Background
An investigation from Genians highlights a surge in phishing attacks in South Korea, starting in October 2023, with malicious actors impersonating government services like the “National Secretary.” Leveraging domains from reputable providers such as Japan’s Biglobe and Korea’s MyDomain, attackers deployed phishing links designed to steal credentials. These fake sites, masked as official portals or electronic document services, effectively duped users into divulging sensitive information.
A Shift in Tactics
While the early stages of the campaign relied heavily on Japanese and Korean email services, a notable shift occurred in September 2024, when phishing emails began originating from Russian domains such as “mmbox[.]ru” and “ncloud[.]ru.” However, investigations revealed these were fabricated sender addresses, with emails actually sent from Korea, exploiting tools like the “star 3.0” mailer from compromised servers such as Evangelia University in the U.S.
Phishing Without Malware
The attackers’ reliance on malwareless phishing is particularly interesting. By focusing on credential theft and impersonating financial institutions or cloud services like MYBOX, they exploit users’ familiarity with these services, circumventing traditional antivirus detection.
Implications and Response
The absence of malware in these campaigns may lull victims into underestimating the threat. Stolen credentials can enable follow-up attacks on associates or facilitate deeper infiltration into networks.
As the Kimsuky group continues to adapt its methods, organizations and individuals must stay alert to these evolving threats, which underscore the persistent ingenuity of state-sponsored cyber campaigns.
