lazarusholic

Everyday is lazarus.dayβ

From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering

2024-04-16, Proofpoint
https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering
#DMARC #TA427

Key takeaways
- TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime.
- In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor.
- To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing.
- TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information such as whether the email account is active.
Overview
Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People’s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, …

IoC

http://stimson.shop
http://stimsonn.org
http://wilsoncenters.org