Kimsuky, a North Korean APT group operating on behalf of the Reconnaissance General Bureau, runs targeted phishing campaigns against universities to steal research. The group exploits weak or missing DMARC policies on the domains it impersonates: when a domain publishes no policy, or only p=none, spoofed mail is delivered rather than quarantined or rejected, which hides the social engineering behind a sender the victim trusts. This fits North Korea's broader aim of acquiring intelligence to advance its scientific capabilities, mirroring its earlier theft of nuclear, healthcare, and pharmaceutical research. The recent exposure of Kimsuky's OPSEC failures gives critical insight into how the group operates and confirms that it remains an active cyber-espionage threat.

Kimsuky uses compromised internet hosts, including audko[.]store, dorray[.]site, and others, as staging grounds for its attacks, deploying onto them a heavily obfuscated webshell dubbed "Green Dinosaur", which is derived from Indrajith Mini Shell 2.0.

[Image: "Green Dinosaur" webshell]

The webshell has been stripped of every function it does not need, which shrinks its footprint and makes it harder to detect. What remains lets a remote operator upload, download, rename, and delete files, which is all that is required to stand up phishing sites on the compromised host.

Kimsuky has built phishing pages that mirror the login portals of Dongduk University, Korea University, and Yonsei University. The cloned pages are modified to capture submitted credentials in the clear, bypassing the client-side encryption the genuine portals apply before submission, and then redirect the victim to a decoy PDF hosted on Google Drive. The PDF, disguised as an invitation to the Asan Institute for Policy Studies August Forum, is a social-engineering prop: it makes the login appear to have succeeded and gives the victim no reason to suspect the page was fake.
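The DMARC weakness described above is something a defender can check for directly. The following is an added example (it is not code from the article, from GBHackers, or from Kimsuky's tooling) that parses DMARC TXT records and classifies whether a domain is spoofable: no record, a malformed record, p=none, a partial pct, or an sp=none that leaves subdomains unprotected. The domain names and records in SAMPLE_DMARC_RECORDS are constructed samples so the script runs offline; a real assessment would fetch the TXT record at _dmarc.<domain> (for example with dnspython's dns.resolver.resolve) and pass it to assess() instead.

```python
"""Classify DMARC policies by how much protection they give against sender spoofing.

Added example, not from the article or from any Kimsuky artifact. The records
below are constructed samples standing in for the TXT record at _dmarc.<domain>.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records, keyed by domain. None models a domain with no
# _dmarc TXT record at all.
SAMPLE_DMARC_RECORDS: Dict[str, Optional[str]] = {
    "no-policy.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s",
    "malformed.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]           # effective p= value, or None if no usable record
    subdomain_policy: Optional[str]  # effective sp= value (defaults to p=)
    pct: int                         # share of failing mail the policy applies to
    spoofable: bool                  # True if spoofed mail can still reach inboxes
    reason: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lowercase tag -> value; {} if it is not v=DMARC1."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")  # partition keeps '=' inside mailto: URIs intact
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Decide whether a domain's DMARC policy actually blocks spoofed mail."""
    if record is None:
        return DmarcAssessment(domain, None, None, 0, True,
                               "no _dmarc record: receivers apply no policy")
    tags = parse_dmarc(record)
    if not tags:
        return DmarcAssessment(domain, None, None, 0, True,
                               "malformed record (not v=DMARC1): treated as absent")

    # RFC 7489 s6.6.3: a record without p= is usable only if rua= is present,
    # in which case receivers treat it as p=none.
    policy = tags.get("p", "").lower()
    if not policy:
        if "rua" not in tags:
            return DmarcAssessment(domain, None, None, 0, True,
                                   "record has no p= tag and no rua=: ignored by receivers")
        policy = "none"
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct= is treated as the default of 100

    if policy == "none":
        return DmarcAssessment(domain, policy, subdomain_policy, pct, True,
                               "p=none: failing mail is delivered and only reported")
    if pct < 100:
        return DmarcAssessment(domain, policy, subdomain_policy, pct, True,
                               f"p={policy} is applied to only {pct}% of failing mail")
    if subdomain_policy == "none":
        return DmarcAssessment(domain, policy, subdomain_policy, pct, True,
                               "sp=none: mail from any subdomain is not enforced")
    return DmarcAssessment(domain, policy, subdomain_policy, pct, False,
                           f"p={policy} enforced on 100% of failing mail")


def assess_all(records: Dict[str, Optional[str]]) -> Dict[str, DmarcAssessment]:
    return {domain: assess(domain, rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for result in assess_all(SAMPLE_DMARC_RECORDS).values():
        flag = "SPOOFABLE" if result.spoofable else "enforced "
        print(f"{flag} {result.domain:22} {result.reason}")
```

Only strict.example survives the check; every other sample is one a phishing operator could impersonate with a plain spoofed From: header. Note that a p=reject policy still does nothing for look-alike domains the attacker registers himself, which is the other half of how these university portal clones are delivered.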
Source: GBHackers