DPRK-NEXUS ADVERSARY TARGETS SOUTH-KOREAN INDIVIDUALS IN A NEW CHAPTER OF KITTY PHISHING OPERATION
By
Cluster25 Threat Intel Team
April 11, 2022
The research team at Cluster25 traced recent activity, beginning in the first days of April 2022, from a DPRK-nexus threat actor that uses spear-phishing emails carrying malicious Korean-language documents with different lures (like the example below) to compromise its victims.
The lures used in the malicious Word documents of this campaign differ widely from one another. They range from impersonation of the Korea Internet Information Center (KRNIC) to impersonation of various South Korean internet security firms (e.g., AhnLab, Menlo Security, SaniTOX) or cryptocurrency firms (e.g., Binance).
The targeting of this campaign appears generic and aimed at stealing data from South Korean individuals. In most of the identified infections, the victims were users with an email account registered on naver dot com, a South Korean web platform that includes free email boxes, news, and search engine functionality. Cluster25 attributed this campaign to a DPRK-nexus adversary as …
IoC