lazarusholic

Kimsuky Group’s Phishing Attacks Targeting North Korea-Related Personnel

2023-05-21, Ahnlab
https://asec.ahnlab.com/en/52970/
#Kimsuky

Contents

AhnLab Security Emergency response Center (ASEC) has recently discovered that the Kimsuky group had created a webmail website that looks identical to those of certain national policy research institutes.
Earlier this year, ASEC covered similar cases in the posts ‘Web Page Disguised as a Kakao[1]/Naver[2] Login Page’. In those cases, the attacker set up fake login pages with the IDs of trade, media, and North Korea-related individuals and organizations autocompleted. The recently discovered web page uses a similar tactic: the ID of the target organization’s leader is autocompleted on the newly created website.
When the user attempts to log in, the threat actor comes into possession of the credentials for the internal webmail account. This data is deemed as useful as the target user’s portal website account credentials.
Figure 1. Webmail login page created to target North Korea-related business managers
Judging from the reverse DNS data-related IP/domain addresses and relevant …