Prediction of future attack indicators based on the 2024 analysis of threats from malicious app distribution sites in South Korea

Friday 26 September 09:30 - 10:00, Red room

Kyung Rae Noh (Korea Internet & Security Agency), Shinho Lee (Gachon University), Eui-Tak Kim (Gachon University), Yujin Shim (Korea Internet & Security Agency), Jonghwa Han (Korea Internet & Security Agency) & Jung-Sik Cho (Korea Internet & Security Agency)

As the cyber threat landscape expands rapidly, early detection of attack indicators and timely identification of attackers' objectives and targets have become increasingly critical. The Korea Internet & Security Agency (KISA) previously faced limitations with individually operated threat detection systems, including difficulty correlating the collected data for in-depth threat analysis and a heavy dependency on specialized personnel. To overcome these limitations, KISA's Digital Incident Detection Team initiated the Cyber Spider project in 2022. This system integrates normalized data collected from various detection systems into a centralized data lake, enabling automated correlation analyses that proactively detect and respond to emerging cyber threats.

This paper presents an analysis of malicious URL patterns associated with smishing attacks, based on data mining and tracking of 10,358,700 smishing-related data points (including SMS message contents, phishing URLs, and malicious app distribution URLs) collected by Cyber Spider in 2024. Analysis of main domains revealed that a substantial proportion were generated by Domain Generation Algorithms (DGAs), particularly combined with typosquatting techniques targeting legitimate domains belonging to financial institutions or public sector organizations to exploit user trust. We define this hybrid attack method as Registered Typosquatting Domain Generation Algorithms (RT-DGAs).

RT-DGA-generated domains accounted for approximately 34.9% of all smishing-related data collected in 2024 and consistently exhibited identifiable patterns and regularities in their subdomain and path structures. Additionally, we observed a notable tendency among attackers to concentrate domain registrations on specific Top-Level Domains (TLDs), indicating a deliberate strategy to evade detection by systematically generating and registering modified versions of legitimate domain keywords.

Our analysis of the 214 Name Servers (NS) hosting these malicious domains revealed that 87.45% were concentrated at a single Internet Service Provider (ISP), highlighting a critical point for targeted mitigation. Unlike traditional randomly generated DGA domains, RT-DGA domains are human-readable names that attackers actively register and then use to distribute malicious content. These characteristics significantly complicate detection by conventional DGA detection models and further increase the likelihood of evading traditional blacklist-based detection and mitigation systems.

Finally, this paper classifies recent smishing attacks in South Korea by social engineering impersonation type – including financial institutions, public sector organizations, funeral notices, wedding invitations, and parcel delivery notifications – and provides detailed insights into, and temporal trends of, the malicious app distribution domains associated with each attack type. Additionally, correlation analyses based on collected NS information, ISP affiliations, subdomain structures, and path patterns have identified the NS URLs commonly used for each phishing category. We propose a preventive strategy that leverages the daily NS domain records collected by Cyber Spider and applies predefined subdomain and path pattern combinations to proactively block future phishing attacks and establish reliable predictive indicators for enhanced cybersecurity.
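As an added illustration, not the authors' code or data, the following Python heuristic scores a URL on the four indicators the abstract correlates: a registered typosquat of a legitimate keyword, a watched TLD, and a predefined subdomain and path pattern. All keywords, TLDs, patterns and sample URLs are constructed placeholders, and the typosquat test (edit distance of at most 2, or a keyword with extra characters appended) is an assumption about how RT-DGA names relate to their targets.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders, not the paper's data: brand keywords an RT-DGA would
# mutate, TLDs with concentrated registrations, and stand-ins for the
# "predefined subdomain and path pattern combinations" the abstract proposes.
LEGIT_KEYWORDS = ("examplebank", "examplepost", "examplegov")
WATCHED_TLDS = {"top", "xyz", "site"}
SUBDOMAIN_RE = re.compile(r"^(?:m|app|down)\d{0,3}$")
PATH_RE = re.compile(r"^/(?:app|down|apk)/[A-Za-z0-9]{4,12}\.apk$")

def levenshtein(a, b):
    # Standard edit distance, used to catch one- or two-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_keyword(sld):
    # Near miss of a legitimate keyword, or the keyword with extra characters bolted on.
    for kw in LEGIT_KEYWORDS:
        if sld != kw and (levenshtein(sld, kw) <= 2 or kw in sld):
            return kw
    return None

def rt_dga_signals(url):
    # Returns the independent indicators the abstract correlates for one URL.
    p = urlparse(url)
    labels = (p.hostname or "").lower().split(".")
    if len(labels) < 2:
        return []  # bare label or empty host: nothing to score
    sub, sld, tld = ".".join(labels[:-2]), labels[-2], labels[-1]  # naive split, no PSL
    signals = []
    kw = typosquat_keyword(sld)
    if kw:
        signals.append("typosquat:" + kw)
    if tld in WATCHED_TLDS:
        signals.append("tld:" + tld)
    if SUBDOMAIN_RE.match(sub):
        signals.append("subdomain_pattern")
    if PATH_RE.match(p.path):
        signals.append("path_pattern")
    return signals

def is_rt_dga_candidate(url):
    # Typosquat is mandatory (it distinguishes RT-DGA from plain DGA); two structural signals corroborate.
    s = rt_dga_signals(url)
    return any(x.startswith("typosquat:") for x in s) and len(s) >= 3
```

Run against the daily NS domain records, a hit on the typosquat plus the structural patterns is what the proposed strategy would block ahead of a campaign; the pattern lists would be replaced by those mined from real data.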


Kyung Rae Noh

Kyung Rae Noh received his Master's degree in big data from Sungkyunkwan University and currently works as a cybersecurity analyst on the Digital Incident Detection Team at the Korea Internet & Security Agency (KISA, KrCERT/CC). He has been instrumental in developing and operating detection systems designed to uncover and mitigate hidden malicious activities (malware distribution, phishing, and web defacements) embedded within South Korea's websites, significantly contributing to preventing the spread of web-based cyber threats nationwide. His current research focuses on analysing phishing, smishing, and malicious-app distribution domains collected through the Cyber Spider project, aiming to predict and detect malicious domains proactively.


Shinho Lee

Shinho Lee is a Ph.D. student in the Department of Information Security at Gachon University. Over the past ten years, he has conducted research related to information security, such as attack group tracking, malware-related group analysis, malware similarity research, and network traffic packet analysis. Currently, he is interested in the prediction and detection of malicious attacks.


Eui-Tak Kim

Professor Eui-Tak Kim received his Ph.D. in computer engineering from Chungbuk National University in South Korea, with a dissertation on the development of an efficient anti-virus system in cloud environments. He served as the Head of Research at two of South Korea's three major computer antivirus companies: Hauri Inc. and ESTsecurity Corp. During his tenure, he contributed to the advancement of endpoint cybersecurity in Korea by leading the development of technologies such as malware detection, anti-virus systems, threat intelligence platforms, and secure operating systems. Currently, his research focuses on utilizing artificial intelligence and various cybersecurity technologies to detect malware and hidden malicious websites on the web.


Yujin Shim

Yujin Shim has a Master's degree in network security from Hanyang University in South Korea. He joined KISA (Korea Internet & Security Agency) in 2016 and has been working as a researcher since then. He has experience in developing various malware detection systems and is currently responsible for the development and operation of the Cyber Spider project.


Jonghwa Han

Jonghwa Han is a researcher at the Korea Internet & Security Agency (KISA). At KrCERT/CC, he has contributed to cyber incident detection and response, including the design, development, and operation of Cyber Spider's data lake, analytics platform, and large-scale honeynet systems. He has also analysed diverse incident datasets and CVE vulnerabilities. He is currently with KRNIC, the National Internet Registry (NIR) of Korea, where he is involved in planning and executing initiatives to ensure the security of Internet address resources.


Jung-Sik Cho

Jung-Sik Cho received a Ph.D. in information security engineering from Chung-Ang University in Korea and currently serves as the Head of the Digital Incident Detection Team at KrCERT/CC, Korea Internet & Security Agency (KISA), and is leading various projects aimed at detecting and responding to cyber attacks.
