DPRK harvests credentials from foreign government agencies at scale

A North Korean state-sponsored group notorious for its cryptocurrency heists has been linked to a new wave of malicious e-mail campaigns.

The TA444 group (also known as APT38, Bluenoroff, Copernicium and Stardust Chollima) uses a wide range of malware delivery methods. Its arsenal includes blockchain-themed lures, fake job offers at prestigious firms, quick-money schemes and the like.

TA444 attacks also frequently rely on phishing e-mails tailored to the victim's interests. As usual, they carry files that look harmless at first glance, such as .LNK shortcut files or .ISO optical-disc images, which in fact contain disguised malicious software.
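The attachment types named above are the kind a mail gateway or SOC analyst would want to triage automatically. The following is an added example (not code from the article or from Proofpoint): it parses a constructed, hypothetical gateway log format, flags .LNK and disc-image attachments, and separately calls out the "double extension" trick (for example `Offer_Letter.pdf.lnk`) that makes a shortcut look like a document. The log lines, sender addresses and the log format itself are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Attachment types described in the article: Windows shortcuts (.lnk) and
# optical-disc images (.iso). Other mountable images are included because
# files extracted from them may not carry Mark-of-the-Web.
RISKY_EXTENSIONS = {".lnk", ".iso", ".img", ".vhd", ".vhdx"}
# Benign-looking extensions attackers place before the real one ("report.pdf.lnk").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Constructed (hypothetical, not any vendor's) gateway log format:
#   <timestamp> from=<addr> to=<addr> subject="<text>" attachments=<name1>;<name2>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subject="(?P<subject>[^"]*)"'
    r'(?: attachments=(?P<attachments>\S*))?$'
)


@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    attachment: str
    reason: str


def _extensions(name: str) -> List[str]:
    """All dot-suffixes of a filename, lowercased: 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(name: str) -> Optional[str]:
    """Return a reason string if the attachment looks like a disguised payload carrier."""
    exts = _extensions(name)
    if not exts:
        return None
    last = exts[-1]
    if last in RISKY_EXTENSIONS:
        # A decoy document extension directly before .lnk/.iso is the classic disguise.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return f"double extension {exts[-2]}{last}"
        return f"risky container/shortcut type {last}"
    return None


def triage_mail_log(lines: List[str]) -> List[Finding]:
    """Parse gateway log lines and flag messages carrying .lnk/.iso style attachments."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("attachments"):
            continue
        for att in m.group("attachments").split(";"):
            reason = classify_attachment(att)
            if reason:
                findings.append(
                    Finding(m.group("ts"), m.group("from"), m.group("to"), att, reason)
                )
    return findings


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '2023-12-04T09:12:03Z from=hr@example-recruiter.test to=alice@agency.example subject="Job offer" attachments=Offer_Letter.pdf.lnk',
    '2023-12-04T09:15:44Z from=news@example-blockchain.test to=bob@agency.example subject="Token report" attachments=Q4_Report.iso;notes.txt',
    '2023-12-04T09:20:10Z from=colleague@agency.example to=carol@agency.example subject="Minutes" attachments=minutes.docx',
    '2023-12-04T09:25:00Z from=noreply@example.test to=dave@agency.example subject="Hello"',
]

if __name__ == "__main__":
    for f in triage_mail_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.sender} -> {f.recipient}: {f.attachment} ({f.reason})")
```

Run as-is it reports the two suspicious messages and stays silent on the ordinary .docx and the attachment-less mail; in practice the same classifier would be fed from the real gateway's export rather than the constructed lines here.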

Among TA444's other tactics is the use of compromised LinkedIn accounts belonging to legitimate company executives to make contact with targets and distribute trap links.

In the group's later campaigns, in December last year, the attack vector changed considerably. TA444 distributed phishing messages urging recipients to follow a URL that redirected them to a login page (the "credential harvesting" method).

The December mailings primarily targeted government institutions in the United States and Canada. TA444 apparently plans to use the harvested credentials in a new wave of attacks.

North Korea is increasingly involved in cybercrime tied to cryptocurrency and in attacks on government structures in various countries. Recall that in June last year the FBI accused the North Korean groups Lazarus and Bluenoroff (that is, TA444) of stealing $100 million in cryptocurrency from the Harmony Horizon Bridge. And in October, international investigators voiced concern that cryptocurrency stolen by DPRK hackers is being used to finance nuclear weapons.

Greg Lesnevich of Proofpoint said: "With its start-up mentality and passion for cryptocurrency, TA444 leads the generation of North Korea's cash flow, bringing in funds that can be laundered." "These attackers quickly come up with new attack methods, using social networks as part of their modus operandi," Lesnevich added.

Based on the media reports cited above.