ESTsecurity, hacking attacks disguised as condolences for the late Roh Tae-woo captured on Naver News

2021. 12. 3.

The notorious act of the Thallium organization

Integrated security company ESTsecurity (CEO Jeong Sang-won) urged special caution on the 28th after detecting a new APT campaign by the well-known North Korea-linked hacking group 'Thallium'.

Unlike the typical spear phishing technique of attaching malicious files to emails, this attack used a social-engineering phishing method that lures the recipient into clicking a URL link in the message body, with the message disguised as recent political news.

The threat actor chose North Korea experts active in the field of North Korean affairs as the main targets of this attack and showed meticulous preparation in lowering the recipients' guard: the email was disguised as Naver News coverage reporting that SK Group Chairman Chey Tae-won, son-in-law of the late former President Roh Tae-woo, had visited the mourning hall at Seoul National University Hospital and was leaving on a business trip to the United States.

According to ESTsecurity's Security Response Center (hereinafter ESRC), the wording used in the attack and the fake site screen were lifted without permission from a real news article published by a media outlet.

The sender name and address of the attack emails were manipulated to appear as 'NAVER NEWS', but the actual origin was the Bulgarian email service 'mail.bg', which North Korea-linked cyber threat groups have used several times before. On closer inspection of the email, the sender domain was disguised by spelling the letters 'c o r n' in place of '.com', so that 'corn' passes for 'com' at a glance (a lowercase 'r' followed by 'n' resembles an 'm' in many fonts).

The email body contains two [Go to news] links, both leading to an overseas server 'nid.livelogin365.in[.]net'. Visiting this address exposes the user's IP address and some web browser information, and additional malicious files could be installed at the attacker's discretion. The user is then redirected to 'nnews.naver-con.cloudns[.]cl', where a fake page disguised as the actual news article is displayed.
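The two disguises described above (the 'corn' for '.com' sender domain and the 'naver-con' link host) are the kind of thing a mail gateway or analyst script can check for mechanically. The following is an added example, not ESTsecurity's code: it parses a constructed message modelled on the campaign (the From line, Return-Path and HTML links are all assumed) and flags a look-alike From domain, an envelope/From mismatch, and link hosts that imitate a trusted domain.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the campaign above (not a real capture): NAVER NEWS
# display name, From domain spelt "corn" for "com", mail.bg envelope, look-alike links.
SAMPLE_EMAIL = """\
Return-Path: <sender@mail.bg>
From: NAVER NEWS <news@naver.corn>
Subject: [Naver News] Chairman Chey Tae-won visits mourning station
Content-Type: text/html; charset=utf-8

<html><body><p>Breaking news</p>
<a href="http://nid.livelogin365.in.net/go">[Go to news]</a>
<a href="http://nnews.naver-con.cloudns.cl/view">[Go to news]</a>
</body></html>
"""

TRUSTED = {"naver.com"}
# Letter sequences that render almost identically; collapsing them makes "naver.corn" == "naver.com".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def canonical(host: str) -> str:
    out = host.lower()
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return out


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'untrusted' for a sender or link host."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    canon = canonical(host)
    for d in TRUSTED:
        brand = d.split(".")[0]
        # Same domain once confusables collapse, or the brand embedded in a host registered elsewhere.
        if canon == d or canon.endswith("." + d) or brand in canon.replace("-", ""):
            return f"lookalike of {d}"
    return "untrusted"


def analyze(raw: str) -> dict:
    """Flag a look-alike From domain, envelope/From mismatch and look-alike link hosts."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    envelope = str(msg["Return-Path"]).strip("<> ").rsplit("@", 1)[-1].lower()
    html = msg.get_body(preferencelist=("html",)).get_content()
    hosts = [urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', html)]
    return {
        "from_domain": classify_host(sender.domain),
        "envelope_mismatch": envelope != sender.domain.lower(),
        "links": {h: classify_host(h) for h in hosts},
    }
```

Note that the brand-name check deliberately catches hosts like 'naver-con.cloudns.cl' that are not homoglyphs at all, while a host with no brand reference (the 'livelogin365' tracker) is only reported as untrusted and still needs a reputation or allow-list check.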

The same threat actors, widely known to be associated with North Korea's Reconnaissance General Bureau, have primarily used attacks that embed malicious macros in DOC and XLS documents or exploit PDF vulnerabilities (CVE-2020-9715). This time, however, they inserted fake links into the email body to check whether recipients click while minimizing exposure of their tooling during the reconnaissance phase.

ESRC's analysis attributed the attack to the North Korea-linked hacking group that Microsoft names 'Thallium', and identified it as part of the FakeStriker campaign targeting activists working on North Korean issues.

By comprehensively analyzing the attack's origin, the command and control (C2) server address, and code similarity with malicious files the threat actor has used in the past, ESTsecurity confirmed the distinctive commonalities in the group's activities and reported that the threat it poses is becoming increasingly active.

ESRC Center Manager Jonghyun Moon stated, "Using real news that is socially focused to stimulate curiosity in the recipients and lure them into accessing malicious links is an intelligent hacking method that continues to target North Korean sector workers," and advised, "Especially for experts in the fields of diplomacy, security, defense, unification, and those specialized in North Korean affairs, it is always safer to be cautious of unexpected emails from senders you have not seen before or that arrive unexpectedly."

ESTsecurity has completed an emergency update blocking the newly discovered malicious phishing address and is working closely with the relevant ministries and agencies to prevent further damage.

WE WORK WITH AI

We believe that AI makes the world more convenient and safer

1.

Senior care with AI

An AI senior care service that takes responsibility for seniors' fun and cognitive enhancement using AI human technology

2.

Education with AI

Expansion of educational businesses in various fields, such as creating celebrity instructor video lectures, producing TOEIC speaking educational content, and AI content in which an AI human acts as a fitness training instructor

3.

Content with AI

Implementing 'moving pictures' with EST AI technology, 'face transformation, makeup application, and clothing creation' through deep learning

Creating and utilizing various AI human content such as new employee analysts, announcers, etc.

4.

API business with AI

Companies can focus on their inherent customer value when we provide data and solutions using AI as an API.

5.

Software with AI

ESTsoft AI technology, such as the background removal applied in ALSee Capture and the smooth design of the ALTools products, provides the utility environment that users want.

LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.

Download Company Brochure

CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code 06711)

Family Site