Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

MITRE Techniques

• [T1566.002] Phishing: Spearphishing Link – The URL’s destination is manipulated through the spoofing technique of setting the href HTML property to direct to a website created by Kimsuky. ‘The URL’s destination is manipulated through the spoofing technique of setting the href HTML property to direct to a website created by Kimsuky.’
• [T1566.001] Phishing: Spearphishing Attachment – Password-protected weaponized Office documents that deploy the ReconShark reconnaissance malware. ‘password-protected weaponized Office documents that deploy the ReconShark reconnaissance malware.’
• [T1056.003] Input Capture – The JavaScript code captures entered credentials by issuing an HTTP POST request to https://www.nknews.pro/ip/register/login.php. ‘The JavaScript code captures entered credentials by issuing an HTTP POST request to https://www.nknews.pro/ip/register/login.php’
• [T1071.001] Web Protocols – ReconShark communicates with a C2 server hosted at staradvertiser.store, using domain and IP references. ‘ReconShark payload hosting endpoint’ / ‘ReconShark C2 server endpoint’ / ‘162.0.209.27’ (C2-related activity).
• [T1566.003] Phishing via Service – The fake NK News login site impersonates NK News and collects credentials via nknews.pro. ‘domain nknews.pro masquerades as the authentic NK News site’.
• [T1027] Data Encoding – The base-64 encoded segment in the URL query resolves to the target’s email address. ‘Base-64 encoded segment … resolves to the target’s email address.’