Research Article

Focusing on the Weakest Link: A Similarity Analysis on Phishing Campaigns Based on the ATT&CK Matrix

Table 4

Campaigns of the Kimsuky and Lazarus groups.

APT group | Campaign | Campaign description

Kimsuky | K1 | A phishing campaign targeting ROK defense officials from January to June 2019. Distributes document files with a variety of extensions and delivers backdoors through HTA files (known as BabyShark).
Kimsuky | K2 | A phishing campaign targeting ROK politicians from August 2019 to March 2020. Delivers malicious files through VBA macros; most of the C2 servers are built on the WordPress platform (presumed to be a BabyShark variant).
Kimsuky | K3 | A phishing campaign targeting officials of the ROK Ministry of National Defense from October 2019 to August 2020. Drops a JavaScript backdoor and a self-deleting .bat file via WScript (known as AppleSeed).
Kimsuky | K4 | A phishing campaign from January to August 2021 targeting academia and infrastructure, such as professors and hospitals. Uses WScript and drops a backdoor DLL disguised as an antivirus program (AppleSeed variant).
Kimsuky | K5 | A phishing campaign circulated to the ROK Ministry of Unification and North Korean human rights activists from December 2019 to September 2020. Loads a PowerShell script through a Word document macro and downloads additional malware carrying a specific extension such as .down (known as FlowerPower).
Kimsuky | K6 | A phishing campaign distributed to general corporations from February 2020 to May 2021, using lures such as financial transactions and corporate management.

Lazarus Group | L1 | A phishing campaign circulated to cryptocurrency investors and cryptocurrency exchange officials from June 2018 to January 2020. Distributes malware disguised as a trading program through a web page set up for an exchange that does not exist.
Lazarus Group | L2 | A phishing campaign targeting US companies and government agencies from June 2018 to November 2019. Uses fake SSL communication and MIDA packing, and executes its malicious behavior depending on the option it is given (known as HOPLIGHT).
Lazarus Group | L3 | A phishing campaign using BMP images, from June 2018 to November 2019.
Lazarus Group | L4 | A phishing campaign aimed at job seekers from June 2018 to August 2019. When the macro in the Word document is enabled, an EPS script is executed and shellcode downloads additional information-stealing malware (known as Operation DreamJob).
Lazarus Group | L5 | Phishing campaigns from June 2018 to August 2019 targeting coronavirus vaccine companies and infrastructure such as nuclear power plants. Uses a WordPress-based C2 server, decodes the shellcode, and downloads additional malware encoded in Base64 (variant of Operation DreamJob).
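As an added illustration of the kind of ATT&CK-based campaign comparison the article's title refers to, the script below maps a subset of the Table 4 campaigns to ATT&CK technique IDs and computes exact pairwise Jaccard similarity. This is editor-added example code, not the authors' method or data: the technique sets are the editor's own reading of the one-line descriptions above (for instance "HTA files" read as T1218.005 Mshta) and are an assumption, not the paper's mapping. The `ignore` parameter shows a check worth doing before trusting any such score: every campaign in a phishing corpus shares the delivery pair (T1566.001 spearphishing attachment, T1204.002 malicious file execution), and leaving those in inflates every pairwise similarity.

```python
"""Pairwise ATT&CK technique-set similarity between phishing campaigns.

Editor-added example. The technique sets are inferred from the campaign
descriptions in Table 4 and are illustrative assumptions, not the article's
own campaign-to-technique mapping.
"""
from fractions import Fraction
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

# Constructed mapping campaign -> ATT&CK technique IDs (assumption; see docstring).
CAMPAIGNS: Dict[str, FrozenSet[str]] = {
    "K1": frozenset({"T1566.001", "T1204.002", "T1218.005"}),               # HTA backdoor run via mshta
    "K2": frozenset({"T1566.001", "T1204.002", "T1059.005", "T1071.001"}),  # VBA macro, WordPress C2 over HTTP
    "K3": frozenset({"T1566.001", "T1204.002", "T1059.007", "T1070.004"}),  # JS backdoor via WScript, self-deleting .bat
    "K4": frozenset({"T1566.001", "T1204.002", "T1059.007", "T1036.005"}),  # WScript, DLL posing as antivirus
    "K5": frozenset({"T1566.001", "T1204.002", "T1059.005", "T1059.001", "T1105"}),  # macro -> PowerShell -> download
    "L2": frozenset({"T1566.001", "T1204.002", "T1001.003", "T1027.002"}),  # fake SSL traffic, packed payload
    "L4": frozenset({"T1566.001", "T1204.002", "T1059.005", "T1105"}),      # macro -> shellcode -> stealer download
    "L5": frozenset({"T1566.001", "T1204.002", "T1071.001", "T1140", "T1105"}),  # WordPress C2, Base64 decode, download
}

Pair = Tuple[str, str]


def jaccard(a: FrozenSet[str], b: FrozenSet[str],
            ignore: FrozenSet[str] = frozenset()) -> Fraction:
    """|A n B| / |A u B| as an exact Fraction, after dropping techniques in `ignore`."""
    a, b = a - ignore, b - ignore
    union = a | b
    if not union:                       # both sets empty after filtering: nothing to compare
        return Fraction(0)
    return Fraction(len(a & b), len(union))


def common_baseline(campaigns: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Techniques present in every campaign. For a phishing corpus this is the
    delivery pair, which contributes to every score without distinguishing anything."""
    return frozenset.intersection(*campaigns.values())


def similarity_matrix(campaigns: Dict[str, FrozenSet[str]],
                      ignore: FrozenSet[str] = frozenset()) -> Dict[Pair, Fraction]:
    """Upper-triangular matrix of Jaccard scores keyed by (campaign_x, campaign_y)."""
    return {(x, y): jaccard(campaigns[x], campaigns[y], ignore)
            for x, y in combinations(sorted(campaigns), 2)}


def most_similar(matrix: Dict[Pair, Fraction], n: int = 3) -> List[Tuple[str, str, Fraction]]:
    """Top-n pairs by score; ties broken by campaign name so the output is deterministic."""
    ranked = sorted(matrix.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(x, y, score) for (x, y), score in ranked[:n]]


def cross_group_share(top: List[Tuple[str, str, Fraction]]) -> Fraction:
    """Fraction of the top pairs whose two campaigns belong to different APT groups
    (group is the letter prefix: K = Kimsuky, L = Lazarus)."""
    if not top:
        return Fraction(0)
    crossing = sum(1 for x, y, _ in top if x[0] != y[0])
    return Fraction(crossing, len(top))


if __name__ == "__main__":
    baseline = common_baseline(CAMPAIGNS)
    print("shared by all campaigns:", sorted(baseline))
    for label, ignore in (("raw", frozenset()), ("baseline removed", baseline)):
        top = most_similar(similarity_matrix(CAMPAIGNS, ignore))
        print(f"[{label}]")
        for x, y, s in top:
            print(f"  {x}-{y}: {s} ({float(s):.2f})")
        print("  cross-group share among top pairs:", cross_group_share(top))
```

Run stand-alone, the script prints the top pairs with and without the shared delivery techniques. In this constructed mapping the most similar pair is K5 and L4 (Word macro leading to a downloaded second stage), a cross-group pair, and its score drops from 4/5 to 2/3 once the two baseline techniques are removed while pairs that share only the delivery step fall to zero; that gap is the reason to strip the baseline before drawing conclusions about which campaigns resemble each other.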