Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Hunt researchers recently uncovered evidence of a suspected North Korean-linked phishing campaign targeting Naver, a major South Korean tech platform. The initial discovery involved an open directory containing phishing pages crafted to steal Naver users' login credentials.

Separately, an unrelated infrastructure cluster was found using domains and certificates that impersonated Apple. Both findings align with tactics commonly linked to cyber operations by Democratic People's Republic of Korea (DPRK) actors. 

Details of the Phishing Server

During a routine hunt for malicious infrastructure in AttackCapture™, our team identified an exposed directory at https://158.247.238[.]155/naver, hosted on The Constant Company ASN and located in Seoul. The server's file path, geographical location, and open directory prompted a deeper examination.

A closer look at the IP revealed that the server hosts more than 200 domains-a detail that will be covered later. Notably, HTTP services on ports 80 and 443 run Apache 2.4.62 (Debian).

Further investigation revealed that port 80 redirects visitors to the legitimate Naver website, suggesting an attempt to deceive users by leading to what appears to be authentic content.

Phishing Campaign Targeting Naver Users

The naver directory contains three folders-change, cookie, and login. Each folder aligns with typical patterns seen in credential-stealing campaigns and with actors like Kimsuky, who routinely leave their phishing servers exposed.

Multiple IP addresses, consisting of VPN endpoints, visitors accessing the directory, and potential victims, were found within the cookie and login directories. The IP logs suggest the threat actor actively tracks incoming connections, potentially monitors for researchers, or identifies future targets. 

A breakdown of the folder contents is as follows:

• The login folder contains three files: index_login.php, recon.htm, and rtnurl.

• Cookie includes two files: index_c.php and recon.htm.

• Finally, change holds index_ch.php and recon.htm.

Each file contributes to the overall phishing operation, serving a specific function. The following section will explore how these pages are designed to deceive users and extract credentials.

Technical Analysis of Phishing Pages

An examination of the PHP files found that the scripts currently return blank pages, suggesting they might be placeholders or have a purpose not directly tied to visible user interaction. Their specific role remains uncertain at this time.

Of greater interest is the file recon.htm, which mimics a Naver "My Info" password change page. Above the username and password fields is a message (in Korean) that translates to:

Deleting Cookies
You'll need to verify your identity to block suspicious devices.

This text is likely designed to instill a sense of urgency and encourage potential users to provide their credentials. 

The page, however, appears incomplete. The username field does not function, and submitting a password yields no response, indicating that information exfiltration may still be in development. 

The rtnurl file is a plain text document that displays a single URL when viewed in a browser: https://visitnhisserver[.]store/success.html. 

Upon navigating to the site, users are presented with a customized Naver page stating: "Your mail account has been converted from dormant to active" and advising them to "Check your security settings to make sure your account is protected."

An HTTP 302 redirect is then performed, opening a login page at: 

https://nid.naver.com/nidlogin.login?mode=form&url=https%3A%2F%2Fnid.naver.com%2Fuser2%2Fhelp%2FmyInfoV2%3Flang%3Dko_KR.

An interesting detail in the HTTP request is a different domain in the referer field: https://nextonlinecom[.]store/.

The use of .store top-level domains and the targeting of Naver closely align with methods often reported as linked to North Korean threat actors. Groups like Lazarus and Kimsuky have a documented history of focusing on South Korean entities, frequently using low-cost domains to host malicious infrastructure while attempting to maintain a legitimate appearance.

While the attribution isn't definitive, these indicators suggest a possible link to known North Korean threat actors.

Infrastructure Analysis: Domains and Certificates

According to Hunt telemetry, 231 domains resolve to the server at 158.247.238[.]155. Many use uncommon top-level domains besides .store, like .cfd and .info. The majority of the domains display a technical theme, incorporating terms such as "online," "server," "json," "mail," and "hosting."

One domain-www.fnsc-law[.]info-deviates from this pattern, indicating it may serve a different purpose from the others. 

Registration data shows that most domains were secured through registrars Namecheap and Namesilo. The primary nameservers include ns1, ns2, and ns3.dnsowl.com, as well as DNS1 and DNS2.REGISTRAR-SERVERS.COM.

Next, we'll examine the certificates associated with this IP.

Analysis of the SSL history in Hunt shows that the server administrators frequently updated or replaced TLS certificates issued by Let's Encrypt every few days.

Our scanners last observed the most recent certificate, with a SHA-256 hash of 35A101941F438A7D072B31EB3B666E2C31A070DD7CF8099D20B738778FBD3458, on October 25, 2024.

Threat actors frequently utilize Let's Encrypt to add legitimacy to malicious infrastructure while keeping costs low--a tactic also observed in DPRK-associated campaigns.

