Over the past month Hunt tracked an ongoing phishing campaign likely tied to a North Korean threat actor targeting Google and Naver credentials, using a Binance spoof domain and targeted iframes to harvest user data. The exposed open directory also reveals an Xeno-RAT sample, KakaoTalk chat logs, and infrastructure overlaps with Kimsuky (APT43, Black Banshee, Thallium). #Kimsuky #APT43 #BlackBanshee #Thallium #XenoRAT #BinaceHomes #MasnailShop #NaverscorpShop #Google #Naver
Keypoints
- Campaign targets Google and Naver users for credential theft via phishing.
- Initial setup used a Binance spoof domain; phishing pages deployed via custom URL paths after Safe Browsing flagged the site.
- Open directory exposes Xeno-RAT sample, KakaoTalk logs, and cryptocurrency trading chatter.
- Network infrastructure and TLD usage show overlaps with Kimsuky-associated activity.
- The exposed .htaccess file reveals redirects and spoofed Gmail-like paths; multiple obfuscated JavaScript files were observed.
- Xeno-RAT sample modified to add an encryption key and use port 4444 for C2, with existing antivirus detections and potential YARA hints.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The attack uses spoofed domains and phishing pages to harvest credentials via two iframes. Quote: “The phishing scheme incorporates two iframes: “gattach.html” mimicking a Google login error message, and a likely counterpart, “nattach.html” (the page currently returns a 500 error), designed for Naver.”
- [T1583] Acquire Infrastructure – Open directory and spoofed Binance domain used to host phishing pages and pivot to additional infrastructure. Quote: “an open directory… domain name (and later a website) spoofing well-known cryptocurrency exchange Binance.”
- [T1027] Obfuscated/Compressed Files and Information – Evidence of obfuscated JavaScript used in the campaign. Quote: “The attackers employed multiple obfuscated JavaScript files, the full functionality of which is still under investigation.”
- [T1059.007] Command and Scripting Interpreter: JavaScript – Indirectly evidenced by the obfuscated JavaScript files used in the phishing pages. Quote: “The attackers employed multiple obfuscated JavaScript files…”
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication details observed (port 4444) indicating server communication in the Xeno-RAT modification. Quote: “adding an encryption key… port 4444 (command and control communication)”
Indicators of Compromise
- [IP Address] 45.195.69[.]28, 27.255.75[.]158
- [Domains] binace[.]homes, masnail[.]shop, and 2 more domains
- [File] user0.bin
- [File Hash] user0.bin SHA1: 57cb8dca59c6fd0aab69c052c93fcece4fc3d0ff, user0 SHA1: d8591a62916984952383b789e8ab2697f4642c63
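As an added example (not part of the Hunt report), the following script turns the indicators listed above into a small detection pass over proxy and EDR log lines. It refangs the `[.]`-defanged indicators, matches domains (including subdomains of a listed domain), IPs and SHA1 hashes, and flags requests for the `gattach.html` / `nattach.html` iframe paths named in the report. The log lines and the log format are constructed for the demonstration; the two unnamed "2 more domains" are not on the page and are therefore not included.

```python
import re
from dataclasses import dataclass

# Indicators exactly as published in the report (defanged with [.]).
IOC_IPS = {"45.195.69[.]28", "27.255.75[.]158"}
IOC_DOMAINS = {"binace[.]homes", "masnail[.]shop"}
IOC_SHA1 = {
    "57cb8dca59c6fd0aab69c052c93fcece4fc3d0ff": "user0.bin",
    "d8591a62916984952383b789e8ab2697f4642c63": "user0",
}
# iframe pages named in the report's phishing scheme
PHISH_PATHS = ("gattach.html", "nattach.html")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1[.]2[.]3[.]4, hxxp://) back into its raw form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IPS = {refang(i) for i in IOC_IPS}
DOMAINS = {refang(d) for d in IOC_DOMAINS}


@dataclass
class Hit:
    line_no: int
    kind: str   # "domain", "ip", "sha1" or "path"
    value: str


HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")


def scan_line(line_no: int, line: str) -> list:
    """Return every IoC match found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        host = host.lower()
        # exact domain or any subdomain of a listed domain
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            hits.append(Hit(line_no, "domain", host))
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(Hit(line_no, "ip", ip))
    for digest in SHA1_RE.findall(line):
        if digest.lower() in IOC_SHA1:
            hits.append(Hit(line_no, "sha1", digest.lower()))
    for path in PHISH_PATHS:
        if path in line:
            hits.append(Hit(line_no, "path", path))
    return hits


def scan_logs(lines) -> list:
    """Scan an iterable of log lines and collect all hits in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log lines (proxy and EDR style); not from the report.
SAMPLE_LOGS = [
    "2025-05-02T09:14:01Z proxy user=alice dst=45.195.69.28 url=http://binace.homes/login/gattach.html status=200",
    "2025-05-02T09:15:22Z proxy user=bob dst=142.250.1.1 url=https://mail.google.com/ status=200",
    "2025-05-02T09:20:45Z edr host=ws07 event=file_write path=C:\\Users\\bob\\AppData\\user0.bin sha1=57CB8DCA59C6FD0AAB69C052C93FCECE4FC3D0FF",
    "2025-05-02T09:21:03Z proxy user=carol dst=27.255.75.158 url=http://www.masnail.shop/ status=302",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} match -> {hit.value}")
```

Hashes are compared case-insensitively and hosts are matched on the registered domain and its subdomains, so a `www.` or other prefix in a proxy log still triggers; adapting the regexes to your own log format is the only change needed to run it over real data.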