The North Korean threat actor known as Kimsuki has been linked to a series of phishing attacks that involve sending emails originating from Russian sender addresses to ultimately carry out credential theft.
“Until early September, phishing emails were sent mainly through email services in Japan and Korea,” South Korean cybersecurity company Genians said. “Then, starting in mid-September, some phishing emails disguised as if they were sent from Russia were seen.”
This entails the abuse of the VK Mail.ru e-mail service, which supports five different alias domains, including mail.ru, internet.ru, bk.ru, inbox.ru and list.ru.
Genians said it observed Kimsuky actors using all of the above sender domains for phishing campaigns impersonating financial institutions and online portals such as Naver.
Other phishing attacks have involved sending messages impersonating Naver’s MYBOX cloud storage service and aiming to trick users into clicking links, giving them a false sense of urgency that their accounts have been found to contain malicious files and need to be deleted.
Variants of MYBOX-themed phishing emails have been recorded since late April 2024, with the first waves using Japanese, South Korean, and American domains as sender addresses.
Although these messages were allegedly sent from domains such as “mmbox(.)ru” and “ncloud(.)ru”, further analysis revealed that the attacker used a compromised email server belonging to Evangelical University ( evangelia(.)edu). to send messages using the PHP-based Star mail service.
It should be noted that Kimsuky’s use of legitimate email tools such as PHPMailer and Zorka was previously documented by enterprise security firm Proofpoint in November 2021.
The ultimate goal of these attacks, according to Genians, is to steal credentials, which can then be used to hijack victims’ accounts and use them to carry out subsequent attacks on other employees or acquaintances.
For years, Kimsuki has proved to be adept in conducting email-targeted social engineering campaigns, using techniques to spoof email senders to appear as if they belong to trusted individuals, thereby evading security checks.
Earlier this year, the US government called out the cyber actor for exploiting “misconfigured domain-based DNS Authentication, Reporting, and Conformance (DMARC) recording policy to conceal social engineering attempts.”
