Tuesday, February 18, 2025
HomeCyber CrimeNorth Korean Hackers Abuse DMARC To Legitimize Their Emails

North Korean Hackers Abuse DMARC To Legitimize Their Emails

Published on

SIEM as a Service

Follow Us on Google News

DMARC is targeted by hackers as this serves to act as a preventative measure against email spoofing and phishing attempts. 

They compromise DMARC (Domain-based Message Authentication Reporting and Conformance) so that they can evade email authentication protocols, consequently enabling them to mimic authentic senders and mislead recipients. 

This way they can put up more conceivable and advantageous phishing campaigns that lead to either making money or stealing data.

Cybersecurity researchers at ProofPoint recently discovered that North Korean hackers are actively abusing the DMARC to legitimize their illicit emails.

DMARC Abuse

Proofpoint tracks the North Korean state-aligned group TA427 (aka Emerald Sleet, APT43, THALLIUM, Kimsuky), which conducts phishing campaigns targeting experts on U.S. and South Korean foreign policy for the Reconnaissance General Bureau. 

Since 2023, TA427 has directly solicited opinions from foreign policy experts on nuclear disarmament, U.S.-ROK policies, and sanctions via innocent conversation-starting emails.

Free Live Webinarfor DIFR/SOC Teams: Securing the Top 3 SME Cyber Attack Vectors - Register Here.

Researchers observed a steady and sometimes increasing stream of this activity.

While TA427 consistently relies on social engineering and rotating email infrastructure, in December 2023, it began abusing lax DMARC policies for persona spoofing and incorporated web beacons for target profiling in February 2024.

Volume of TA427 phishing campaigns (Source – ProofPoint)

TA427 is a skilled social engineering threat actor likely supporting North Korean strategic intelligence collection on U.S. and South Korean foreign policy initiatives. 

By engaging targets over extended periods through rotating aliases and innocent conversations, TA427 builds rapport to solicit opinions and analysis, especially around foreign policy negotiation tactics. 

Leveraging customized, timely lure content and spoofing familiar DPRK researchers, TA427 requests targets share thoughts via email, papers, or articles rather than directly delivering malware or credential harvesting. 

This direct input approach may fulfill TA427’s intelligence requirements while the correspondence insights improve future targeting and connection building for additional engagement.

The goal appears to be augmenting North Korean intelligence to inform negotiation strategies.

Timeline of real-world events based on international press reporting (Source – ProofPoint)

Their lures include invitations to events on North Korean affairs, inviting perspectives on deterrence policies, nuclear programs, and possible conflicts.

It involves moving conversations between email addresses, such as those of individuals being targeted and their workplaces.

TA427 masks itself in a number of ways as think tanks, non-governmental organizations (NGOs), media outlets, educational institutions, and governmental bodies utilize DMARC abuse, typosquatting, and free email spoofing for legitimization

Timeline of real-world events based on international press reporting (Source – ProofPoint)

A different tactic from early February 2024 performs reconnaissance over the victim’s active email as well as the recipient environment through web beacons. 

One of the most frequently seen actors tracked by Proofpoint is TA427 which constantly adapts its modus operandi, infrastructure elements or even avatars to tactically target experts to steal information or gain initial access for intelligence purposes rather than profit maximization.

IoCs

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension

SectopRAT, also known as Arechclient2, is a sophisticated Remote Access Trojan (RAT) developed using...

Threat Actors Trojanize Popular Games to Evade Security and Infect Systems

A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of...

New Research Aims to Strengthen MITRE ATT&CK for Evolving Cyber Threats

A recent study by researchers from the National University of Singapore and NCS Cyber...

New LLM Vulnerability Exposes AI Models Like ChatGPT to Exploitation

A significant vulnerability has been identified in large language models (LLMs) such as ChatGPT,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake Timesheet Report Emails Linked to Tycoon 2FA Phishing Kit

Cybersecurity researchers have uncovered a novel phishing campaign distributing the notorious Tycoon 2FA phishing...

Astaroth 2FA Phishing Kit Targets Gmail, Yahoo, Office 365, and Third-Party Logins

A new phishing kit named Astaroth has emerged as a significant threat in the...

Device Code Phishing Attack Exploits Authentication Flow to Hijack Tokens

A sophisticated phishing campaign leveraging the device code authentication flow has been identified by...