Analysis of VAT Final Tax Return Payment Notification Phishing Email Suspected to be from Kimsuky (January 20, 2025)

This article analyzes a phishing email believed to be created by the Kimsuky group, which disguises itself as a notification for a value-added tax payment from the National Tax Service. The email appears legitimate but is linked to a Russian email address, exposing users to potential fraud. Affected: Kimsuky, email users, National Tax Service.

Keypoints :

  • The phishing email pretends to be a tax payment notification from the National Tax Service.
  • It includes a sense of urgency with a deadline for document viewing.
  • The email's sender is linked to a Russian domain, raising suspicion.
  • Phishing links are present, leading to potentially malicious sites.
  • An analysis of the email header shows technical details suggesting illegitimacy.

MITRE Techniques :

  • Phishing (T1566) – The attack involves sending a deceptive email posing as an official document to trick users into clicking a link.

Indicator of Compromise :

  • [URL] hxxp://authurize.niduser.info.dns.cloud.check-info.o-r.kr
  • [Email Address] health-info@internet.ru
  • [IP Address] 89.221.237.244
  • [Domain] internet.ru
  • [Domain] mail.ru
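
The following triage sketch is an added example, not code from the original analysis: it checks one raw message against the indicators listed above and flags a tax-office display name paired with a non-official sender domain. The sample message, the `triage` function, the display-name keyword and the `.go.kr` official-suffix check are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# IoCs copied from the list above; the URL host is matched defanged or live.
IOC_SENDERS = {"health-info@internet.ru"}
IOC_DOMAINS = {"internet.ru", "mail.ru"}
IOC_IPS = {"89.221.237.244"}
IOC_URL_HOSTS = {"authurize.niduser.info.dns.cloud.check-info.o-r.kr"}
# Assumptions (not from the article): display-name keyword and official suffix.
BRAND, OFFICIAL_SUFFIX = "national tax service", ".go.kr"

# Constructed sample; only the IoC values come from the article.
SAMPLE = """\
Received: from relay.example.invalid ([89.221.237.244]) by mx.example.invalid; Mon, 20 Jan 2025 09:00:00 +0900
From: "National Tax Service" <health-info@internet.ru>
Subject: VAT final tax return payment notification
Content-Type: text/plain; charset="utf-8"

View the document before the deadline:
hxxp://authurize.niduser.info.dns.cloud.check-info.o-r.kr
"""

def triage(raw: str) -> list[str]:
    """Return IoC and spoofing findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if addr in IOC_SENDERS:
        findings.append(f"sender:{addr}")
    if domain in IOC_DOMAINS:
        findings.append(f"sender-domain:{domain}")
    # Display name claims the tax office but the address is not on an official domain.
    if BRAND in name.lower() and not domain.endswith(OFFICIAL_SUFFIX):
        findings.append(f"display-name-mismatch:{domain}")
    for hop in msg.get_all("Received", []):  # relay IPs appear in brackets
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop):
            if ip in IOC_IPS:
                findings.append(f"relay-ip:{ip}")
    for part in msg.walk():  # scan every text part, skipping multipart containers
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for host in re.findall(r"h(?:tt|xx)ps?://([^\s/\"'<>]+)", body, re.I):
                if host.lower() in IOC_URL_HOSTS:
                    findings.append(f"url-host:{host.lower()}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```
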

Full Story: https://wezard4u.tistory.com/429393