A new instance of a phishing campaign that leverages a fake login page for the French Ministry for Europe and Foreign Affairs (MEAE) has been found targeting the foreign ministries of three different countries. Apart from the ministries, four research-oriented organizations, five email service providers and two United States-based think tanks are also affected by the campaign.
How does the campaign operate?
The campaign was first discovered by the Anomali Threat Research Team on August 9, 2019. The team found that the threat actors used a web page impersonating the French Ministry for Europe and Foreign Affairs (MEAE) to trick their victims. The fake web page ‘portalis.diplomatie.gouv.fr.doc-view[.]work’ looked the same as the legitimate site ‘diplomatie.gouv.fr’.
Researchers noted that if an official from any of the 12 agencies working for the MEAE is able to log in to the portal, then it is possible that all twelve agencies are potential victims. This includes:
The domain used for the cyber espionage is hosted on the IP address 157.7.184[.]15 and has several subdomains that appear to be designed to impersonate email providers such as Yahoo, Outlook and Google services. Further analysis highlights that the IP address is hosted by the Asia Pacific Network Information Centre (APNIC).
“There are multiple unrelated domains hosted on the same IP address because the IP address is shared. The IP is based in Japan and registered under the Japan Network Information Centre located in Tokyo,” added the researchers.
Anomali researchers also came across a malicious subdomain, “securemail.stanford.doc-view[.]work”, that mimics Stanford University’s Secure Email service, which is designed for faculty and staff who need to use email to send moderate- or high-risk data. The same domain also included five other fraudulent subdomains spoofing several institutions, which include:
The identified IP address 157.7.184[.]15 overlaps with infrastructure used in a recent North Korean campaign called ‘Smoke Screen’. ‘Smoke Screen’ reportedly used the domain ‘bigwnet[.]com’ to distribute the Kimsuky BabyShark network trojan.
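The lookalike hostnames described above share one pattern: a legitimate hostname (or just its brand label) is placed to the left of a registrable domain the attacker controls, such as ‘doc-view[.]work’. The following added example, which is not code from Anomali or from the report, scans constructed DNS/proxy log lines for that pattern; the watch-list of protected domains and the minimal public-suffix table are assumptions a real deployment would replace with its own brand list and the full Public Suffix List.

```python
import re

# Constructed watch-list of legitimate domains a phishing host might embed as
# subdomain labels (assumption: a real deployment loads its own brand list).
PROTECTED = ["diplomatie.gouv.fr", "stanford.edu", "yahoo.com", "outlook.com", "google.com"]
# Minimal public-suffix handling so "x.gouv.fr" counts as one registrable domain.
MULTI_LABEL_SUFFIXES = {"gouv.fr", "co.uk", "com.au"}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def registrable_domain(host):
    """Return the part of the hostname the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def lookalike_matches(host):
    """Protected domains that appear left of a registrable domain owned by someone
    else, e.g. portalis.diplomatie.gouv.fr.doc-view.work imitating diplomatie.gouv.fr."""
    labels = host.lower().rstrip(".").split(".")
    reg = registrable_domain(host)
    sub = labels[: len(labels) - len(reg.split("."))]   # labels left of reg
    hits = []
    for legit in PROTECTED:
        if reg == legit:
            continue                                   # genuinely the real site
        ll = legit.split(".")
        whole = any(labels[i:i + len(ll)] == ll for i in range(len(sub)))
        # brand-only match ("stanford" as a label) is noisier; tune with an allowlist
        if whole or ll[0] in sub:
            hits.append(legit)
    return hits

def scan_log(lines):
    """Map each suspicious hostname in log lines to the domains it imitates."""
    findings = {}
    for line in lines:
        for host in HOST_RE.findall(line.replace("[.]", ".")):  # refang IoCs
            hits = lookalike_matches(host)
            if hits:
                findings[host.lower()] = hits
    return findings

# Constructed sample DNS/proxy log lines (not taken from the report).
SAMPLE_LOG = [
    "2019-08-09T10:15:02Z dns query portalis.diplomatie.gouv.fr.doc-view[.]work A",
    "2019-08-09T10:16:40Z proxy GET https://securemail.stanford.doc-view[.]work/login",
    "2019-08-09T10:17:01Z dns query portalis.diplomatie.gouv.fr A",
    "2019-08-09T10:18:13Z proxy GET https://mail.google.com/ 200",
]
```

Running `scan_log(SAMPLE_LOG)` flags the two doc-view[.]work hosts and leaves the genuine ministry and Google hostnames alone.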