Jan 25, 2023 | Ravie Lakshmanan | Cryptocurrency / Malware
A new wave of malicious email attacks has been attributed to a North Korean nation-state group notorious for crypto heists, as part of a “sprawling” credential harvesting campaign targeting a number of industry verticals, marking a significant shift in its strategy.
The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima.
TA444 is “utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims,” the enterprise security firm said in a report shared with The Hacker News.
The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom.
To that end, the attacks employ phishing emails, typically tailored to the victim’s interests, that are laden with malware-laced attachments such as LNK files and ISO optical disk images to trigger the infection chain.
More recent campaigns in early December 2022, however, have witnessed a “significant deviation,” wherein the phishing messages prompted the recipients to click on a URL that redirected to a credential harvesting page.
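The two delivery patterns described above (malware-laced LNK or ISO attachments, and a lure message whose only payload is a link to a credential-harvesting page) map naturally onto a mail-gateway triage rule. The following is an added example, not code from Proofpoint's report or from this article; the lure regexes, the credential-page path words, the scoring weights and the sample messages are all constructed assumptions for illustration.

```python
"""Triage heuristic for the two delivery patterns the article describes:
dropper attachments (LNK, ISO, possibly nested in an archive) and lure emails
that carry only a link to a sign-in style page on a third-party host.
Added example; all patterns, weights and sample messages are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Attachment types the article names as TA444 droppers.
DROPPER_EXTS = {".lnk", ".iso"}
# Archives are checked one level deep; nested members are written "outer.zip/inner.lnk".
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Lure themes named in the article (job offers, salary changes, blockchain); regexes are assumed.
LURE_PATTERNS = {
    "job_lure": re.compile(r"\b(job|position|opportunit\w*)\b", re.I),
    "salary_lure": re.compile(r"\bsalary\b", re.I),
    "crypto_lure": re.compile(r"\b(blockchain|crypto\w*|token|wallet)\b", re.I),
}
# Path words typical of credential-harvesting pages (assumption, not from the report).
CRED_PATH = re.compile(r"(login|signin|verify|sso|auth)", re.I)


@dataclass
class Message:
    subject: str
    sender_domain: str
    attachments: list  # attachment names, e.g. "offer.zip/Offer_Letter.lnk"
    urls: list


def attachment_findings(names):
    """Reasons for every attachment whose innermost extension is a dropper type."""
    reasons = []
    for name in names:
        parts = name.lower().split("/")
        inner = parts[-1]
        ext = "." + inner.rsplit(".", 1)[-1] if "." in inner else ""
        if ext in DROPPER_EXTS:
            nested = len(parts) > 1 and any(p.endswith(ARCHIVE_EXTS) for p in parts[:-1])
            reasons.append(f"dropper attachment {name}" + (" inside archive" if nested else ""))
    return reasons


def lure_findings(subject):
    """Names of lure themes present in the subject line."""
    return [key for key, pat in LURE_PATTERNS.items() if pat.search(subject)]


def url_findings(urls, sender_domain):
    """Flag sign-in style links on hosts outside the sender's own domain."""
    reasons = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        external = not (host == sender_domain or host.endswith("." + sender_domain))
        if external and CRED_PATH.search(parsed.path):
            reasons.append(f"external credential-style link {host}{parsed.path}")
    return reasons


def triage(msg):
    """Combine the three checks into a score and a verdict (thresholds are assumed)."""
    reasons = attachment_findings(msg.attachments)
    lures = lure_findings(msg.subject)
    reasons += [f"lure theme: {lure}" for lure in lures]
    reasons += url_findings(msg.urls, msg.sender_domain)
    score = 0
    if any(r.startswith("dropper") for r in reasons):
        score += 60
    if any(r.startswith("external") for r in reasons):
        score += 40 if lures else 20  # a lure plus a harvesting link is the Dec-2022 pattern
    score += 10 * len(lures)
    verdict = "block" if score >= 50 else "review" if score >= 20 else "allow"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample messages (domains are reserved .test names, not real senders).
SAMPLES = [
    Message("Re: Job opportunity - compensation package", "careers-example.test",
            ["offer.zip/Offer_Letter.lnk"], []),
    Message("Salary adjustment notice", "hr-notice.test",
            [], ["https://portal-example.test/sso/login"]),
    Message("Weekly team sync", "corp.test",
            ["agenda.pdf"], ["https://wiki.corp.test/page"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.subject, "->", triage(sample))
```

The first sample is scored as the attachment-based chain (a LNK inside a ZIP plus a job lure), the second as the link-only credential-harvesting variant (a salary lure with a sign-in style link on a foreign host), and the third as ordinary internal mail; in production the subject-only lure check would be extended to the body and the sender-domain comparison would account for lookalike domains.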
The email blast targeted several verticals besides the financial sector, including education, government, and healthcare,