Threat Actor: Kimsuky
Victim: Various individuals and organizations in South Korea
Price: Not applicable
Exfiltrated Data Type: Credentials and sensitive information
Key Points:
- Phishing attacks surged in South Korea starting October 2023, impersonating government services.
- Attackers used reputable domains like Biglobe and MyDomain to deploy phishing links.
- In September 2024, phishing emails began originating from fabricated Russian domains.
- The emails were actually sent from Korea through compromised servers, including one at Evangelia University in the U.S.
- The attacks focus on credential theft without the use of malware, exploiting user familiarity with financial institutions.
- The absence of malware may lead victims to underestimate the threat posed by these phishing campaigns.
- Stolen credentials can facilitate follow-up attacks and deeper network infiltration.
- Organizations and individuals must remain vigilant against evolving tactics from state-sponsored cyber campaigns.
Background
An investigation from Genians highlights a surge in phishing attacks in South Korea, starting in October 2023, with malicious actors impersonating government services like the “National Secretary.” Leveraging domains from reputable providers such as Japan’s Biglobe and Korea’s MyDomain, attackers deployed phishing links designed to steal credentials. These fake sites, masked as official portals or electronic document services, effectively duped users into divulging sensitive information.
A Shift in Tactics
While the early stages of the campaign relied heavily on Japanese and Korean email services, a notable shift occurred in September 2024, when phishing emails began appearing to originate from Russian domains such as “mmbox[.]ru” and “ncloud[.]ru.” Investigation revealed these to be fabricated sender addresses: the emails were actually sent from Korea using a mailer tool called “star 3.0”, relayed through compromised servers such as one at Evangelia University in the U.S.
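As an added defensive example (not part of the Genians report or this post), the script below checks whether a message's visible From domain is corroborated by its Return-Path, Message-ID and Received chain, which is exactly what a fabricated sender address fails. The header block is constructed: the From domain is taken from the campaign description, while every relay host, address and identifier is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the report): the From header claims a Russian
# mailbox provider, but the bounce address and every Received hop belong to an
# unrelated relay, matching the fabricated-sender pattern described above.
SAMPLE = """Return-Path: <bounce@relay.example.edu>
Received: from mail.relay.example.edu (mail.relay.example.edu [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTPS id 1A2B3C
\tfor <user@victim.example>; Mon, 16 Sep 2024 09:00:00 +0900
Received: from [192.0.2.5] (unknown [192.0.2.5])
\tby mail.relay.example.edu (Postfix) with ESMTPA id 4D5E6F;
\tMon, 16 Sep 2024 08:59:00 +0900
From: "Document Service" <notice@mmbox.ru>
To: user@victim.example
Subject: Electronic document notice
Message-ID: <20240916085900.4D5E6F@mail.relay.example.edu>

Please sign in to view the document.
"""

def _domain(addr):
    """Lower-cased domain of an RFC 5322 address, '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def check_sender_consistency(raw):
    """Compare the visible From domain with the bounce address, the Message-ID
    domain and the hosts in the Received chain; return the extracted values
    plus a list of mismatch findings (an empty list means consistent)."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    mid_dom = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+(\S+)", hdr)  # the host that handed the mail over
        if m:
            hops.append(m.group(1).strip("[]").lower())
    def same_org(host):
        return host == from_dom or host.endswith("." + from_dom)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if mid_dom and not same_org(mid_dom):
        findings.append(f"Message-ID generated at {mid_dom}, not at {from_dom}")
    if from_dom and not any(same_org(h) for h in hops):
        findings.append(f"no Received hop belongs to {from_dom}: {hops}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "message_id_domain": mid_dom, "hops": hops, "findings": findings}
```

Each finding is a heuristic, not proof of spoofing (forwarders and mailing lists also break these relationships), so use the result to prioritise review rather than to block outright.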
Phishing Without Malware
The attackers’ reliance on malware-free phishing is particularly interesting. By focusing on credential theft and impersonating financial institutions or cloud services like MYBOX, they exploit users’ familiarity with these services while leaving nothing for traditional antivirus detection to catch.
Implications and Response
The absence of malware in these campaigns may lull victims into underestimating the threat. Stolen credentials can enable follow-up attacks on associates or facilitate deeper infiltration into networks.
As the Kimsuky group continues to adapt its methods, organizations and individuals must stay alert to these evolving threats, which underscore the persistent ingenuity of state-sponsored cyber campaigns.
The post Kimsuky’s Phishing Attacks Evolve with Sophisticated Strategies appeared first on Daily Dark Web.