Kimsuky APT Group Sets Sights on University Researchers – Resilience

North Korean APT group Kimsuky targets university researchers and think tanks worldwide, using targeted phishing, social engineering, and DMARC-related misconfigurations to obtain credentials and steal sensitive research. The operation employs a Green Dinosaur webshell, compromised hosts, and a SendMail toolkit to impersonate legitimate university portals and lure victims, with notable OPSEC mistakes that led to data exposure. #Kimsuky #GreenDinosaur #SendMail #DongdukUniversity #KoreaUniversity #YonseiUniversity #Naver #AsanInstitute #AsanForum #DMARC

Key points

  • Group Identity: Kimsuky, a North Korean APT group, has been active since 2012.
  • Target Focus: Primarily targets South Korean think tanks and government entities, with interests in the U.S., U.K., and Europe.
  • Phishing Tactics: Utilizes targeted phishing campaigns with malicious attachments after establishing trust through email correspondence.
  • DMARC Exploitation: Exploits misconfigured DMARC records for social engineering, as noted in an NSA/FBI advisory.
  • OPSEC Mistakes: Operational security mistakes led to the collection of sensitive data including source code and credentials.
  • Espionage Goals: Aims to steal research and intelligence, particularly in nuclear and pharmaceutical sectors.
  • Technical Infrastructure: Uses compromised internet hosts and a webshell named “Green Dinosaur” for staging attacks.
  • Phishing Pages: Developed pages that mimic legitimate university login portals to capture credentials.
  • Indicators of Compromise: IOCs related to Kimsuky activities are available on GitHub.
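The DMARC weakness listed above is easy to check from the defending side. The following Python script is an added example, not code from this page or from Resilience: it parses a domain's DMARC TXT record (the `v=`, `p=`, `sp=`, `pct=` and `rua=` tags from RFC 7489) and flags the settings that let spoofed mail reach inboxes: no record at all, `p=none` (monitor only), a `pct` below 100, a weaker subdomain policy, or no aggregate-report address. All domains and records in it are constructed samples; the assessment function takes the record text so it runs offline, and a live check would fetch the TXT record at `_dmarc.<domain>` first.

```python
"""
Assess a DMARC record for settings that leave a domain spoofable.
Added example (not code from the page or its author); sample records
are constructed and do not refer to real domains.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    domain: str
    record: Optional[str]
    tags: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def spoofable(self) -> bool:
        # Any finding means spoofed mail from this domain may be delivered or go unnoticed.
        return bool(self.findings)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into lower-cased tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Flag the weak DMARC settings for one domain; record=None means no TXT record was published."""
    result = DmarcAssessment(domain=domain, record=record)
    if record is None:
        result.findings.append("no DMARC record published: receivers apply no policy to spoofed mail")
        return result

    tags = parse_dmarc(record)
    result.tags = tags

    # A record without v=DMARC1 or a valid p= tag is ignored by receivers entirely.
    if tags.get("v", "").upper() != "DMARC1":
        result.findings.append("missing or malformed v=DMARC1 tag: record is ignored")
        return result
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result.findings.append("missing or invalid p= tag: record is ignored")
        return result

    if policy == "none":
        result.findings.append("p=none: failures are only reported, spoofed mail is still delivered")

    # pct defaults to 100; anything lower lets part of the failing mail through unpoliced.
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        result.findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")

    # sp= overrides p= for subdomains; a weaker sp leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if VALID_POLICIES.index(sub_policy) < VALID_POLICIES.index(policy) if sub_policy in VALID_POLICIES else True:
        result.findings.append(f"sp={tags.get('sp')}: subdomain policy weaker than p={policy}")

    # Without rua= the owner never sees aggregate reports of spoofing attempts.
    if "rua" not in tags:
        result.findings.append("no rua= address: no aggregate reports to detect spoofing")
    return result


# Constructed sample records (not real domains) covering the weak and the hardened case.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    "no-record.example": None,
}


def assess_all(records=SAMPLE_RECORDS) -> Dict[str, DmarcAssessment]:
    return {domain: assess_dmarc(domain, rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, assessment in assess_all().items():
        status = "SPOOFABLE" if assessment.spoofable else "ok"
        print(f"{domain}: {status}")
        for finding in assessment.findings:
            print(f"  - {finding}")
```

Only the `p=reject` record with a reporting address passes; the monitor-only record is the shape the advisory warns about, because mail that fails SPF and DKIM alignment is still delivered and the sender's display name can be dressed up as a known researcher or institution. Running this against the domains an organisation owns, and re-running it whenever DNS changes, is a cheap control against the social-engineering step described above.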

MITRE Techniques

  • [T1566] Phishing – Targeted phishing campaigns to gain access to university networks. Quote: ‘Kimsuky conducts targeted phishing campaigns to gain access to university networks.’
  • [T1003] Credential Dumping – Captures user credentials from phishing pages designed to look like legitimate login portals. Quote: ‘Captures user credentials from phishing pages designed to look like legitimate login portals.’
  • [T1190] Exploitation of Public-Facing Applications – Uses webshells and compromised hosts to exploit vulnerabilities in public-facing applications. Quote: ‘Uses webshells and compromised hosts to exploit vulnerabilities in public-facing applications.’
  • [T1022] Data Encrypted – Utilizes obfuscation techniques to hide malicious code and prevent detection. Quote: ‘Utilizes obfuscation techniques to hide malicious code and prevent detection.’

Indicators of Compromise

  • [Domain] Staging infrastructure domains used by Kimsuky – audko.store, dorray.site, and 6 more domains
  • [URL] Phishing infrastructure endpoints – penlu.or.kr/data/view.php, drive.google.com/file/d/1ra7zb3K4BPF3qjJ-lNdWs_qQQeeR4z38/view
  • [Email Address] Phishing accounts used for campaigns – [email protected], [email protected], and 10 more items
  • [File] Credential harvesting scripts – j_spring_securty_check.php, login.php

Read more: https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/