The ASEC analysis team recently identified that multiple malicious domains targeting normal websites of the financial sector had been created.
From early November, we detected multiple distribution cases of phishing emails impersonating Naver Help. Through these, we had been monitoring the malicious URL that was included in these emails.
The sender’s username was ‘Naver Center’ and the emails had a variety of topics to deceive users, including notifications for changes to contact details, creation of a new one-time password, login from unfamiliar locations, full mail storage, and blocked access attempts.
Clicking the ‘Check phone number’ in the above image brings up a fake Naver login page and when account credentials are entered into this page, a typical phishing attack is initiated where the account credentials are forwarded to a page designated by the threat actor.
One thing to note here is that n-e.kr was used as the top-level domain as in the past, AhnLab had identified a domain with a similar format being used in the Kimsuky group’s C2.
[Top-level domains frequently used in Kimsuky-related attacks]
- n-e.kr
- p-e.kr
- r-e.kr
- o-r.kr
- kro.kr and more
We first identified the IP where the phishing domain used in the attack was being resolved and found that there were multiple other related domains linked to the same IP. (As of December 14th, 2022, only a portion of the domains in the following list are found to be live.)
# Resolving IP : 210.16.120[.]212 [Singapore]
- conf.simpleedit.n-e[.]kr
- foward.viewpropile.p-e[.]kr
- dashboard.quikveoriy.o-r[.]kr
- www1.quickedit.o-r[.]kr
- www2.configment.p-e[.]kr
- wvw3.secure-edit.n-e[.]kr
- wwv3.supports.o-r[.]kr
- wvw1.user2list.kro[.]kr and more
Among the top-level domains, n-e.kr / p-e.kr / o-r.kr / kro.kr are the most common.
The top-level domains were resolved using the same two IP addresses. A portion of the relevant domains collected through AhnLab’s infrastructure is as follows.
There are a lot more malicious domains aside from those listed below.
# Resolving IP : 139.99.89[.]153 [Singapore] / 172.104.112[.]214 [Japan]
Even now, some live domains still exist, and certain pages enabled the downloading of malicious APK files.
| IP | Country | Malicious Domain | Target (assumed) | Live Status (As of Dec 14, 2022) |
Remarks |
| 139.99.89[.]153 | Singapore | shinhanbank.kro[.]kr | Shinhan Bank | X | |
| smartshinhan.kro[.]kr | O | Downloads malicious APK | |||
| tos.p-e[.]kr | Toss | X | |||
| kbank.o-r[.]kr | K Bank | O | Downloads malicious APK | ||
| k-bank1.kro[.]kr | X | ||||
| kamco.kbloan.r-e[.]kr | KAMCO (Korea Asset Management Corporation) | O | Downloads malicious APK | ||
| kakaosaving.kro[.]kr | KakaoBank | O | Downloads malicious APK |
| 172.104.112[.]214 | Japan | naver.o-r[.]kr | Naver | O | Impersonates the Naver Home Page |
| naver.kro[.]kr | X | ||||
| naver65.n-e[.]kr | X | ||||
| digital.pepperbank.kro[.]kr | Pepper Savings Bank | O | Downloads malicious APK files | ||
| inglife.kro[.]kr | Orange Life (formerly ING Life) | O | |||
| nhlife.kro[.]kr | NH Life | O | |||
| kamco.kbloan.kro[.]kr | KAMCO (Korea Asset Management Corporation) | O | |||
| kamco.webs.kro[.]kr | X | ||||
| k-bank.o-r[.]kr | K Bank | X | |||
| k-bank1.kro[.]kr | X | ||||
| heungkukfire.p-e[.]kr | Heungkuk Fire & Marine | O |
The downloaded malicious APK files were all identified to be malicious apps used for voice phishing. Their resolutions were optimized for mobile devices, and connecting to them with a mobile device displays the following pages.
The above image shows the download pages of malicious apps disguised as those of K Bank/Shinhan Bank/Korea Asset Management Corporation (KAMCO)/KakaoBank/Pepper Bank from left to right, and clicking the ‘Download App’ or ‘Apply’ buttons on each page downloads the malicious app.
This malicious app masquerades as financial institutions and includes the feature where if a device with this app installed makes a call to a particular number, the outgoing call is hijacked and routed to a number designated by the threat actor. When the app is opened, it leads users to download and install an app disguised as the ‘V3 mobile plus’ app, which contains malicious features.
As users can be led to malicious URLs through such clever methods using phishing emails, users must refrain from opening emails or text messages from unknown sources.
AhnLab’s anti-malware product, V3, detects and blocks the domains below as phishing websites.
[IOC]
hxxp://conf.simpleedit.n-e[.]kr
hxxp://foward.viewpropile.p-e[.]kr
hxxp://dashboard.quikveoriy.o-r[.]kr
hxxp://www1.quickedit.o-r[.]kr
hxxp://www2.configment.p-e[.]kr
hxxp://wvw3.secure-edit.n-e[.]kr
hxxp://wwv3.supports.o-r[.]kr
hxxp://wvw1.user2list.kro[.]kr
hxxp://shinhanbank.kro[.]kr
hxxp://smartshinhan.kro[.]kr
hxxp://tos.p-e[.]kr
hxxp://kbank.o-r[.]kr
hxxp://k-bank1.kro[.]kr
hxxp://kamco.kbloan.r-e[.]kr
hxxp://kakaosaving.kro[.]kr
hxxp://naver.o-r[.]kr
hxxp://naver.kro[.]kr
hxxp://naver65.n-e[.]kr
hxxp://digital.pepperbank.kro[.]kr
hxxp://inglife.kro[.]kr
hxxp://nhlife.kro[.]kr
hxxp://kamco.kbloan.kro[.]kr
hxxp://kamco.webs.kro[.]kr
hxxp://k-bank.o-r[.]kr
hxxp://k-bank1.kro[.]kr
hxxp://heungkukfire.p-e[.]kr
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information
[…] Phishing Attacks Impersonating Famous Korean Banking Apps […]