Russian Emails Used by North Korean Kimsuky to Commit Credential Theft Attacks – Active IOCs

2024-12-04, Rewterz
https://www.rewterz.com/threat-advisory/russian-emails-used-by-north-korean-kimsuky-to-commit-credential-theft-attacks-active-iocs
#Kimsuky

Analysis Summary
Kimsuky, a threat actor associated with North Korea, has been linked to several phishing campaigns that use email messages sent from Russian sender addresses to steal credentials. Until early September, the phishing emails were sent mainly through email providers in Korea and Japan; from mid-September onward, phishing emails that appeared to originate from Russia were observed.
VK's Mail.ru email service, which offers five distinct alias domains (mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru), is being abused to send these messages. According to the researchers, the Kimsuky actors have used all of the sender domains listed above in phishing attempts that impersonate online portals and financial organizations, such as Naver.
Other phishing attempts have used messages imitating Naver's MYBOX cloud storage service to trick users into clicking links, creating a false sense of urgency by claiming that dangerous files have been found in their accounts and that …

IoC
