kimsuky

Thallium phishing email attack spoofing the Ministry of Unification

A recently discovered email hacking attack has been analyzed and attributed to the Thallium group. Thallium is currently the most active cyber-espionage group among those targeting South Korea and the United States, and it has been running a series of attacks themed on the recent 8th Party Congress in North Korea, aimed mainly at the politics, diplomacy, security, and unification sectors.

The newly discovered attack is notable for its careful manipulation of the sender so that the message looks like an email from the Ministry of Unification: the sender field reads 'Ministry of Unification <[email protected]>', so recipients are very likely to mistake it for a message actually sent by the ministry.

[Figure: Thallium phishing email]

The attackers are assessed to have set up a separate mail server to spoof the sender address so that it appears to come from the Ministry of Unification domain. The email body contains an image of the first page of a document presented as issued by the Ministry of Unification, and below the image a URL link is inserted, styled as if a document from the Korea Institute for National Unification (KINU) were attached, to induce clicks.

At first glance the email appears to carry KINU's analysis of North Korea's 8th Party Congress. In fact the attack uses a malicious link rather than a PDF attachment: when the link is clicked, instead of the document, a screen appears asking for the recipient's email password.

If the password is entered at this point, the credential is sent to the attacker, exposing the contents of the mailbox, and there is a further risk that the stolen account is used to send follow-up attack emails to the victim's contacts, turning the victim into an unwitting relay. The attack is also sophisticated in that, after the password has been stolen, it displays a document that KINU actually published, so that the victim does not immediately realize they have been compromised.

However, the title of the current-issue analysis (online series) registered on the official KINU website is 'Analysis of the 8th Congress of the Korean Workers' Party (2): Economic and Sociocultural Fields', whereas the lure document's title, 'Chosun Workers' Party Analysis of the 8th Congress (2): Economic and Social and Cultural Fields', differs from it.


IOCs

naver.servehttp.com
attach.ddns.net
bigfile-naver.servepics.com
naver.serveblog.net
cafe-daum.ddns.net
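The two traits described above, a From header that claims a ministry domain while the message actually originates elsewhere, and a document link that points at a DDNS host, can be checked automatically. The Python script below is an added example written for this page, not code from the original article or from the researchers who analyzed the campaign. It parses a message with the standard library, compares the From domain against the envelope sender and the Authentication-Results verdicts, extracts URLs from the body, and matches their hosts against the IOC list above. The sample message is constructed for the example; ministry.example is a placeholder, not the real ministry domain, and the Authentication-Results line assumes the receiving MTA writes SPF/DMARC verdicts in the usual `spf=`/`dmarc=` form.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts from the IOC list on this page.
IOC_DOMAINS = {
    "naver.servehttp.com",
    "attach.ddns.net",
    "bigfile-naver.servepics.com",
    "naver.serveblog.net",
    "cafe-daum.ddns.net",
}

# Constructed sample, not an actual message from the campaign. The display
# name and From domain imitate a ministry (ministry.example is a placeholder,
# not the real domain) while the envelope sender and the link use an IOC host.
SAMPLE_EMAIL = """\
Return-Path: <bounce@naver.servehttp.com>
Received: from naver.servehttp.com (naver.servehttp.com [192.0.2.10])
 by mx.example.org with ESMTP; Mon, 25 Jan 2021 09:00:00 +0900
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=naver.servehttp.com;
 dkim=none;
 dmarc=fail header.from=ministry.example
From: Ministry of Unification <press@ministry.example>
To: target@example.org
Subject: Analysis of the 8th Congress of the Korean Workers' Party (2)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><img src="cid:page1.png" alt="first page of the report"></p>
<p><a href="http://naver.servehttp.com/attach/kinu_report.pdf">kinu_report.pdf</a></p>
</body></html>
"""


def addr_domain(header_value) -> str:
    """Return the lower-cased domain part of an address header value."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results, if present."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def extract_urls(msg) -> list:
    """Collect http(s) URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        urls.extend(re.findall(r"https?://[^\s\"'<>]+", part.get_content()))
    return urls


def ioc_hits(urls, iocs=IOC_DOMAINS) -> set:
    """Return IOC domains that a URL host equals or is a subdomain of."""
    hits = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        for ioc in iocs:
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits


def analyze(raw: str) -> dict:
    """Flag the two traits of this lure: spoofed sender and link to an IOC host."""
    msg = message_from_string(raw, policy=default)
    from_domain = addr_domain(msg.get("From"))
    envelope_domain = addr_domain(msg.get("Return-Path"))
    auth = auth_results(msg)
    urls = extract_urls(msg)
    hits = ioc_hits(urls)
    # A mismatch between header From and envelope sender, or a failed SPF/DMARC
    # verdict, is the fingerprint of a separately operated spoofing server.
    sender_spoofed = (
        from_domain != envelope_domain
        or auth.get("spf") == "fail"
        or auth.get("dmarc") == "fail"
    )
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "urls": urls,
        "ioc_hits": sorted(hits),
        "sender_spoofed": sender_spoofed,
        "suspicious": sender_spoofed and bool(hits),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Matching on the URL host rather than on the raw string avoids false hits on paths or query strings that merely contain an IOC name, and the subdomain check catches hosts such as www.attach.ddns.net that the IOC list covers implicitly. In a mail pipeline the same checks would run on the raw RFC 5322 message before any link is rendered to the user.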