Cyberattackers target experts on North Korea
According to SentinelLabs, a North Korean APT group known as Kimsuky is running a social engineering campaign against specialists in North Korean affairs.
The attack begins with an email from a fake NK News account asking the recipient to review a draft article about North Korea's nuclear threat. If the recipient clicks the link in the email, they are taken to a fake Google Docs page that asks for their login details; any credentials entered there are sent to Kimsuky. In this way Kimsuky steals the news service's Google and subscriber credentials.
Kimsuky can then use the credentials to access the victim's email, social media and other online accounts, or to carry out further attacks such as phishing campaigns or ransomware operations. Kimsuky's main lure impersonates Chad O'Carroll, the founder of NK News and its affiliated holding company, Korea Risk Group. The group set up an attacker-controlled domain, nknews[.]pro, that closely resembles the legitimate NK News domain, nknews.org.
According to the researchers, Kimsuky opens contact with its targets using HTML-formatted spear-phishing emails. These emails impersonate NK News leadership, contain no malicious components, and are intended to draw the target into further correspondence without raising suspicion.
Once the target has engaged in the conversation, the APT group sends an email containing a link to a Google document. If the recipient does not respond, the threat actors send a reminder email to prompt a reply. The attackers disguise the link's destination by editing the anchor's href attribute so that it points to a website they control.
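As an added defensive check (example code written for this page, not part of the original article or of SentinelLabs' research), the following Python script applies two of the indicators described above to an HTML message body: link text that names one domain while the href points to another, and an href domain that shares its second-level label with a trusted domain but uses a different top-level domain (nknews.pro versus nknews.org). The sample message, the trusted-domain list and the URL paths are constructed for the example; the two-label "registrable domain" heuristic is a simplification that does not consult a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small allow-list of registrable domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"nknews.org", "google.com"}

# Bare domain as it might appear in visible link text, e.g. "nknews.org".
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname from a URL or a bare domain; None if the text names no host."""
    text = text.strip()
    if "://" in text:
        return urlparse(text).hostname
    return text.lower() if DOMAIN_RE.match(text) else None


def lookalike(host, trusted):
    """True if host's second-level label matches a trusted domain but the domain differs."""
    reg = registrable(host)
    if reg in trusted:
        return False
    sld = reg.split(".")[0]
    return any(sld == t.split(".")[0] for t in trusted)


def analyse_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return (kind, href, text) findings for suspicious anchors in an HTML body."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        if href_host is None:  # mailto:, relative links, etc. are skipped
            continue
        text_host = host_of(text)
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(("href-text-mismatch", href, text))
        if lookalike(href_host, trusted):
            findings.append(("lookalike-domain", href, text))
    return findings


# Constructed sample message: the visible text shows a Google Docs URL while the
# href points at the lookalike domain reported in the article (path is invented).
SAMPLE_EMAIL = """
<p>Could you take a look at the draft below before we publish?</p>
<a href="https://nknews.pro/login">https://docs.google.com/document/d/EXAMPLE</a>
<p>Regards,</p>
<a href="https://nknews.org/about">About NK News</a>
"""

if __name__ == "__main__":
    for kind, href, text in analyse_links(SAMPLE_EMAIL):
        print(f"{kind}: href={href!r} text={text!r}")
```

Both checks are cheap enough to run inside a mail gateway or a triage script over exported message bodies; a hit on either is a reason to hold the message for review rather than a verdict on its own, since legitimate newsletters also use tracking redirectors that trip the mismatch check.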
The sources for this piece include an article in SecurityAffairs.