Kimsuky, a threat actor linked to North Korea, has been tied to a recent wave of cyberattacks intended to gather intelligence from researchers, professors, and university staff.
Kimsuky, a threat actor associated with North Korea, has been connected to a fresh series of cyberattacks aimed at academics, researchers, and university employees in an attempt to obtain intelligence. According to cybersecurity company Resilience, the activity was discovered in late July 2024 after the company noticed an operational security (OPSEC) error committed by the hackers. Kimsuky is one of many offensive cyber teams run by the North Korean military and government; it is also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.
Moreover, it is highly active, frequently using spear-phishing as a springboard to deliver an ever-expanding array of specialized tools for reconnaissance, data theft, and persistent remote access to compromised hosts. Another characteristic of the attacks is the use of compromised servers as staging infrastructure for an obfuscated Green Dinosaur web shell, which is then used to carry out file operations. Hauri, a South Korean security company, first drew attention to Kimsuky's use of the web shell in May 2024. Access through Green Dinosaur is then abused to upload pre-made phishing pages that mimic legitimate login portals, including those of Dongduk University, Yonsei University, and other universities, as well as Naver, in an attempt to harvest credentials.
Victims are then redirected to another website, which leads them to a PDF file hosted on Google Drive that appears to be an invitation to the August Forum of the Asan University for Policy Studies. “Additionally, on Kimsuky’s phishing sites, there is a non-target-specific phishing toolkit to gather Naver accounts,” the Resilience investigators stated.
“This toolkit is a rudimentary proxy akin to Evilginx for stealing cookies and credentials from visitors and shows pop-ups telling users they need to log in again because communication with the server was disrupted.” The investigation into the university campaign also revealed that Kimsuky uses a custom PHPMailer-based program named SendMail to send phishing emails to targets from Gmail and Daum Mail accounts. To counter the threat, users are advised to adopt phishing-resistant multi-factor authentication (MFA) and to check URLs carefully before logging in.
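The advice to check URLs before logging in is easier to follow when the check is automated, for example in a browser extension, a mail gateway, or a SOC triage script. The following is an added example, not code from the article or from Resilience: it takes a URL and decides whether its host is a trusted login domain, a lookalike of one (brand name reused as a subdomain, typosquat, homoglyph, decoy userinfo before the real host), or simply unknown. The allowlist of legitimate domains and the short public-suffix table are constructed assumptions for illustration; in practice they would come from your own asset inventory and the Public Suffix List.

```python
"""Flag login URLs whose host impersonates a trusted login domain.

Added example for the article's "check the URL before logging in" advice.
TRUSTED_DOMAINS and MULTI_LABEL_SUFFIXES are constructed assumptions.
"""
import difflib
from urllib.parse import urlsplit

# Assumed legitimate login domains for the brands the article names.
TRUSTED_DOMAINS = {"naver.com", "yonsei.ac.kr", "dongduk.ac.kr"}

# Second-level public suffixes that stay attached to the registrable domain
# (a deliberately tiny, constructed subset of the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"ac.kr", "co.kr", "or.kr", "go.kr", "ac.uk", "co.uk"}

SIMILARITY_THRESHOLD = 0.8  # difflib ratio at which two domains "look alike"


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname (e.g. portal.yonsei.ac.kr -> yonsei.ac.kr)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_labels() -> set:
    """Leftmost label of each trusted domain, e.g. {'naver', 'yonsei', 'dongduk'}."""
    return {d.split(".")[0] for d in TRUSTED_DOMAINS}


def classify_login_url(url: str):
    """Return (verdict, reasons): verdict is 'trusted', 'lookalike' or 'unknown'."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown", ["no hostname in URL"]

    if parts.scheme != "https":
        reasons.append("not served over HTTPS")

    # https://naver.com@evil.example/ : the brand sits in userinfo, the real host follows '@'
    if parts.username is not None:
        reasons.append(f"userinfo {parts.username!r} precedes the real host {host!r}")
        if any(brand in parts.username.lower() for brand in brand_labels()):
            return "lookalike", reasons

    # Decode IDNA (xn--) labels so homoglyphs are compared as the user sees them
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep as-is
    if not host.isascii():
        reasons.append("hostname contains non-ASCII characters (possible homoglyph)")

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reasons  # may still carry a warning such as plain HTTP

    # Brand name reused as a subdomain label or embedded in another registrable domain
    host_labels = set(host.split("."))
    for brand in brand_labels():
        if brand in host_labels or brand in reg:
            reasons.append(f"brand label {brand!r} appears in untrusted domain {reg!r}")
            return "lookalike", reasons

    # Typosquats and homoglyphs: registrable domain nearly equal to a trusted one
    for trusted in sorted(TRUSTED_DOMAINS):
        ratio = difflib.SequenceMatcher(None, reg, trusted).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            reasons.append(f"{reg!r} resembles {trusted!r} (similarity {ratio:.2f})")
            return "lookalike", reasons

    return "unknown", reasons


if __name__ == "__main__":
    # Constructed sample URLs; none are taken from the article.
    samples = [
        "https://nid.naver.com/nidlogin.login",
        "https://portal.yonsei.ac.kr/",
        "https://naver.com.login-verify.example/",
        "https://naver.com@evil.example/",
        "https://navar.com/login",
        "https://n\u0430ver.com/",  # Cyrillic 'а' in place of Latin 'a'
        "http://naver.com/",
        "https://conference-registration.example/",
    ]
    for sample in samples:
        verdict, why = classify_login_url(sample)
        print(f"{verdict:9s} {sample}  {'; '.join(why)}")
```

A verdict of "trusted" with a non-empty reason list (for example a plain-HTTP URL) should still be surfaced to the user; only "trusted" with no reasons is a clean pass. The `difflib` ratio is a coarse stand-in for a proper confusables check, so tune the threshold on your own domain list before relying on it.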