An independent research effort by the team uncovered a separate cluster of IPs distributed across multiple countries that share TLS certificates and domains spoofing Apple. The TLDs and use of Let's Encrypt certificates are consistent with the campaign mentioned above.

A researcher recently linked one of the IPs to Talos' UAT-5394, indicating connections to related threat activity.

Identification of Suspicious Apple-Themed Certificates

In late September, while analyzing new hostnames found in TLS certificates via Hunt's Threat Intelligence Feeds, the domain ulta.appleplus[.]store, hosted on 185.239.0[.]42, was seen as a common name for a certificate. This IP is part of the Web Dadeh Paydar Co (Ltd) ASN and is hosted in Iran.

The domain's clear attempt to mimic an Apple-related name prompted us to scrutinize the services and behavior of the server further. The certificate remains active as of this post's publication.

Further investigation into historical TLS records for this IP revealed a short-lived certificate with the common name appleplus[.]shop, which was hosted on port 8443 for a single day-September 13, 2024. 

Mirroring the activity in the previous section, both domains were registered using Namecheap; however, this set of domains used CloudFlare for their name servers, newt.ns.cloudflare.com and penny.ns.cloudflare.com.

A unique HTTP response was also observed on port 2052, which did not appear on the other ports associated with the certificate.

These two certificates were the starting point of our investigation. The domain ulta.appleplus[.]store is likely a typosquat targeting the word "ultra," intended to trick users browsing for legitimate Apple-related content.

Using the above as pivot points, we identified eight additional IP addresses sharing one or both of the above subject common names.

We will highlight a few of the more notable servers identified during this analysis, accompanied by a timeline and key findings to conclude the post.

A comprehensive table containing all discovered IPs and their relevant details is available at the end of this post.

107.189.16[.]65

We'll begin with the older of the two certificates, identified by its SHA-256 fingerprint 3201FA0F5D8269E556AEC50F820F17E1AE760CD86E5084BDCCDFE0AFF6430E06. This certificate was found on just two IP addresses: the previously analyzed server and 107.189.16[.]65, hosted by RouterHosting LLC in the U.S. As with the first IP, it was active for only a single day-September 18, 2024.

The threat actor appears to be rotating certificates between different IP addresses, suggesting an effort to change infrastructure frequently and potentially avoid straightforward detection.

This IP was recently discussed in an extensive thread by Researcher and X user @eastside_nci, who found connections to Talos' UAT-5394. 

We'd encourage readers to check out the posts for an in-depth analysis of this IP, the domains, and their potential connections to what Talos describes as a "state-sponsored North Korean threat actor." 

Network scan results for 107.189.16[.]65 revealed a similar pattern of numbered ports as 185.239.0[.]42 and HTTP/0.0 307 redirects on ports 2083, 2096, and 8443.

Similarly noted by @eastside_nci, we also identified an HTTP 302 redirect with a location header of https://mail.naver[.]com.

185.239.0[.]43

We didn't have to look far for the next IP in this cluster: 185.239.0[.]43 falls within the same ASN space as the server that initially caught our attention. Once again, we see the exact domains (appleplus[.]shop and ulta.appleplus[.]store) as .42 associated with TLS fields.

Interestingly, during February and March of this year, the domain applelplus1.hydadhybidad2[.]xyz was a common name for two certificates.

At this time, there is no information to confirm whether appleplus1.hydadhybidad2[.]xyz is directly linked to the current activity being analyzed.

The timeline below illustrates the overlaps in using certificates across different IP addresses. The dates shown are based on Hunt's scanning data, marking when each certificate was first and last observed.

The activity illustrated in the above figure spans from late June until Oct 26, 2024, with several notable discoveries:

• Iran-Based Servers: Several additional servers were identified in Iran, including 185.239.0[.]39, and 185.239.2[.]170. If this cluster is confirmed to be linked to a DPRK threat actor, it would represent a shift from previously observed hosting practices.

• More Appleplus CNs: Two more subject common names spoofing Apple were discovered: appleplus.dnbaletmigardam[.]top on 185.239.0[.]39, and appleplus[.]sbs, hosted on 206.206.125[.]237.

These findings indicate tactics and infrastructure choices consistent with DPRK threat actors, particularly the rotation of certificates across multiple IPs. This behavior highlights the importance of monitoring these shifting patterns closely to detect potential threats early and adapt defenses accordingly.

Conclusion

This research sheds light on two separate infrastructures exhibiting potential ties to DPRK threat actors, emphasizing the varied tactics often seen in North Korean malicious cyber operations. In both cases, the similarities in TLDs and the use of free certificate authorities point to likely broader malicious activities aimed at data theft and network compromise.

We'll continue to monitor this activity as it develops, and we encourage the community to use Hunt's tools to identify further indicators that could result in the attribution of this activity to a specific threat group.

Phishing Campaign Observables

Apple Domain Spoofing Observables