
Malwarebytes Researchers Uncover Targeted Operation Against South Korean Government

Researchers from Malwarebytes have identified a targeted operation by the Kimsuky APT against the South Korean government that uses the AppleSeed backdoor.

Malwarebytes' Threat Intelligence team is actively monitoring the threat actor Kimsuky APT (also known as Thallium and Velvet Chollima, among other names), which is targeting South Korean government officials through phishing websites, malicious documents, and scripts.

The intelligence team said this sophisticated attack was designed to target the Korean government, including:

Ministry of Foreign Affairs, Republic of Korea 1st Secretary

Ministry of Foreign Affairs, Republic of Korea 2nd Secretary

Trade Minister

Deputy Consul General at Korean Consulate General in Hong Kong

International Atomic Energy Agency (IAEA) Nuclear Security Officer

Ambassador of the Embassy of Sri Lanka to the State

Ministry of Foreign Affairs and Trade counselor

Besides the government, the researchers observed that the group has also targeted universities and companies, such as Seoul National University and the Daishin financial security company.

Researchers stated, “The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails. The group is still using similar phishing models previously mentioned in the KISA report with some small changes.”

Source: Malwarebytes

The researchers observed that the threat actor has developed several phishing techniques that mimic web services such as Gmail, Microsoft Outlook, and Hotmail in order to steal credentials.

The threat intelligence team has released a set of IOCs that organizations can incorporate into their tooling to detect the attacker's infrastructure.

URLs used for phishing attacks:

http://accounts[.]goggle[.]hol[.]es/MyAccount
https://myaccount[.]google[.]newkda[.]com/signin
http://myaccount[.]google[.]newkda[.]com/signin
http://myaccount[.]google[.]nkaac[.]net/signin
https://myaccounts-gmail[.]autho[.]co/signin
http://myaccounts-gmail[.]kr-infos[.]com/signin
http://myaccount[.]cgmail[.]pe[.]hu/signin
https://accounts[.]google-manager[.]ga/signin
https://accounts[.]google-signin[.]ga/v2
https://myaccount[.]google-signin[.]ga/signin
https://account[.]grnail-signin[.]ga/v2
https://myaccount[.]grnail-signin[.]ga/v2
https://myaccounts[.]grnail-signin[.]ga/v2
https://accounts[.]grnail-signin[.]ga/v2
https://protect[.]grnail-signin[.]ga/v2
https://accounts[.]grnail-signing[.]work/v2
https://myaccount[.]grnail-signing[.]work/v2
https://myaccount[.]grnail-security[.]work/v2
https://signin[.]grnail-login[.]ml
https://login[.]gmail-account[.]gq
https://signin[.]gmrail[.]ml
https://login[.]gmeil[.]kro[.]kr
https://account[.]googgle[.]kro[.]kr

The researchers also observed the threat actor using Twitter accounts to find and monitor its targets for well-crafted spear-phishing attacks. One Gmail account used by the group, "tjkim1991@gmail[.]com", registered domains such as "ns1.microsoft-office[.]us" and "ns2.microsoft-office[.]us".

C2 server list:

210.16.120[.]34
216.189.157[.]89
45.58.55[.]73
45.13.135[.]103
27.102.114[.]89
210.16.121[.]137
58.229.208[.]146 
27.102.107[.]63
download.riseknite[.]life
onedrive-upload.ikpoo[.]cf
alps.travelmountain[.]ml
texts.letterpaper[.]press
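
One way to put the two IOC lists above (the phishing URLs and the C2 servers) to work, as an added example that is not part of the Malwarebytes report or of this article: refang the defanged entries, split them into hostname and IP sets, and run them over proxy/DNS log lines. Because the phishing domains imitate Gmail and Google with "rn" in place of "m" (grnail) and one-character typos (goggle, gmeil, gmrail), the example also flags brand look-alikes that are not yet on the list. Only a subset of the indicators is embedded here, and the log lines are constructed for the example; the "timestamp client verb target" log format is an assumption.

```python
"""Match the Kimsuky phishing/C2 indicators against sample log lines.

The IOC entries are copied from the lists on this page; the log lines are
constructed for this example and do not come from any real incident.
"""
import ipaddress
import re
from urllib.parse import urlsplit

PHISHING_URLS = [
    "http://accounts[.]goggle[.]hol[.]es/MyAccount",
    "https://myaccount[.]google[.]newkda[.]com/signin",
    "https://accounts[.]grnail-signin[.]ga/v2",
    "https://login[.]gmeil[.]kro[.]kr",
]
C2_SERVERS = [
    "210.16.120[.]34",
    "45.58.55[.]73",
    "download.riseknite[.]life",
    "onedrive-upload.ikpoo[.]cf",
]
# Constructed sample log lines (assumed "timestamp client verb target" format).
SAMPLE_LOGS = [
    "2021-06-01T09:12:03Z 10.0.0.5 GET https://myaccount.google.newkda.com/signin",
    "2021-06-01T09:13:44Z 10.0.0.7 DNS download.riseknite.life A",
    "2021-06-01T09:15:10Z 10.0.0.8 CONNECT 45.58.55.73:443",
    "2021-06-01T09:16:01Z 10.0.0.9 GET https://accounts.google.com/signin",
    "2021-06-01T09:17:30Z 10.0.0.5 GET https://signin.gmrail.ml/",
]
BRANDS = ("gmail", "google")            # brands the phishing pages imitate
LEGIT_SUFFIXES = ("google.com", "gmail.com")  # allowlist: real brand domains
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Reverse common defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    s = indicator.strip().replace("[.]", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def indicator_host(indicator: str) -> str:
    """Bare lower-cased hostname or IPv4 from a URL, hostname or IP indicator."""
    s = refang(indicator)
    if "://" in s:
        return urlsplit(s).hostname.lower()
    return s.split("/", 1)[0].split(":", 1)[0].lower()


def build_blocklist(*ioc_lists):
    """Split indicators into a hostname set and an IP set."""
    hosts, ips = set(), set()
    for lst in ioc_lists:
        for ioc in lst:
            h = indicator_host(ioc)
            try:
                ips.add(str(ipaddress.ip_address(h)))
            except ValueError:
                hosts.add(h)
    return hosts, ips


def host_is_listed(host: str, hosts: set) -> bool:
    """Exact match, or a subdomain of a listed host (cdn.download.riseknite.life)."""
    host = host.lower().rstrip(".")
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimics_brand(host: str) -> bool:
    """True if a label of `host` imitates a brand (rn->m homoglyph or one edit
    away) while the host is not under the brand's own domain."""
    host = host.lower()
    if host in LEGIT_SUFFIXES or host.endswith(tuple("." + s for s in LEGIT_SUFFIXES)):
        return False
    for label in host.split("."):
        for piece in label.split("-"):       # 'grnail-signin' -> 'grnail', 'signin'
            norm = piece.replace("rn", "m")  # 'grnail' -> 'gmail'
            if any(norm == b or edit_distance(norm, b) <= 1 for b in BRANDS):
                return True
    return False


def scan_logs(lines, hosts, ips):
    """Return (line_number, indicator, reason) for every hit, in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, ip, "c2-ip"))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host_is_listed(host, hosts):
                hits.append((n, host, "listed-host"))
            elif mimics_brand(host):
                hits.append((n, host, "brand-lookalike"))
    return hits


if __name__ == "__main__":
    blocked_hosts, blocked_ips = build_blocklist(PHISHING_URLS, C2_SERVERS)
    for n, ioc, why in scan_logs(SAMPLE_LOGS, blocked_hosts, blocked_ips):
        print(f"line {n}: {why}: {ioc}")
```

The exact-match path is what the IOC lists are for; the look-alike path is a caveat rather than a detection of record, since a one-edit distance from "google" will also flag legitimate regional domains such as google.co.kr, so LEGIT_SUFFIXES should be replaced by your organization's own allowlist before this is run in earnest. Paste the full lists from the article into PHISHING_URLS and C2_SERVERS; refang() handles the "[.]" defanging used above.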

Malwarebytes' Threat Intelligence team has published a detailed analysis of this APT group on its site.

