Kimsuky Hacking Group Adopts Malwareless Phishing, Evading Detection Systems
Kimsuky uses malwareless phishing tactics, Russian email services, and convincing sites to target researchers, institutions, and financial organizations, evading detection.
In a Rush? Here are the Quick Facts!
- Kimsuky uses malwareless phishing tactics to bypass major EDR detection systems.
- The group shifted from Japanese to Russian email services for phishing campaigns.
- Attacks rely on convincing emails impersonating public and financial institutions.
Researchers in South Korea have uncovered a shift in the tactics of the North Korean hacking group Kimsuky, which has begun employing malwareless phishing attacks designed to bypass major Endpoint Detection and Response (EDR) systems, as reported by Cyber Security News (CSN).
This group, active for several years, has targeted researchers and organizations that focus on North Korea. Its evolving strategies aim to evade detection and increase the success rate of its campaigns.
CSN reports that the most significant change in Kimsuky’s approach involves its email delivery. Previously, the group relied heavily on Japanese email services for its phishing campaigns.
Recent findings reveal a transition to Russian email services, which makes the messages harder for targets to recognise as suspicious and increases the chance of compromise, says CSN.
Kimsuky has increasingly adopted malwareless phishing attacks, relying on carefully crafted URL-based phishing emails that lack malware attachments, rendering them harder to detect, according to CSN.
These emails often impersonate entities such as electronic document services, email security managers, public institutions, and financial organizations.
The group’s emails are highly sophisticated, frequently incorporating familiar financial themes to increase their credibility and the likelihood of user engagement, says CSN.
Reports have identified Kimsuky’s use of domains from “MyDomain[.]Korea,” a free Korean domain registration service, to create convincing phishing sites, notes CSN.
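Because these lures carry no attachment, endpoint tooling has little to inspect; the signal lives in the mail headers and the link. The script below is an added example written for this article, not Kimsuky’s tooling or any vendor’s detection logic. It triages raw messages for the traits the article describes: an institutional display name paired with a free-webmail sender address, an attachment-less body that carries links, link hosts that do not match the sender domain, and a mismatched Reply-To. The webmail-provider set, the lure keywords and both sample messages are constructed assumptions (the article names no providers or indicators), so tune the lists before using this on real mail.

```python
"""Heuristic triage for attachment-less, URL-based phishing mail.

Added example for this article. The lists and sample messages below are
illustrative assumptions, not indicators published with the campaign.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: free webmail providers. A message whose display name claims to be
# an institution but whose address lives at a free provider deserves a look.
FREE_WEBMAIL = {"mail.ru", "yandex.ru", "bk.ru", "inbox.ru", "list.ru",
                "gmail.com", "naver.com", "daum.net", "yahoo.co.jp"}
# Assumption: display-name words typical of the lures the article describes
# (electronic document services, security managers, public and financial bodies).
LURE_WORDS = ("document", "e-document", "security", "admin", "bank",
              "finance", "payment", "tax", "institute", "ministry")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)


def sender_info(msg):
    """Return (display name, address, domain) from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr, addr.rpartition("@")[2].lower()


def extract_urls(msg):
    """Collect every http(s) URL found in text/plain and text/html parts."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def has_attachment(msg):
    """True if any non-body MIME part is present (iter_attachments skips bodies)."""
    return any(True for _ in msg.iter_attachments())


def triage(raw):
    """Score one message; each finding is one point. Returns a dict for logging."""
    msg = parse(raw)
    name, addr, domain = sender_info(msg)
    urls = extract_urls(msg)
    findings = []
    claims_institution = any(w in name.lower() for w in LURE_WORDS)
    if claims_institution and domain in FREE_WEBMAIL:
        findings.append(f"display name '{name}' but free webmail sender {domain}")
    if urls and not has_attachment(msg):
        findings.append(f"attachment-less message carrying {len(urls)} link(s)")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host and domain and host != domain and not host.endswith("." + domain):
            findings.append(f"link host {host} does not match sender domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return {"sender": addr, "urls": urls, "findings": findings, "score": len(findings)}


# Constructed sample: the lure pattern from the article (institutional display
# name, free Russian webmail sender, no attachment, one credential-harvest link).
SUSPICIOUS = """\
From: Electronic Document Security Manager <notice-kr@mail.ru>
To: analyst@example.org
Subject: [Notice] Your electronic document has arrived
Content-Type: text/plain; charset="utf-8"

A new secure document is waiting for you. Please log in to view it:
https://edoc-portal.example.net/login?id=7731
"""

# Constructed sample: ordinary internal mail with an attachment and an in-domain link.
BENIGN = """\
From: Accounts Payable <ap@example.org>
To: analyst@example.org
Subject: Q3 invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Invoice attached. Portal: https://portal.example.org/invoices
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        result = triage(raw)
        print(f"{label}: score={result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The scoring is deliberately additive rather than a single rule, because each trait on its own is common in legitimate mail; it is the combination (institutional name, free provider, no attachment, off-domain link) that matches the lure the article describes. Feed it messages exported from a mail gateway and review anything scoring 2 or higher.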
A timeline of activities detailed by Genians highlights the group’s gradual shift in domain usage, beginning with Japanese and US domains in April 2024, moving to Korean services by May, and eventually adopting fabricated Russian domains by September, says CSN.
These Russian domains, linked to a phishing tool called “star 3.0,” are registered to bolster the group’s campaigns. A file associated with these attacks, named “1.doc,” was flagged on VirusTotal, with some anti-malware services identifying it as connected to Kimsuky, reports CSN.
Interestingly, the group’s use of the “star 3.0” mailer ties back to earlier campaigns identified in 2021. At that time, the mailer was discovered on the website of Evangelia University, a US-based institution, and was linked to North Korean threat actors in reports by Proofpoint.
The evolving tactics of Kimsuky emphasize the need for vigilance among potential targets.
Cybersecurity experts recommend heightened scrutiny of suspicious communications, particularly those related to financial matters, and the adoption of advanced endpoint defenses. Since these lures carry no malware for an endpoint agent to catch, controls at the mail and web layer, such as sender-domain and link inspection, matter as much as EDR.
Staying informed about the group’s methods and updating security policies in response to emerging threats are crucial for protecting sensitive information and maintaining robust cybersecurity measures.