Today, a new report from Proofpoint Inc. details a resurgent state-sponsored North Korean threat actor that is actively targeting cryptocurrency holders and exchanges with new methods.
The group, called TA444, has been active since at least 2017 and focused on cryptocurrency in 2022. It overlaps with the public activities of APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and COPERNICIUM, and is believed to be tasked with transferring funds to North Korea or its overseas workers.
North Korean hacking groups are nothing new, but what makes TA444 interesting is that the group uses a wider variety of delivery methods and payloads than previously seen. The group also uses blockchain-related lures, fake job opportunities at reputable companies, and salary adjustments to trap victims.
When TA444 first turned its attention to blockchain and cryptocurrency, it used two attack vectors for initial access: an LNK-based delivery chain and a chain that begins with documents that load remote templates. These campaigns were commonly called DangerousPassword, CryptoCore, or SnatchCrypto.
More recently, TA444 has continued to use both methods but has diversified into other initial-access methods. Although it had not used them in previous campaigns, TA444 began using macros in the fall, apparently in an attempt to find additional file types to carry its payloads.
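The remote-template chain mentioned above works because a .docx is a zip archive whose `word/_rels/settings.xml.rels` can declare an `attachedTemplate` relationship with `TargetMode="External"`, which Word resolves and fetches when the document opens. The following is an added example, not code from the Proofpoint report or this article, showing how a defender can statically flag such documents without opening them. The sample documents and the template URL are constructed in memory here and are placeholders, so the script runs offline.

```python
"""Added example (not from the Proofpoint report or the article): flag Office
documents that pull a remote template, one of the TA444 initial-access chains
named above. The check reads word/_rels/settings.xml.rels and reports every
attachedTemplate relationship whose TargetMode is External. Sample .docx
files are built in memory so this runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the external template targets this document would load on open."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships at all: nothing to fetch
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            is_template = rel.get("Type") == ATTACHED_TEMPLATE
            is_external = rel.get("TargetMode", "Internal") == "External"
            if is_template and is_external:
                hits.append(rel.get("Target", ""))
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx skeleton, optionally wired to an external template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        if template_target is not None:
            zf.writestr(SETTINGS_RELS, f'''<?xml version="1.0"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
                Target="{template_target}" TargetMode="External"/>
</Relationships>''')
    return buf.getvalue()


# Constructed samples: a benign document and one pointing at a placeholder template host.
BENIGN = build_docx(None)
SUSPECT = build_docx("http://template-server.example/job-offer.dotm")

if __name__ == "__main__":
    for name, doc in (("benign.docx", BENIGN), ("suspect.docx", SUSPECT)):
        urls = remote_templates(doc)
        print(f"{name}: {'REMOTE TEMPLATE ' + ', '.join(urls) if urls else 'clean'}")
```

Word also marks local template paths (for example a `file:///` path on the user's machine) as `External`, so in production you would usually triage by URL scheme or host rather than treat every hit as malicious; the point of the check is that a document arriving by mail has no business fetching its template from anywhere.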
While jokingly suggesting that TA444 may have held a hackathon to develop new hacking ideas, the researchers also note that just as surprising as the difference in delivery methods is the lack of consistent payloads at the end of the delivery chains.
Traditionally, when financially motivated threat actors experiment with delivery methods, as TA444 appears to be doing, they usually deliver consistent payloads. That is not the case with TA444, which uses different payloads, suggesting that it has an in-house or even a dedicated development team designing new forms of malware.
“With a startup mentality and a passion for cryptocurrency, TA444 is spearheading North Korea’s cash flow generation for the regime, bringing in launderable funds,” Greg Lesnewich, senior threat researcher at Proofpoint, told SiliconANGLE. “This threat actor is rapidly brainstorming new attack methods while embracing social media as part of their MO.”
Lesnewich warns that TA444 has “taken its focus on cryptocurrencies to a new level and mimicked the cybercrime ecosystem, experimenting with various infection chains to help expand its revenue streams.”