
A North Korean nation-state group known for its crypto heists has been blamed for a new wave of malicious email attacks in a ‘sprawling’ credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.
The state-aligned threat actor is tracked by Proofpoint as TA444 and by the wider cybersecurity community as APT38, BlueNoroff, Copernicium and Stardust Chollima.
TA444 “uses a wider variety of delivery methods and payloads alongside blockchain-related decoys, fake job opportunities at high-profile companies, and salary adjustments to trick victims,” the security company said in a report shared with The Hacker News.
The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom, as opposed to spying and stealing data.
To this end, the attacks use phishing emails, usually tailored to the interests of the victim, which carry malware-laden attachments such as LNK files and ISO optical disc images to trigger the infection chain.
Other tactics include using fake and compromised LinkedIn accounts belonging to legitimate business executives to approach and interact with targets before providing booby-trapped links.
However, more recent campaigns in early December 2022 witnessed a “significant deviation”, in which phishing messages tricked recipients into clicking on a URL that redirected to a credential harvesting page.
The email blast, which abused email marketing tools like SendGrid to distribute the phishing links, targeted multiple verticals in addition to the financial sector, including education, government and healthcare in the United States and Canada.
Aside from experimentation, TA444 has also been observed extending the functionality of CageyChameleon (aka CabbageRAT) to further facilitate victim profiling, while maintaining a large arsenal of post-exploitation tools to aid theft.
It’s not immediately clear what prompted TA444 to diversify its repertoire of attacks, though one suspects it could be a black-and-white effort undertaken to pivot beyond its traditional targets. Alternatively, Proofpoint suggests the possibility of another threat actor hijacking TA444’s infrastructure.
“In 2022, TA444 took its focus on cryptocurrencies to a new level and began to emulate the cybercrime ecosystem by testing a variety of infection chains to help expand its revenue streams,” said the company.
The findings come as the US Federal Bureau of Investigation (FBI) accused the BlueNoroff actors of stealing $100 million in cryptocurrency from Harmony Horizon Bridge in June 2022.
“With a startup mindset and a passion for cryptocurrency, TA444 is spearheading North Korean cash flow generation for the regime by bringing in washable funds,” said Proofpoint’s Greg Lesnewich. “This threat actor is quick to imagine new methods of attack while embracing social media as part of their [modus operandi].”
The group “remains committed to its efforts to use cryptocurrency as a means of providing usable funds to the regime,” Lesnewich added.