lazarusholic


Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials

2024-03-05, Hunt
https://hunt.io/blog/open-directory-exposes-phishing-campaign-targeting-google-and-naver-credentials
#Kimsuky #XenoRAT

Summary
- Over the past month, Hunt has tracked an ongoing phishing campaign by a likely North Korean threat actor focused on stealing Google and Naver credentials.
- The actor first registered a domain spoofing cryptocurrency exchange Binance, then began to set up targeted phishing pages using iframes once Google Safe Browsing tagged the site as malicious.
- In addition to the multiple spoofed Google and Naver pages, the open directory that led us to this discovery also hosts a copy of the open-source malware, Xeno-RAT, and KakaoTalk chat logs between unknown individuals discussing cryptocurrency trading.
- The network infrastructure and specific top-level domains (TLDs) used in this campaign contain multiple overlaps with the North Korean-linked APT group Kimsuky (APT43, Black Banshee, Thallium).
Overview
Hunt came across an open directory that stood out because of the ASN it sat on and the server software it was running; initially it hosted only a few folders. …

IoC

27.255.75.158
45.195.69.28
57cb8dca59c6fd0aab69c052c93fcece4fc3d0ff
d8591a62916984952383b789e8ab2697f4642c63
http://123.76.96.130
http://27.255.75.158
http://45.195.69.28
http://account.binace.homes
http://ccid.navincteam.shop
http://gcuser.eu
http://gduser.eu
http://geuser.eu
http://geuser.eu/li
http://ghuser.eu
http://giuser.eu
http://gjuser.eu
http://gmail/gduser.eu/index.php
http://goto2corp.binace.homes
http://guser.eu
http://hogmasil.lol
http://ilk.gduser.eu
http://jandfolg.lol
http://kidsmanagement-pa.client6.binace.homes
http://kortiosdfp.lol
http://masnail.shop
http://mil.masnail.shop
http://mmori.lol
http://naverscorp.shop
http://navincteam.shop
http://ncallserveiqnxme.store
http://nid.navincteam.shop
http://policy.navincteam.shop
http://ser.eu
http://soundcaptchanidid.navincteam.shop
http://stuff.gduser.eu/gmail/gduser.eu/index.php?/bad-page
http://stuff.ilk.gduser.eu/bad-page
http://support.binace.homes
http://user.eu
http://workspace.binace.homes
http://wwwcorpid.navincteam.shop
http://wwwid.navincteam.shop
https://binace.homes/middle/attach/PhishingURL
[email protected]
[email protected]
[email protected]