Home Security North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

by


Dec 03, 2024Ravie LakshmananThreat Intelligence / Email Security

The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft.

“Phishing emails were sent mainly through email services in Japan and Korea until early September,” South Korean cybersecurity company Genians said. “Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed.”

This entails the abuse of VK’s Mail.ru email service, which supports five different alias domains, including mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru.

Genians said it has observed the Kimsuky actors leveraging all the aforementioned sender domains for phishing campaigns that masquerade as financial institutions and internet portals like Naver.

Cybersecurity

Other phishing attacks have entailed sending messages that mimic Naver’s MYBOX cloud storage service and aim to trick users into clicking on links by inducing a false sense of urgency that malicious files had been detected in their accounts and that they need to delete them.

Variants of MYBOX-themed phishing emails have been recorded since late April 2024, with the early waves employing Japanese, South Korea, and U.S. domains for sender addresses.

North Korean Kimsuky Hackers
Credential Theft Attacks

While these messages were ostensibly sent from domains such as “mmbox[.]ru” and “ncloud[.]ru,” further analysis has revealed that the threat actor leveraged a compromised email server belonging to Evangelia University (evangelia[.]edu) to send the messages using a PHP-based mailer service called Star.

It’s worth noting that Kimsuky’s use of legitimate email tools like PHPMailer and Star was previously documented by enterprise security firm Proofpoint in November 2021.

The end goal of these attacks, per Genians, is to carry out credential theft, which could then be used to hijack victim accounts and use them to launch follow-on attacks against other employees or acquaintances.

Cybersecurity

Over the years, Kimsuky has proven to be adept at conducting email-oriented social engineering campaigns, employing techniques to spoof email senders to appear as if they are from trusted parties, thus evading security checks.

Earlier this year, the U.S. government called out the cyber actor for exploiting “improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex