# Kimsuky Phishing Operations Putting In Work

**[threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/](https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/)**

## Executive Summary


September 28, 2020


Recently, an international NGO that provides threat sharing and analysis support to frequently
targeted communities reached out to ThreatConnect wanting to learn more about the origins of a
targeted phishing attack they were researching. Researching both the attacker’s infrastructure
and tooling, we believe the nexus of the attack to be DPRK’s Kimsuky group (aka Velvet
Chollima). Kimsuky is notorious for their phishing efforts; researchers even dubbed this group the
[“King of Spear Phishing” in a 2019 VirusBulletin paper. They are also believed to be behind the](https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/)
attacks on [Korea Hydro & Nuclear Power in 2014. The potential targets identified in this research](https://www.reuters.com/article/us-nuclear-southkorea-northkorea/south-korea-blames-north-korea-for-december-hack-on-nuclear-operator-idUSKBN0MD0GR20150317)
range from journalism to civil society organizations. We suspect the activity discussed here to be
part of Kimsuky’s efforts to harvest credentials for espionage purposes though we can’t rule out
for certain that they aren’t other objectives.

The international NGO requested that we not share the contents of the phish or point out the
organization they are working with. To protect their identity we will share our findings starting from
[the Kimsuky nexus, which emanates from research published by Korean security firm](https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fblog.alyac.co.kr%2F3052)
ESTSecurity on a malicious document. From there, we’ll build out an understanding of additional,
associated infrastructure and potential targets gleaned from those findings.

### Kimsuky Nexus

[ESTSecurity inspected a malicious lure document discussing North Korean defectors. This lure](https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fblog.alyac.co.kr%2F3052)
document contained a UPX packed binary that reached out to wave[.]posadadesantiago[.]com.
Based upon their report we believe SHA256:
[252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c, either is or is](https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=9F5EDB6D8A230C06512464FE84DB0056&owner=Common%20Community#/)
strikingly similar to the document discussed in their blog post based on these similarities:

Lure document text matches the screenshot


-----

Figure 1: Screen Shot From
252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c

The binary used the same string obfuscation technique
C2 URL hxxp://wave[.]posadadesantiago[.]com/home/dwn.php?van=101
Malicious document VBA code similarities with what’s shown in the screenshots
Digital signature signer name EGIS CO., Ltd. in the dropped file

We’ll use this document as the launching point to discover additional infrastructure most likely
associated with this attack.

## Find All the Things

Before we get into our findings, we want to call out the infrastructure hunting techniques utilized
below. Starting with a domain, we’ll look at the IP that hosts the domain and how many other
domains are hosted there. In cases where very few and/or similar domains are hosted at the IP,
we can assess with a reasonable level of confidence that the IP is dedicated to a single user.


-----

Figure 2: Domain to Hosted On IP to Hosts Domains

The second primary technique used is pivoting off of similar subdomain values which use
reasonably unique strings. Think of this as searching on the beginning or middle of a multilevel
domain name. Using login.un-phish.bad[.]com as a contrived example we’d search on login.unphish.* to see what other domains this subdomain was used under. The trick here is not
searching on a common string. Subdomain inspection can also hint at the activity behind the
domain or even who might be targeted. For example, seeing a URL starting with login suggests
that the URL is being used to harvest credentials. Finally, while infrastructure hunting may seem
more like an art than a science; remember to always look for additional data points like registrar
or hosting information to corroborate the results.

VirusTotal (VT) provides additional information on the malicious document. Here we are looking
for any In The Wild (ITW) file origin URLs listed. These URLs sometimes show IPs or domains
that served up the file. VT returns this ITW file origin URL:

hxxp://onedrive.sslport[.]work/share/file/interview%20with%20a%20north%20korean%20defector.doc
[(VT Link)](https://www.virustotal.com/gui/url/4444c37c684a628be261cabf8736271e753d883b46f0123fabb753720a2c1a16/details)

We now have a domain, let’s start the pivots!


-----

### IP Pivot

Taking this domain, sslport[.]work, pivot off the IP hosting the domain to uncover a number of
domains hosted on the same IP.

Figure 3: sslport[.]work to IP to Domains to IP to Domains

IP: 108.62.141.33

com-download[.]work
com-option[.]work
com-sslnet[.]work
com-ssl[.]work
com-vps[.]work
desk-top[.]work


-----

intemet[.]work
jp-ssl[.]work
org-vip[.]work
sslport[.]work
sslserver[.]work
ssltop[.]work
taplist[.]work
vpstop[.]work
webmain[.]work

The domain com-download[.]work stands out as it was referenced in an article linked from the
ESTSecurity article above. The [article describes a phishing attempt against the Korean Studies](https://translate.googleusercontent.com/translate_c?depth=1&pto=aue&rurl=translate.google.com&sl=auto&sp=nmt4&tl=en&u=https://www.rfa.org/korean/in_focus/nkhacking-05292020160533.html&usg=ALkJrhjv1NquqHlzN_8cgoKTjigGU1AwAQ)
Institute at George Washington University.

Next, let’s look into subdomains used.

### Enumerating Subdomains

Focusing on sslport[.]work again, we see some interesting subdomains under the pDNS tab in
DomainTools Iris:

Figure 4: sslport[.]work pDNS

These two entries:

mail.rfanews.sslport[.]work
mail.rfa.sslport[.]work


-----

[lead to a potential target — Radio Free Asia, a](https://www.rfa.org/)
broadcast organization that consistently reports on
North Korea. The usage of RFA in the subdomain
is suspicious but we can’t say for certain they were
a target as their likeness may have been used in
attacks against other organizations.

Pulling on another thread from the same IP, we
find another potential target. These three entries
appear when looking at the pDNS data in
DomainTools for the IP 108.62.141[.]33.

Figure 6: 108.62.141[.]33 pDNS

registry.ohchr.tlsmain[.]work
www[.]registry[.]ohchr[.]tlsmain[.]work
www[.]intranet[.]ohchr[.]tlsmain[.]work


Figure 5: Radio Free Asia


Immediately ohchr jumps out as it may spoof the “Office of the United Nations High
Commissioner for Human Rights”.


-----

But wait! The trail does not stop here.


Figure 7: OHCHR


-----

### Subdomain String Pivot

Pivoting off of the subdomain string intranet.ohchr.* using DomainTools Iris we identify additional,
most likely related, domains.

Figure 8: Subdomain String Pivot

In particular these three domains appear to be related:

intranet.ohchr.account-protect[.]work
intranet.ohchr.org-view[.]work
intranet.ohchr.org-view[.]pw

Upon inspecting org-view[.]work further we find:

amaniafrica-et.org-view[.]work
doc-view.docomo.ne.org-view[.]work
intranet.ohchr.org-view[.]work
login-yahoo.org-view[.]work
login.aei.org-view[.]work
login.gordonchang.org-view[.]work
login.microsoftonline.org-view[.]work
login.un.org-view[.]work
login.yahoo.co.jp.org-view[.]work
login.yahoo.com-service.org-view[.]work
offerhubs.org-view[.]work
ohchr.org-view[.]work
preview.manage.org-view[.]work
spurgentaction.in.ohchr.org-view[.]work
www.intranet.ohchr.org-view[.]work
webmail.org-view[.]work

Additional potential targets can be gleaned from this list.  At a high level these targets are civil
society organizations.

First, the subdomain amaniafrica-et appears to be masquerading as amaniafrica-et.org.

In addition to being a civil society organization, interest in this organization could be due to
commercial ties North Korea has had with different African nations over the years, according to
the [Washington Post.](https://www.washingtonpost.com/world/africa/north-koreas-surprising-lucrative-relationship-with-africa/2017/07/10/c4e6f65d-30fe-4bd2-b178-d90daaac3007_story.html)


-----

The next one on the
list that jumps out is
the American
Enterprise Institute
(AEI). According to
their [website, AEI](https://www.aei.org/about/)
focuses on defending
human dignity.

## Connecting the Dots


Figure 9: Amani Africa Logo from their website

Figure 10: AEI from their site


Connecting the indicators with the potential targets graphically, we see a fair number of resources
targeting OHCHR.


-----

Figure 11: Adventure Graph (click to enlarge)

## Timeline

Taking just the domains and subdomains in this article and mapping it to a timeline, we can see
the continuous efforts Kimsuky is going through to gather credentials. The activity covered here,
according to DomainTool’s Iris, goes back as far as December of 2019 and is as recent as August
of this year.

## Potential Targets Uncovered

Based on the identified subdomains, the following organizations are possible targets of this
campaign, or their likeness was spoofed in targeting other organizations:

Amani Africa


-----

Radio Free Asia
American Enterprise Institute
Office of the United Nations High Commissioner for Human Rights

In addition to these, Korean Studies Institute at George Washington University didn’t have a
subdomain that was indicative of them being targeted; however, they were still found via
infrastructure pivoting along with a public report of them being targeted. For the rest, we
acknowledge that the subdomains used could be indicative of the target; they could also be used
to go after third parties that might trust those organizations.

## Conclusion

ThreatConnect believes that Kimsuky will continue to target journalism and civil society
organizations, particularly those focusing on North Korean issues. Organizations reporting on
North Korea human rights violations or working with North Korean defectors need to remain
especially vigilant of phishing attacks that take advantage of the information sharing culture they
are part of. Be wary of any link and/or attachment, especially those asking for credentials, and
enable two factor authentication to mitigate actors’ access with compromised credentials.

## Appendix

[ThreatConnect Incident](https://app.threatconnect.com/auth/incident/incident.xhtml?incident=4101914816#/)
[IoC CSV](https://threatconnect.com/wp-content/uploads/ThreatConnect-Kimsuky-Phishing-Operations-Putting-In-Work-IoC.csv)


-----