North Korean Hackers Go On Phishing Expedition Before Trump-Kim Summit (Feb 26, 2019)
Security researchers have discovered a phishing campaign that is attempting to capitalize on the summit in Hanoi, Vietnam between President Donald Trump and the Democratic People’s Republic of Korea’s (DPRK) Kim Jong Un. Researchers suspect that DPRK actors, specifically “Velvet Chollima,” are behind this campaign, which appears, at the time of this writing, to be targeting South Korean individuals. The email purports to be an invitation from the “Korean-U.S. Friendship Society” to join a meeting hosted in Seoul, South Korea. The email contains an attachment in the Hangul Word Processor (HWP) file format (.hwp). The objective of the malicious document is to execute PostScript code on the recipient's machine; that code attempts to communicate with a Command and Control (C2) server for additional instructions.
Recommendation: This story represents potential threats and attacks that can arise based on current geopolitical developments. Therefore, awareness of tension between countries and governments can potentially grant some insight as to where attacks may originate. All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file-hosting service like Box or Dropbox.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.