The research team at Cluster25 has traced a new phishing email campaign attributed to the DPRK-nexus threat actor. The campaign shares similarities with Operation Kitty Phishing and uses malicious documents with different lures to compromise its victims.
An insight into the spear-phishing campaign
According to researchers, the campaign was first observed in April and aims to steal data from individuals in South Korea.
- They are targeted via spear-phishing emails that include malicious Word documents pretending to be from the Korean Internet Information Center, internet security firms (e.g. AhnLab, Menlo Security, and SaniTOX), or cryptocurrency firms (eg. Binance).
- If the malicious document is opened, it downloads the remote template to exploit the injection vulnerability (tracked as CVE-2017-0199) to execute a malicious VBA script.
- The VBA code acts as a downloader for the next stage of the kill chain using two embedded remote URLs.
- In this campaign, all the domains are generated through a Domain Generation Algorithm (DGA) and vary for each payload.
Worth noting
- Cluster25 researchers noted that there are several variants of the described campaign with minimal changes in the kill chain. In one campaign, the threat actor had leveraged Windows Help File (CHM) to gain initial access and deploy malware in the next stage.
- Additionally, users registered on Naver South Korean online platform are being targeted in the campaign.
Conclusion
Spear-phishing campaigns are unlikely to abate in the foreseeable future in terms of frequency and intensity. Therefore, users must take extra precautions to identify such threats. This includes using reliable email security gateways and inspection of emails for typos and inaccurate grammar. Additionally, users must only open attachments from trusted sources. When in doubt, check with the sender directly.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/78e5_shutterstock_730570690.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/33f3_shutterstock_163531841.jpg)
