The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)
(Jan 30, 2019)
The threat group “SectorA05” has been observed conducting a phishing campaign against personnel of the South Korean government and cryptocurrency exchanges in order to install malware, according to researchers at Threat Recon. The campaign has been dubbed “Operation Kitty Phishing.” The phishing emails purport to relate to the Unification Ministry of South Korea and carry two .zip archives containing an executable disguised as a Hangul Word Processor (HWP) document. The executable drops two Remote Access Trojans (RATs) in the hope that at least one will evade antivirus. Once one of the RATs is successfully installed, it performs reconnaissance on the machine, captures screenshots, logs keystrokes, and steals passwords. The goal of the infection appears to be both mining cryptocurrency and stealing information from the South Korean government.
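The lure described above relies on an executable inside a .zip attachment passing for an HWP document. As an added example (not part of the original briefing or the Threat Recon report), the following Python scans a .zip attachment and flags entries whose content starts with the Windows PE "MZ" header but whose name does not end in an executable extension, entries with a document extension followed by an executable one (e.g. ".hwp.exe"), and plain executables. The sample archive, its file names, and the placeholder file bodies are all constructed for the example; they are not indicators from the campaign.

```python
import io
import zipfile

# Extensions that mean "Windows will run this", whatever precedes them in the name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".js"}
# Document extensions a lure borrows to look benign (HWP is the one used in this campaign).
DOCUMENT_EXTENSIONS = {".hwp", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
# Every Windows PE file begins with the DOS header signature "MZ".
PE_MAGIC = b"MZ"


def _extensions(filename):
    """All dotted extensions of the entry's base name, lower-cased, e.g. ['.hwp', '.exe']."""
    base = filename.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def classify_entry(name, head):
    """Return the reasons an archive entry looks like a disguised executable.

    name: entry file name inside the archive
    head: the first bytes of the entry's content (2 bytes are enough for the PE check)
    """
    exts = _extensions(name)
    final = exts[-1] if exts else ""
    reasons = []
    if final in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append("document extension followed by executable extension")
    elif final in EXECUTABLE_EXTENSIONS:
        reasons.append("executable file inside attachment")
    # Content check catches icon/name spoofing that the extension check cannot see.
    if head.startswith(PE_MAGIC) and final not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header under non-executable name")
    return reasons


def scan_zip(zip_bytes):
    """Map each suspicious entry name in the archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(2)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed test archive: two disguised PE stubs, one harmless document, one text file."""
    pe_stub = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00"  # minimal fake DOS/PE header, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("unification_ministry_notice.hwp.exe", pe_stub)  # double extension
        zf.writestr("notice.hwp", pe_stub)                           # PE body behind a .hwp name
        zf.writestr("agenda.hwp", b"\x00" * 64)                       # placeholder document body
        zf.writestr("readme.txt", b"meeting agenda attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Reading only the first two bytes of each entry keeps the scan cheap on large attachments; a mail gateway would run this before the archive ever reaches a user, and would treat any finding as grounds to quarantine the message rather than merely warn.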
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management to assist in identifying potential malicious communications.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.