A new report from Proofpoint Inc. today details a revamped state-sponsored North Korean threat actor that has been actively targeting cryptocurrency holders and exchanges using new methodologies.
Dubbed TA444, the group has been active since at least 2017 and in 2022 turned its attention to cryptocurrency. It has overlaps with public activity from groups that include APT38, Bluenoroff, BlackAlicanto, Stardust Chollima and COPERNICIUM, and it’s believed to be tasked with funneling funds to North Korea or its handlers overseas.
North Korean hacking groups aren’t new, but what makes TA444 interesting is that the group uses a wider variety of delivery methods and payloads than previously seen. The group also uses blockchain-related lures, fake job opportunities at prestigious firms and salary adjustments to lure victims.
When first observed taking an interest in blockchain and cryptocurrency, TA444 used two attack vectors for initial access: an LNK-oriented delivery chain and a chain beginning with documents using remote templates. The campaigns were commonly known as DangerousPassword, CryptoCore or SnatchCrypto.
More recently, TA444 has continued to use both methods but has diversified into other techniques for initial access. Despite not having used them in earlier campaigns, TA444 began using macros in the fall, looking for additional file types to stuff its payloads into.
While jokingly suggesting that TA444 may have held a hackathon to develop new hacking ideas, the researchers also note that just as surprising as the variance in delivery methods is the lack of a consistent payload at the end of the delivery chains.
Traditionally, when financially oriented threat actors test delivery methods, which is what TA444 appears to be doing, they usually deliver consistent payloads. However, this isn’t the case with TA444, which uses different payloads, suggesting that it has an embedded, or perhaps even a dedicated, development team designing new forms of malware.
“With a startup mentality and a passion for cryptocurrency, TA444 spearheads North Korea’s cashflow generation for the regime by bringing in launderable funds,” Greg Lesnewich, senior threat researcher at Proofpoint, told SiliconANGLE. “This threat actor rapidly ideates new attack methods while embracing social media as part of their MO.”
Lesnewich warns that TA444 has taken “its focus on cryptocurrencies to a new level and has taken to mimicking the cybercrime ecosystem by testing a variety of infection chains to help expand its revenue streams.”