Microsoft helps shutter domains run by North Korean cybergang Thallium
A U.S. district
court issued an order enabling Microsoft to take over 50 domains used by a North
Korea-based cybercrime gang to conduct spear phishing campaigns.
Microsoft’s
Digital Crimes Unit and the Microsoft Threat Intelligence Center took down the
domains controlled by a group it named Thallium after researching the malicious
actors activity and filing a report with the U.S. District Court for the
Eastern District of Virginia, said Tom Burt, Microsoft’s corporate vice president,
customer Security and trust.
The court documents were unsealed on December 27 and detailed Microsoft’s work deciphering how Thallium, which is believed to be North Korean, operated its campaigns. The group, according to Burt’s report, did extensive online research to develop the information needed to properly socially engineer the spear phishing emails. Targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most of the targets were based in the U.S., as well as Japan and South Korea.
A phishing
email would generally contain a message requesting the individual click on an
embedded link in order to correct an issue. Once the link is clicked the victim
is taken to a fraudulent site and asked to supply their login credentials at
which point Thallium has the ability to take over the account.
“Upon
successful compromise of a victim account, Thallium can review emails, contact
lists, calendar appointments and anything else of interest in the compromised
account. Thallium often also creates a new mail forwarding rule in the victim’s
account settings. This mail forwarding rule will forward all new emails
received by the victim to Thallium-controlled accounts. By using forwarding
rules, Thallium can continue to see email received by the victim, even after
the victim’s account password is updated,” Burt said.
Thallium
also used this access to plant the persistent, information-stealing malware BabyShark
or KimJongRAT.
Published at Thu, 02 Jan 2020 21:53:52 +0000
