Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials
2024-03-05 • Hunt.io
https://hunt.io/blog/open-directory-exposes-phishing-campaign-targeting-google-and-naver-credentials
Hunt investigated an open directory tied to a likely North Korean phishing campaign aimed at stealing Google and Naver credentials. The actor first hosted a Binance spoofing site, then shifted to custom phishing paths and iframe-based credential theft after Google Safe Browsing marked the site malicious. The exposed server also contained Xeno-RAT, KakaoTalk cryptocurrency trading chat logs, transaction records, and screenshots, giving visibility into targeting and staging activity. Infrastructure details, including Let's Encrypt certificates, Apache servers, suspicious TLD choices, and Kimsuky-style .lol usage, overlapped with Kimsuky, APT43, Black Banshee, and Thallium reporting.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | d8591a62916984952383b789e8ab269… | 2024-03-05 | 2024-03-05 |
| HASH | 57cb8dca59c6fd0aab69c052c93fcec… | 2024-03-05 | 2024-03-05 |
| URL | http://stuff.gduser.eu/gmail/gd… | 2024-03-05 | 2024-03-05 |
| URL | https://binace.homes/middle/att… | 2024-03-05 | 2024-03-05 |
| URL | http://stuff.ilk.gduser.eu/bad-… | 2024-03-05 | 2024-03-05 |
| DOMAIN | stuff.ilk.gduser.eu | 2024-03-05 | 2024-03-05 |
| DOMAIN | stuff.gduser.eu | 2024-03-05 | 2024-03-05 |
| DOMAIN | binace.homes | 2024-03-05 | 2024-03-05 |
| IPv4 | 123.76.96.130 | 2024-03-05 | 2024-03-05 |
| IPv4 | 45.195.69.28 | 2024-03-05 | 2024-03-05 |
| IPv4 | 27.255.75.158 | 2024-02-21 | 2024-03-05 |
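The domains and IPv4 addresses in the table are complete, but the hashes and URLs are truncated, so they can only be matched as prefixes. The following Python snippet is an added example (not part of the Hunt.io report) showing how a defender might sweep proxy, DNS, firewall and EDR log lines for these indicators: exact or subdomain matches for the domains, exact matches for the IPs, and prefix matches for the truncated hashes. The log lines and the 64-character digest are constructed for the example; the digest is the page's truncated hash padded with zeros, not a real sample hash.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the table above. Hash values there are truncated,
# so they are stored as prefixes; only domains and IPs are complete.
IOC_DOMAINS = {"stuff.ilk.gduser.eu", "stuff.gduser.eu", "binace.homes"}
IOC_IPS = {"123.76.96.130", "45.195.69.28", "27.255.75.158"}
IOC_HASH_PREFIXES = {
    "d8591a62916984952383b789e8ab269",
    "57cb8dca59c6fd0aab69c052c93fcec",
}

URL_RE = re.compile(r"https?://[^\s\"']+")
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")


def host_matches(host, domains=IOC_DOMAINS):
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hash_matches(digest, prefixes=IOC_HASH_PREFIXES):
    """Prefix match only: the page's hashes are truncated, so a hit here
    must be confirmed against the full hash in the original report."""
    digest = digest.lower()
    return any(digest.startswith(p) for p in prefixes)


def check_log_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    # Hostnames inside URLs (proxy logs) and bare hostnames (DNS logs).
    for url in URL_RE.findall(line):
        h = urlparse(url).hostname
        if h and host_matches(h):
            hits.append(("DOMAIN", h.lower()))
    for tok in HOST_RE.findall(line):
        tok = tok.lower()
        if host_matches(tok) and ("DOMAIN", tok) not in hits:
            hits.append(("DOMAIN", tok))
    # IPv4 addresses (firewall / flow logs); validate before comparing.
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("IPv4", ip))
    # File hashes (EDR logs).
    for digest in HEX_RE.findall(line):
        if hash_matches(digest):
            hits.append(("HASH", digest.lower()))
    return hits


def scan_logs(lines):
    """Map line index -> hits for every line that contains an indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = check_log_line(line)
        if hits:
            results[i] = hits
    return results


# Constructed digest: the truncated page hash padded to 64 hex chars.
CONSTRUCTED_DIGEST = "d8591a62916984952383b789e8ab269" + "0" * 33

# Constructed sample log lines; only lines 0, 2, 4 and 5 should hit.
SAMPLE_LOGS = [
    '2024-03-05T10:12:01Z proxy allow src=10.0.0.8 url="http://stuff.gduser.eu/gmail/" status=200',
    "2024-03-05T10:12:05Z dns query client=10.0.0.8 qname=mail.google.com type=A",
    "2024-03-05T10:13:44Z fw drop src=10.0.0.21 dst=45.195.69.28 dport=443",
    '2024-03-05T10:14:10Z proxy allow src=10.0.0.9 url="https://www.binance.com/" status=200',
    "2024-03-05T10:15:00Z edr file_create path=C:\\Users\\u\\x.exe sha256=" + CONSTRUCTED_DIGEST,
    "2024-03-05T10:16:30Z dns query client=10.0.0.9 qname=login.stuff.ilk.gduser.eu type=A",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(idx, hits)
```

Note that the legitimate `www.binance.com` line produces no hit: the lookalike `binace.homes` is matched only as an exact domain or a subdomain of it, never by substring, which keeps the sweep from flagging the brand being spoofed.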