of many offensive cyber groups operating under the direction of the North Korean government and military.
It is also very active, often using phishing campaigns as a starting point to provide an ever-expanding set of user tools to conduct reconnaissance, steal data, and establish permanent remote access to infected nodes.
The attacks are also characterized by the use of compromised hosts as an intermediate infrastructure to deploy an obfuscated version of the Green Dinosaur web shell, which is then used to perform file operations. The use of Kimuksy web shell was highlighted earlier by blackorbird security researcher in May 2024.
The access provided by Green Dinosaur is then used to upload pre-made phishing pages that mimic legitimate login portals for Naver and various universities such as Dongduk University, Korea University, and Yonsei University in order to capture their credentials.
Victims are then redirected to another site that points to a PDF document hosted on Google Drive that purports to be an invitation to the Asan Institute for Policy Studies’ August forum.
“In addition, Kimsuky phishing sites have an untargeted set of tools to harvest Naver accounts,” Resilience researchers said.
“This toolkit is a rudimentary Evilginx-like proxy to steal visitors’ cookies and credentials and displays pop-ups telling users they need to log in again because communication with the server has been broken.”
The analysis also shed light on custom PHPMailer The SendMail tool used by Kimsuky is used to send phishing emails to targets using Gmail and Daum Mail accounts.
To combat the threat, it is recommended that users enable phishing-resistant multi-factor authentication (MFA) and carefully check URLs before signing in.
