More than 50 phishing websites under the control of Thallium (also known as APT37) have been taken over by Microsoft Security. APT37 is a hacking group from North Korea that uses various zero-day vulnerabilities to launch attacks or spread malware through malicious email campaigns. Users who inadvertently click on the link in a phishing email may be infected; this is especially true of attacks that exploit Flash Player vulnerabilities, which require no further user interaction.
After a long period of tracking and investigation, Microsoft identified more than 50 domain names linked to the Thallium group, which were used to send emails and host phishing websites. Microsoft Security detected multiple attacks against the Microsoft Office 365 family of products and collected the relevant domain names in the process. On December 18, the Redmond-based company filed a lawsuit against Thallium in Virginia, USA. US courts approved Microsoft's request over the Christmas holidays, allowing the takeover of these malicious domain names; domain name registrars are required to comply with the court order. These domain names, which were used for illegal purposes, have now been taken over by Microsoft's security department.
The security industry has been tracking APT37 for a long time. Because the group is relatively strong in technical terms, a number of security companies have been involved in the investigation. APT37's most common approach is to use zero-day vulnerabilities in operating systems or software to launch attacks, and Flash Player is the software it exploits most often. The player is installed on most computers and has a particularly large number of vulnerabilities, so APT37 uses zero-day flaws in it to launch attacks that infect a machine without user interaction. APT37's targets are mainly government agencies in South Korea, Japan, Vietnam, and the Middle East, as well as companies in the chemical, electronics, and aerospace industries. In terms of attack methods, the group is also very good at social engineering and often uses information collected in advance to craft targeted phishing emails.