North Korean Hackers Abuse DMARC to Legitimize Their Emails

North Korean threat actor TA427 has been launching email phishing campaigns targeting foreign policy experts in the US and South Korea.

Since 2023, they’ve used social engineering tactics and impersonation in emails to initiate conversations about nuclear disarmament and foreign policy. 

To bypass detection, TA427 started abusing DMARC policies in December 2023 to spoof legitimate email addresses and recently incorporated web beacons in February 2024 for profiling targets.  

TA427, a cyber actor likely affiliated with North Korea, uses social engineering to gather intelligence on US and South Korean foreign policy by targeting experts and engaging them in extended conversations over weeks or months, building trust with seemingly harmless topics. 

It tailors conversations to each victim’s interests and may impersonate familiar DPRK researchers to elicit information, while malware isn’t deployed immediately; instead, TA427 directly asks for the target’s insights via email or research papers. 

 An example of the TA427 campaign focused on US policy during an election year. 

The approach suggests gathering intelligence through conversation might be sufficient, while the knowledge gained is likely used to refine targeting and enable further interaction.  

A threat actor group, TA427, uses lure content to target individuals in the academic and think tank spaces by sending invitations to events about North Korean policies and asking questions related to nuclear weapons development. 

The topics are relevant to the target audience and help TA427 blend in and use multiple email threads, including personal and corporate emails, to bypass security controls and potentially deploy malware on corporate devices. 

Examples of TA427 cold outreaches to experts. 

It impersonates individuals from think tanks, NGOs, the media, academia, and government to gather information by pretending to be from well-known organizations such as the Stimson Center and the Atlantic Council.

To achieve impersonation, TA427 uses three methods: DMARC abutyposquatting, ting and private email account spoofing. 

Percent of campaigns using DMARC abuse, private email account spoofing, and typosquatting to masquerade as various personas from January 2023 through March 2024

Exploits weak DMARC policies to spoof email senders. DMARC uses SPF and DKIM for sender validation, but a permissive DMARC policy like “v=DMARC1; p=none; fo=1” bypasses security checks and ensures email delivery. 

TA427 abuses it by spoofing both the sender address and the reply-to address to further convince targets they are interacting with a legitimate entity and tools like Proofpoint’s DMARC record checker help identify vulnerable organizations lacking proper DMARC enforcement. 

Example of TA427 campaign using a web beacon. 

An advanced persistent threat actor has adopted a new tactic in February 2024: using web beacons in emails, which are embedded as invisible objects, to connect to a server controlled by the attackers when the email is opened. 

The initial reconnaissance helps TA427 validate active email targets and gather information about their network environments, such as IP addresses, user devices, and email open times. 

IOCs include engagement attempts from various organizations (Stimson Center, Wilson Center, etc.) regarding CBRNE (Chemical, Biological, Radiological, Nuclear, and Explosives) issues, invitations to conferences and discussions about North Korea, and essay requests on Korean topics. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here