Kimsuky Phishing Operations Putting In Work
2020-09-28 • ThreatConnect
ThreatConnect believes that Kimsuky will continue to target journalism and civil society organizations, particularly those focusing on North Korean issues. Based on research into both the attacker’s infrastructure and tooling, we believe the nexus of the attack to be the DPRK’s Kimsuky group (aka Velvet Chollima). Organizations reporting on North Korean human rights violations or working with North Korean defectors need to remain especially vigilant against phishing attacks that take advantage of the information-sharing culture they are part of. Kimsuky is notorious for its phishing efforts; researchers even dubbed the group the “King of Spear Phishing” in a 2019 VirusBulletin paper.
Indicators of Compromise