Tuesday, October 15, 2024
HomeCyber CrimeNorth Korean Hackers Abuse DMARC To Legitimize Their Emails

North Korean Hackers Abuse DMARC To Legitimize Their Emails

Published on

Malware protection

DMARC is targeted by hackers as this serves to act as a preventative measure against email spoofing and phishing attempts. 

They compromise DMARC (Domain-based Message Authentication Reporting and Conformance) so that they can evade email authentication protocols, consequently enabling them to mimic authentic senders and mislead recipients. 

This way they can put up more conceivable and advantageous phishing campaigns that lead to either making money or stealing data.

- Advertisement - SIEM as a Service

Cybersecurity researchers at ProofPoint recently discovered that North Korean hackers are actively abusing the DMARC to legitimize their illicit emails.

DMARC Abuse

Proofpoint tracks the North Korean state-aligned group TA427 (aka Emerald Sleet, APT43, THALLIUM, Kimsuky), which conducts phishing campaigns targeting experts on U.S. and South Korean foreign policy for the Reconnaissance General Bureau. 

Since 2023, TA427 has directly solicited opinions from foreign policy experts on nuclear disarmament, U.S.-ROK policies, and sanctions via innocent conversation-starting emails.

Free Live Webinarfor DIFR/SOC Teams: Securing the Top 3 SME Cyber Attack Vectors - Register Here.

Researchers observed a steady and sometimes increasing stream of this activity.

While TA427 consistently relies on social engineering and rotating email infrastructure, in December 2023, it began abusing lax DMARC policies for persona spoofing and incorporated web beacons for target profiling in February 2024.

Volume of TA427 phishing campaigns (Source – ProofPoint)

TA427 is a skilled social engineering threat actor likely supporting North Korean strategic intelligence collection on U.S. and South Korean foreign policy initiatives. 

By engaging targets over extended periods through rotating aliases and innocent conversations, TA427 builds rapport to solicit opinions and analysis, especially around foreign policy negotiation tactics. 

Leveraging customized, timely lure content and spoofing familiar DPRK researchers, TA427 requests targets share thoughts via email, papers, or articles rather than directly delivering malware or credential harvesting. 

This direct input approach may fulfill TA427’s intelligence requirements while the correspondence insights improve future targeting and connection building for additional engagement.

The goal appears to be augmenting North Korean intelligence to inform negotiation strategies.

Timeline of real-world events based on international press reporting (Source – ProofPoint)

Their lures include invitations to events on North Korean affairs, inviting perspectives on deterrence policies, nuclear programs, and possible conflicts.

It involves moving conversations between email addresses, such as those of individuals being targeted and their workplaces.

TA427 masks itself in a number of ways as think tanks, non-governmental organizations (NGOs), media outlets, educational institutions, and governmental bodies utilize DMARC abuse, typosquatting, and free email spoofing for legitimization

Timeline of real-world events based on international press reporting (Source – ProofPoint)

A different tactic from early February 2024 performs reconnaissance over the victim’s active email as well as the recipient environment through web beacons. 

One of the most frequently seen actors tracked by Proofpoint is TA427 which constantly adapts its modus operandi, infrastructure elements or even avatars to tactically target experts to steal information or gain initial access for intelligence purposes rather than profit maximization.

IoCs

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial...

North Korean Hackers Attempted To Steal Sensitive Military Data

Diehl Defence anti-aircraft missiles from Baden-Württemberg are successfully intercepting Russian attacks on Kyiv, according...

Hackers Abuse HTML Smuggling Technique To Deliver Sophisticated Phishing Page

Phishing attackers employed an HTML smuggling technique to deliver a malicious payload, as the...