Summary:
This report highlights the ongoing phishing attacks attributed to the Kimsuky group, which have evolved to evade detection by utilizing various domains and tactics. The attackers have shifted their operations from Japan to Russia, employing malware-less strategies that exploit familiar financial themes to deceive victims. Organizations are urged to enhance their security measures, particularly through Endpoint Detection and Response (EDR) systems, to manage these threats effectively.
#Kimsuky #PhishingAttacks #EDR
Keypoints:
Phishing attacks are consistently reported globally, with URL phishing methods being particularly difficult to detect.
The Kimsuky group has been identified in numerous phishing attacks targeting individuals in North Korea-related fields.
Phishing emails often masquerade as legitimate communications from financial institutions or public services.
Attackers have been observed switching their phishing email origins from Japan to Russia to avoid detection.
Organizations should register scenario-based IoC data in EDR products so that threats can be detected at the initial access stage.
Phishing campaigns have been increasingly sophisticated, using familiar themes to lower the recipient’s suspicion.
Security measures must be enhanced to monitor and manage phishing threats effectively.
MITRE Techniques:
Phishing (T1566): Utilizes deceptive emails to trick users into revealing sensitive information or credentials.
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Credential Dumping (T1003): Attempts to steal user credentials from compromised systems.
Exploitation of Remote Services (T1210): Exploits vulnerabilities in remote services to gain unauthorized access.
IoC:
Full Research: https://www.genians.co.kr/blog/threat_intelligence/kimsuky-cases