In a recent collaboration with NK News, SentinelLabs, a renowned cybersecurity firm, has uncovered a targeted social engineering campaign orchestrated by the North Korean Advanced Persistent Threat (APT) group known as Kimsuky. This campaign specifically targets experts in North Korean affairs, with the objective of stealing valuable credentials and delivering reconnaissance malware. As Kimsuky’s social engineering tactics continue to evolve, it is evident that the group is intensifying its interest in gathering strategic intelligence. In this article, we delve into the details of this sophisticated campaign and shed light on Kimsuky’s growing dedication to social engineering.
The Rise of Kimsuky: Kimsuky, an APT group suspected to be aligned with the North Korean government, has been operating since 2012 and has gained notoriety for its global targeting of organizations and individuals. Their modus operandi often involves employing targeted phishing and social engineering tactics to gain access to sensitive information. However, their recent campaign showcases a shift in focus towards experts in North Korean affairs, raising questions about their motives and the strategic intelligence they aim to gather.
Impersonating NK News: In their latest campaign, Kimsuky has set their sights on expert analysts of North Korean affairs by impersonating NK News, a leading subscription-based news and analysis service. By utilizing an attacker-created domain, nknews[.]pro, which closely resembles the legitimate NK News domain nknews.org, the group aims to deceive their targets and gain their trust. This approach demonstrates Kimsuky’s commitment to establishing early communication and fostering rapport with their victims.
The Elaborate Social Engineering Techniques: Kimsuky’s social engineering campaign begins with an initial email impersonating Chad O’Carroll, the founder of NK News. The email requests the target’s assistance in reviewing a draft article analyzing the nuclear threat posed by North Korea. If the target responds, Kimsuky seizes the opportunity to deliver a spoofed URL purporting to lead to a Google document. This link redirects the target to a malicious website designed to capture their Google credentials. In addition, Kimsuky may employ weaponized Office documents that execute the ReconShark reconnaissance malware.
Theft of NK News Subscription Credentials: Kimsuky’s objectives extend beyond stealing email and Google credentials. The group also seeks to pilfer subscription credentials from NK News. To achieve this, they distribute emails that entice targeted individuals to log in on a malicious website, nknews[.]pro, masquerading as the authentic NK News site. The login form presented on this deceptive website is carefully designed to capture the entered credentials.
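The lookalike-domain pattern described above (nknews[.]pro standing in for nknews.org) is straightforward to hunt for in mail-gateway logs. The following is an added defender-side example, not code from the article or from SentinelLabs; the "sender=... url=..." log format and the nknews.example domain are constructed for illustration.

```python
import re
from urllib.parse import urlparse

def refang(value):
    # IoC tables defang indicators (nknews[.]pro, https[://]); normalise before matching.
    return value.replace("[.]", ".").replace("[://]", "://")

# Protected brand domain and the lookalike infrastructure listed on the page.
PROTECTED_DOMAIN = "nknews.org"
KNOWN_BAD_DOMAINS = {refang(d) for d in ("nknews[.]pro", "staradvertiser[.]store")}

# Constructed log lines (hypothetical format); nknews.example is a made-up lookalike.
SAMPLE_LOG = """\
sender=chad.ocarroll@nknews.pro url=https://www.nknews.pro/ip/register/
sender=editor@nknews.org url=https://www.nknews.org/2023/06/article
sender=alerts@example.com url=https://docs.google.com/document/d/abc
sender=membership@nknews.pro url=https://www.nknews.pro/ip/register/login.php
sender=news@nknews.example url=https://nknews.example/login
"""

def registrable(host):
    # Naive registrable domain (last two labels); enough for the TLDs used here.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def is_lookalike(host, protected=PROTECTED_DOMAIN):
    # Same second-level label as the protected brand under a different TLD,
    # the pattern nknews.pro used against nknews.org.
    reg, prot = registrable(host), registrable(protected)
    return reg != prot and reg.split(".")[0] == prot.split(".")[0]

def classify_line(line):
    # Returns a list of (reason, host) findings for one log line.
    m = re.match(r"sender=(\S+)\s+url=(\S+)", line)
    if not m:
        return []
    sender, url = m.groups()
    hosts = (sender.rpartition("@")[2], urlparse(url).hostname or "")
    findings = []
    for host in hosts:
        if registrable(host) in KNOWN_BAD_DOMAINS:
            findings.append(("known_ioc", host))
        elif is_lookalike(host):
            findings.append(("lookalike", host))
    return findings

def scan(log_text):
    # Map each flagged log line to its findings; clean lines are omitted.
    return {ln: f for ln in log_text.splitlines() if (f := classify_line(ln))}
```

The lookalike check generalises beyond the page's single case: any domain reusing the brand's second-level label under another TLD is flagged even when it is not yet on an IoC list.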
The Growing Interest in Strategic Intelligence: By meticulously targeting high-profile experts in North Korean affairs and stealing subscription credentials from reputable news and analysis outlets like NK News, Kimsuky displays a heightened curiosity in understanding how the international community perceives developments concerning North Korea. Their actions align with their broader objective of gathering strategic intelligence, which likely contributes to North Korea’s decision-making processes.
Conclusion: The recent social engineering campaign conducted by the North Korean APT group Kimsuky reveals their increasing dedication to sophisticated tactics aimed at stealing valuable credentials and delivering reconnaissance malware. By impersonating NK News and meticulously targeting experts in North Korean affairs, Kimsuky demonstrates their commitment to establishing trust and rapport with their victims. This evolving approach highlights their interest in gathering strategic intelligence and sheds light on the group’s role in shaping North Korea’s decision-making processes. As cybersecurity professionals and individuals, it is crucial to remain vigilant against such social engineering campaigns and take necessary precautions to protect sensitive information.
Indicators of Compromise

| Indicator | Description |
|---|---|
| nknews[.]pro | Phishing email sender domain |
| chad.ocarroll@nknews[.]pro | Phishing email sender address |
| membership@nknews[.]pro | Phishing email sender address |
| https[://]www.nknews[.]pro | Website impersonating NK News |
| https[://]www.nknews[.]pro/config[.]php | Website impersonating NK News: b374k login site |
| https[://]www.nknews[.]pro/ip/register/ | Website impersonating NK News: fake NK News login site |
| https[://]www.nknews[.]pro/ip/register/login[.]php | Website impersonating NK News: NK News credential theft endpoint |
| https[://]staradvertiser.store/piece/ca[.]php | ReconShark payload hosting endpoint |
| https[://]staradvertiser.store/piece/r[.]php | ReconShark C2 server endpoint |
| 162.0.209[.]27 | Website impersonating NK News, ReconShark C2 server: IP address |
| 4150B40C00D8AB2E960AA059159149AF3F9ADA09 | Malicious document (password-protected): SHA1 hash |
| 7514FD9E5667FC5085373704FE2EA959258C7595 | Malicious document: SHA1 hash |
| 41E39162AE3A6370B1100BE2B35BB09E2CBE9782 | ReconShark: SHA1 hash |