Researchers from Malwarebytes have identified a targeted operation by the Kimsuky APT against the South Korean government using the AppleSeed backdoor.
The Malwarebytes Threat Intelligence team is actively monitoring the threat actor Kimsuky APT, also known as Thallium and Velvet Chollima, which is targeting government officials of South Korea via phishing websites, malicious documents, and scripts.
The team said that this sophisticated attack was designed to target the Korean government, including:
Ministry of Foreign Affairs, Republic of Korea 1st Secretary
Ministry of Foreign Affairs, Republic of Korea 2nd Secretary
Deputy Consul General at Korean Consulate General in Hong Kong
International Atomic Energy Agency (IAEA) Nuclear Security Officer
Ambassador of the Embassy of Sri Lanka to the State
Ministry of Foreign Affairs and Trade counselor
Besides the government, the researchers observed that the group has also targeted universities and companies such as Seoul National University and Daishin financial security.
Researchers stated, “The group has the capability to set up phishing infrastructure to mimic well-known websites and trick victims into entering their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails. The group is still using similar phishing models previously mentioned in the KISA report with some small changes.”
Researchers observed that the threat actor has developed different phishing pages mimicking web services such as Gmail, Microsoft Outlook and Hotmail to steal credentials.
The threat intelligence team has released a set of IOCs that organizations can incorporate to detect the attacker's infrastructure.
URLs used for Phishing Attacks:
The researchers observed that the group uses Twitter accounts to find and monitor its targets for well-crafted spear-phishing attacks. “tjkim1991@gmail[.]com” is one such Gmail account, which the group used to register domains like “ns1.microsoft-office[.]us” and “ns2.microsoft-office[.]us”.
C2 server list:
210.16.120[.]34 216.189.157[.]89 45.58.55[.]73 45.13.135[.]103 27.102.114[.]89 210.16.121[.]137 58.229.208[.]146 27.102.107[.]63 download.riseknite[.]life onedrive-upload.ikpoo[.]cf alps.travelmountain[.]ml texts.letterpaper[.]press
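The indicators above are published defanged ("[.]"), so they cannot be pasted straight into a log search. The following is an added example (not from Malwarebytes or the article) that refangs the page's IOCs, separates IPs from domains, and matches them, including subdomains of a listed C2 domain, against constructed proxy/DNS log lines; the log lines and field layout are assumptions.

```python
import ipaddress
import re

# Defanged indicators as published on the page: the C2 list plus the two
# name-server domains registered by the actor's Gmail account.
DEFANGED_IOCS = [
    "210.16.120[.]34", "216.189.157[.]89", "45.58.55[.]73", "45.13.135[.]103",
    "27.102.114[.]89", "210.16.121[.]137", "58.229.208[.]146", "27.102.107[.]63",
    "download.riseknite[.]life", "onedrive-upload.ikpoo[.]cf",
    "alps.travelmountain[.]ml", "texts.letterpaper[.]press",
    "ns1.microsoft-office[.]us", "ns2.microsoft-office[.]us",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "hxxp") back into its real form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()

def load_iocs(defanged):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:          # not an IP literal, treat as a hostname
            domains.add(value)
    return ips, domains

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def domain_hit(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan_log(lines, ips, domains):
    """Return (line_no, kind, value) for every IOC match in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits += [(n, "ip", ip) for ip in IP_RE.findall(line) if ip in ips]
        hits += [(n, "domain", h.lower()) for h in HOST_RE.findall(line)
                 if domain_hit(h, domains)]
    return hits

# Constructed sample proxy/DNS log lines (not taken from the report).
SAMPLE_LOG = [
    "2021-06-01T09:12:03Z dns query A download.riseknite.life from 10.0.0.12",
    "2021-06-01T09:12:04Z proxy CONNECT 45.58.55.73:443 user=jdoe",
    "2021-06-01T09:13:10Z proxy GET https://www.microsoft.com/ user=jdoe",
    "2021-06-01T09:14:00Z dns query A cdn.texts.letterpaper.press from 10.0.0.19",
]

if __name__ == "__main__":
    ips, domains = load_iocs(DEFANGED_IOCS)
    for hit in scan_log(SAMPLE_LOG, ips, domains):
        print(hit)
```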