The North Korea-linked threat actor known as Kimsuky has been linked to a new set of attacks targeting university staff, researchers, and professors for intelligence gathering purposes.
Cybersecurity firm Resilience said it identified the activity in late July 2024 after it observed an operation security (OPSEC) error made by the hackers.
Kimsuky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, is just one of the myriad offensive cyber teams operating under the direction of the North Korean government and military.
It’s also very active, often leveraging spear-phishing campaigns as a starting point to deliver an ever-expanding set of custom tools to conduct reconnaissance, pilfer data, and establish persistent remote access to infected hosts.
The attacks are also characterized by the use of compromised hosts as staging infrastructure to deploy an obfuscated version of the Green Dinosaur web shell, which is then used to perform file operations. Kimuksy’s use of the web shell was previously highlighted by security researcher blackorbird in May 2024.
The access afforded by Green Dinosaur is then abused to upload pre-built phishing pages that are designed to mimic legitimate login portals for Naver and various universities like Dongduk University, Korea University, and Yonsei University with the goal of capturing their credentials.
Next, the victims are redirected to another site that points to a PDF document hosted on Google Drive that purports to be an invitation to the Asan Institute for Policy Studies August Forum.
“Additionally on Kimsuky’s phishing sites, there is a non-target specific phishing toolkit to gather Naver accounts,” Resilience researchers said.
“This toolkit is a rudimentary proxy akin to Evilginx for stealing cookies and credentials from visitors and shows pop-ups telling users they need to login again because communication with the server was disrupted.”
The analysis has also shed light on a custom PHPMailer tool used by Kimsuky called SendMail, which is employed to send phishing emails to the targets using Gmail and Daum Mail accounts.
To combat the threat, it’s recommended that users enable phishing-resistant multi-factor authentication (MFA) and scrutinize the URLs before logging in.
