A phishing attack comparable to Operation Kitty targets South Koreans

April 21, 2022

Researchers identified a new email phishing campaign attributed to a DPRK-nexus (North Korea-linked) threat actor, with tooling and technique that overlap with those currently used in Operation Kitty. The recent attacks also use malware-laden documents with several lures to entice victims and compromise their devices.

The phishing campaign was first identified by the researchers this month. Their analysis showed that the attacks aimed to steal data from South Korean citizens.

South Koreans are heavily targeted with spear-phishing emails carrying malicious Word files that pretend to come from several internet security firms, such as Menlo Security, SaniTOX, and AhnLab. The current campaign also spoofed the Korean Internet Information service, a lure that is convincing to most recipients because the service is widely used among South Koreans.

Moreover, the phishing campaign also impersonates cryptocurrency firms like Binance.

If an unaware user opens the phishing document, it automatically downloads a remote template, abusing the Microsoft Office remote code execution flaw tracked as CVE-2017-0199 to run a malicious VBA script.

The malicious VBA code then acts as a downloader for the subsequent phases of the kill chain, using two embedded remote URLs. The domains were created with a domain generation algorithm (DGA), with a different domain used for each payload in this campaign.
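The remote-template step described above leaves a static fingerprint in the document package itself: Word resolves the attached template through the settings relationships part, and an injected document points that relationship at an external URL. The following Python is an added example (it is not code from the original article or from the researchers who analysed the campaign) that builds a constructed, harmless document package and then checks it for an externally attached template. The URLs and document contents are made up for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return external attachedTemplate targets found in a .docx/.dotx blob.

    Word resolves w:attachedTemplate in word/settings.xml through
    word/_rels/settings.xml.rels. A relationship of the attachedTemplate
    type with TargetMode="External" and a URL or UNC target is fetched when
    the document opens, which is what remote-template injection relies on.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships, so no attached template
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode", "Internal").lower() != "external":
                continue  # a local template path is ordinary Word behaviour
            target = rel.get("Target", "")
            # http(s), file:// and UNC targets all cause an outbound fetch
            if re.match(r"^(?:https?://|file://|\\\\)", target, re.I):
                hits.append(target)
    return hits


def build_docx(template_target=None, external=True) -> bytes:
    """Construct a minimal Word package (a constructed sample, not a lure).

    With template_target set, the document's settings are wired to that
    template the way an injected document's are; with None it is plain.
    """
    rels = ""
    settings_body = ""
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/>')
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
            'content-types"><Default Extension="rels" ContentType="application/'
            'vnd.openxmlformats-package.relationships+xml"/><Default '
            'Extension="xml" ContentType="application/xml"/></Types>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/'
            'wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Security '
            'notice (constructed sample text)</w:t></w:r></w:p></w:body>'
            '</w:document>',
        "word/settings.xml":
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/'
            'wordprocessingml/2006/main" xmlns:r="http://schemas.openxml'
            'formats.org/officeDocument/2006/relationships">'
            f'{settings_body}</w:settings>',
        SETTINGS_RELS:
            f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, '<?xml version="1.0" encoding="UTF-8"?>' + xml)
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range; the host and path are made up.
    lure = build_docx("http://203.0.113.10/update/template.dotm")
    print("suspicious:", find_remote_templates(lure))
    print("clean:", find_remote_templates(build_docx()))
    print("local template:", find_remote_templates(build_docx("Normal.dotm", external=False)))
```

Run over a mail gateway's quarantined attachments, a non-empty result is a strong signal worth blocking before a user ever opens the file; an internal (local) template path is normal and is deliberately ignored.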


The phishing campaign takes different forms but follows an attack chain similar to that of Operation Kitty.


The researchers also noted multiple variants of the phishing campaign with only minor changes to the kill chain. In a separate wave, the threat actors exploited a Windows Help file to gain initial access and launch the malware used in the following stages.

Users registered on the South Korean online platform Naver are also being targeted by the threat actors through the same campaign.

The current spear-phishing attacks are unlikely to lessen in intensity or frequency over the next few months, so individuals should take deliberate steps to spot such threats. These include using a reliable email security gateway, checking emails for spelling and grammar errors, and, most importantly, opening attachments only when they come from known and trustworthy sources. Since the document lure depends on CVE-2017-0199, keeping Microsoft Office patched also removes the step the campaign relies on to run its macro.
