North Korean Hackers Target University Professors

Tech Read Team

Uncovering the Latest Cyber Attack by Kimsuky

Aug 08, 2024 | Ravie Lakshmanan | Cyber Attack / Cyber Espionage

The latest cyber attack by the North Korea-linked threat actor known as Kimsuky has targeted university staff, researchers, and professors in a bid to gather intelligence.

Cybersecurity firm Resilience uncovered the activity in July 2024 after spotting an operational security error made by the attackers.

Kimsuky, also referred to as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, operates as one of several offensive cyber teams managed by the North Korean government and military.

The group is known for its spear-phishing campaigns to deliver custom tools for reconnaissance, data theft, and establishing remote access on infected systems.

These attacks involve using compromised hosts as staging infrastructure to deploy an obfuscated version of the Green Dinosaur web shell, previously highlighted by security researcher blackorbird in May 2024.

Kimsuky then uses the web shell to upload phishing pages mimicking the login portals of Naver and several universities, so the credential-harvesting pages are served from the compromised hosts rather than from infrastructure the group registered itself.

Victims are also redirected to a site hosting a fake invitation document, used as a lure to get them to enter their credentials.

Resilience researchers noted, “Kimsuky’s phishing sites contain a non-target-specific phishing toolkit to gather Naver accounts.”

“This toolkit functions as a rudimentary proxy similar to Evilginx, capturing cookies and credentials by displaying pop-ups to users asking them to log in again due to server communication issues,” the researchers added.

The analysis also revealed Kimsuky’s use of a custom PHPMailer tool named SendMail to send phishing emails via Gmail and Daum Mail accounts.

To stay protected against such threats, users are advised to enable phishing-resistant multi-factor authentication (MFA) and carefully inspect URLs before entering login credentials. The distinction matters here: a reverse-proxy kit of the kind described relays the victim's session to the real site, so one-time codes and push approvals are captured along with the password and session cookies, whereas FIDO2/WebAuthn credentials are bound to the legitimate site's origin and cannot be obtained or replayed from a lookalike domain. A login page that suddenly asks you to sign in again because of a "server communication" problem is itself a warning sign.
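The two pieces of advice above, worked through as an added example (this is not code from the article or from Resilience's research): the first function applies the URL checks a user or a mail gateway should make before trusting a page that claims to be a Naver login, covering the tricks lookalike phishing pages rely on; the second models the WebAuthn origin rule that makes FIDO2 "phishing-resistant", which is why a proxy serving a cloned page from another domain cannot harvest a usable second factor. It assumes nid.naver.com is the host the user intends to sign in to; every other URL in it is constructed for illustration and is not an indicator from the Kimsuky campaign.

```python
"""Login-URL inspection and the WebAuthn origin rule (added example).

Not code from the article or from Resilience's report. The lookalike URLs
below are constructed for illustration, not indicators from the campaign.
"""
from urllib.parse import urlsplit

# The host the user actually intends to sign in to (assumption for this demo).
ALLOWED_LOGIN_HOSTS = frozenset({"nid.naver.com"})


def inspect_login_url(url: str, allowed=ALLOWED_LOGIN_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only when every check passes."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"

    # 'https://nid.naver.com@evil.example/' shows the real name first, but
    # everything before '@' is userinfo; the browser connects to evil.example.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@'; the real host is after it"

    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the host
    if not host:
        return False, "no host"

    # Homoglyph lookalikes (Cyrillic 'а' for Latin 'a') arrive as non-ASCII or
    # punycode labels; an ASCII-only site should never be reached that way.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized host {host!r}; possible homoglyph lookalike"

    # Whole-host equality defeats 'nid.naver.com.evil.example' (real name as a
    # subdomain) and 'evil.example/nid.naver.com/' (real name in the path).
    if host not in allowed:
        return False, f"host {host!r} is not an expected login host"
    return True, "ok"


def rp_id_accepts_origin(rp_id: str, page_origin: str) -> bool:
    """Simplified WebAuthn rule: the relying-party ID must equal the page's host
    or be a parent domain of it, and the origin must be https. The browser
    evaluates this on the origin it really loaded, which a proxy cannot forge,
    so a cloned page on evil.example never obtains an assertion for naver.com.
    (A real browser additionally rejects RP IDs that are public suffixes.)
    """
    parts = urlsplit(page_origin)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    rp_id = rp_id.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    samples = [  # constructed for the demo
        "https://nid.naver.com/nidlogin.login",
        "http://nid.naver.com/nidlogin.login",
        "https://nid.naver.com@evil.example/nidlogin.login",
        "https://nid.naver.com.evil.example/nidlogin.login",
        "https://evil.example/nid.naver.com/nidlogin.login",
        "https://nid.nаver.com/nidlogin.login",  # Cyrillic 'а'
    ]
    for s in samples:
        ok, why = inspect_login_url(s)
        print(f"{'PASS' if ok else 'FAIL'} {s}  ({why})")
    print(rp_id_accepts_origin("naver.com", "https://nid.naver.com"))
    print(rp_id_accepts_origin("naver.com", "https://nid.naver.com.evil.example"))
```

Only the last sample URL is visually close to the real one; the others rely on the reader stopping at the first familiar-looking token, which is exactly what a proxy kit's "please log in again" pop-up is designed to encourage.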
