In a recent collaboration with NK News, SentinelLabs, a renowned cybersecurity firm, has uncovered a targeted social engineering campaign orchestrated by the North Korean Advanced Persistent Threat (APT) group known as Kimsuky. This campaign specifically targets experts in North Korean affairs, with the objective of stealing valuable credentials and delivering reconnaissance malware. As Kimsuky’s social engineering tactics continue to evolve, it is evident that the group is intensifying its interest in gathering strategic intelligence. In this article, we delve into the details of this sophisticated campaign and shed light on Kimsuky’s growing dedication to social engineering.
The Rise of Kimsuky: Kimsuky, an APT group suspected to be aligned with the North Korean government, has been operating since 2012 and has gained notoriety for its global targeting of organizations and individuals. Their modus operandi often involves employing targeted phishing and social engineering tactics to gain access to sensitive information. However, their recent campaign showcases a shift in focus towards experts in North Korean affairs, raising questions about their motives and the strategic intelligence they aim to gather.
Impersonating NK News: In their latest campaign, Kimsuky has set their sights on expert analysts of North Korean affairs by impersonating NK News, a leading subscription-based news and analysis service. By utilizing an attacker-created domain, nknews[.]pro, which closely resembles the legitimate NK News domain nknews.org, the group aims to deceive their targets and gain their trust. This approach demonstrates Kimsuky’s commitment to establishing early communication and fostering rapport with their victims.
The Elaborate Social Engineering Techniques: Kimsuky’s social engineering campaign begins with an initial email, impersonating Chad O’Carroll, the founder of NK News. The email requests the target’s assistance in reviewing a draft article analyzing the nuclear threat posed by North Korea. If the target responds, Kimsuky seizes the opportunity to deliver a spoofed URL to a Google document. This document redirects the target to a malicious website designed to capture their Google credentials. In addition, Kimsuky may employ weaponized Office documents that execute the ReconShark reconnaissance malware.
Theft of NK News Subscription Credentials: Kimsuky’s objectives extend beyond stealing email and Google credentials. The group also seeks to pilfer subscription credentials from NK News. To achieve this, they distribute emails that entice targeted individuals to log in on a malicious website, nknews[.]pro, masquerading as the authentic NK News site. The login form presented on this deceptive website is carefully designed to capture the entered credentials.
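The lookalike domain described above (nknews[.]pro standing in for nknews.org) and the credential-phishing links that lead to it are the kind of indicator a mail-filtering or triage script can flag before a recipient ever sees the login form. The following is an added example, not code from SentinelLabs, NK News or the original article: a small Python checker that takes a watchlist of legitimate brand domains, refangs defanged indicators, and classifies the sender domain and every URL host in a message as a TLD swap, a brand embedded in a longer hostname, a one-character typo, or a brand token inside another label. The sample email, the additional hostnames (login-check[.]net, nknews-login.com, nknew.org) and the simplified public-suffix handling are all constructed assumptions for the demonstration; a production tool would use the Public Suffix List and a full email parser.

```python
"""Flag sender domains and URL hosts that impersonate a watched brand domain.

Added illustrative code; the watchlist, sample email and extra hostnames are
constructed for this example and are not taken from the SentinelLabs report.
"""
import re
from urllib.parse import urlparse

# Legitimate domains to protect (nknews.org is the brand impersonated in the article).
WATCHED_DOMAINS = {"nknews.org"}

# Assumption: a tiny stand-in for the Public Suffix List, enough for the demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.kr"}


def refang(indicator):
    """Undo the defanging ('[.]', 'hxxp') used when sharing indicators safely."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Return the registrable part of a hostname (e.g. 'www.nknews.org' -> 'nknews.org')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Classify a (possibly defanged) hostname against the watchlist.

    Returns (verdict, watched_domain); verdict is one of 'legitimate', 'tld-swap',
    'embedded-brand', 'typo-squat', 'brand-in-label' or 'unrelated'.
    """
    host = refang(domain).lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in WATCHED_DOMAINS:
        return "legitimate", reg
    sld = reg.split(".")[0]
    for watched in sorted(WATCHED_DOMAINS):
        wsld = watched.split(".")[0]
        if sld == wsld:
            return "tld-swap", watched          # nknews.pro vs nknews.org
        if f".{watched}." in f".{host}.":
            return "embedded-brand", watched    # nknews.org.<other>.<tld>
        if levenshtein(sld, wsld) <= 1:
            return "typo-squat", watched        # nknew.org, nknewss.org
        if wsld in sld:
            return "brand-in-label", watched    # nknews-login.com
    return "unrelated", None


def scan_email(email_text):
    """Return (source, indicator, verdict, watched) for the sender domain and each URL host."""
    findings = []
    sender = re.search(r"^From:.*@([A-Za-z0-9.\-\[\]]+)", email_text, re.M | re.I)
    if sender:
        findings.append(("sender", sender.group(1)) + classify_domain(sender.group(1)))
    for url in re.findall(r"h(?:xx|tt)ps?://[^\s<>\"']+", email_text):
        host = urlparse(refang(url)).hostname or ""
        findings.append(("url", url) + classify_domain(host))
    return findings


def suspicious_findings(email_text):
    """Keep only findings that imitate a watched brand."""
    return [f for f in scan_email(email_text) if f[2] not in ("legitimate", "unrelated")]


# Constructed sample message modelled on the lure described in the article.
SAMPLE_EMAIL = """From: Chad O'Carroll <editor@nknews[.]pro>
To: analyst@example.org
Subject: Draft article for review

Could you comment on the attached draft? The document is at
hxxps://nknews[.]pro/login (please sign in with your subscription).
Archive mirror: hxxp://nknews.org.login-check[.]net/
Original site: https://www.nknews.org/
"""

if __name__ == "__main__":
    for source, indicator, verdict, watched in scan_email(SAMPLE_EMAIL):
        print(f"{source:6} {verdict:15} {indicator}  (brand: {watched})")
```

Run as a script it prints one line per indicator; the sender domain and the first link are reported as a TLD swap of nknews.org, the mirror link as the brand embedded in an unrelated hostname, and the genuine www.nknews.org link as legitimate. The same classifier can be fed the sender domain from a mail gateway log or the hosts from a proxy log, and the `levenshtein` threshold can be raised for longer brand names.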
The Growing Interest in Strategic Intelligence: By meticulously targeting high-profile experts in North Korean affairs and stealing subscription credentials from reputable news and analysis outlets like NK News, Kimsuky displays a heightened curiosity in understanding how the international community perceives developments concerning North Korea. Their actions align with their broader objective of gathering strategic intelligence, which likely contributes to North Korea’s decision-making processes.
Conclusion: The recent social engineering campaign conducted by the North Korean APT group Kimsuky reveals their increasing dedication to sophisticated tactics aimed at stealing valuable credentials and delivering reconnaissance malware. By impersonating NK News and meticulously targeting experts in North Korean affairs, Kimsuky demonstrates their commitment to establishing trust and rapport with their victims. This evolving approach highlights their interest in gathering strategic intelligence and sheds light on the group’s role in shaping North Korea’s decision-making processes. Cybersecurity professionals and individuals alike must remain vigilant against such social engineering campaigns and take the necessary precautions to protect sensitive information.
Indicators of Compromise
Phishing email sender domain
Phishing email sender address
Phishing email sender address
Website impersonating NK News
Website impersonating NK News: b374k login site
Website impersonating NK News: Fake NK News login site
Website impersonating NK News: NK News credential theft endpoint
ReconShark payload hosting endpoint
ReconShark C2 server endpoint
Website impersonating NK News, ReconShark C2 server: IP address
Malicious document (password-protected): SHA1 hash
Malicious document: SHA1 hash
ReconShark: SHA1 hash