Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

North Korean APT Expands Its Attack Repertoire

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by other hackers.

North Korean hacking

The advanced persistent threat (APT) tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated (that is, has had its infrastructure abused by other hackers). 

TA444 is a North Korean state-sponsored threat group tracked by Proofpoint as actively targeting cryptocurrencies since at least 2017. It has overlaps with other DPRK groups such as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and Copernicum – but not enough in Proofpoint’s telemetry to be specifically tied to any one of these.

For example, Mandiant has described activity known as CryptoCore and Dangerous Password as a “likely subgroup of APT38”. Proofpoint adds SnatchCrypto, and defines all three as campaigns operated by TA444. If both sets of researchers are correct, it may be that TA444 is a subgroup of APT38. Nevertheless, the overlapping nature of differently named DPRK groups makes it difficult to delineate them clearly, and many people still refer to the umbrella name of Lazarus.

In its first publicly available report on the TA444 group, Proofpoint notes that like other DPRK groups, it is likely tasked with stealing currency to offset sanctions against the state. Around 2017 it began to focus on stealing cryptocurrency. “TA444 had two main avenues of initial access,” notes the report: “an LNK-oriented delivery chain and a chain beginning with documents using remote templates.”

In 2022, however, while continuing to use these methods, it increased its usage of macros for malware delivery. Usually, when threat actors experiment with new delivery mechanisms, they continue to use their existing payloads. Not so with TA444 in 2022. “This suggests,” say the researchers, “that there is an embedded, or at least a devoted, malware development element alongside TA444 operators.”

In early December 2022, the researchers observed a new approach from TA444 – a relatively basic credential harvesting phishing campaign. A TA444 C2 domain began distributing OneDrive phishing emails “rife with typos” to targets in the US and Canada. The infrastructure used suggests it was TA444; the campaign suggests otherwise.

The researchers offer three possibilities: it could be TA444 simply expanding its repertoire; the group could be moonlighting from its primary purpose of sidestepping North Korea’s sanctions; or a different threat actor could have hijacked TA444’s infrastructure.

Whatever the reason, the phishing campaign in December nearly doubled the total volume of TA444 emails observed by Proofpoint for the whole of 2022. Emails were sent to Admin at the target domain. The From entry was “admin[@]sharedrive[.]ink – and the subject was ‘linvoice’ (that is, Invoice starting with a lowercase L rather than uppercase I).

Advertisement. Scroll to continue reading.
Graphical user interface

Description automatically generated
New style phishing email from TA444

The lure entices the target to click on a SendGrid URL, which redirects to the attackers’ credential harvesting page, which in turn uses common phishing tactics such as loading the victim’s iconography via the logo-rendering service ClearBit.

Proofpoint has ‘moderate to moderately high’ confidence that the campaign is operated by TA444, based on the exclusivity of TA444’s infrastructure. “The emails also had valid DMARC and SPF records, indicating that the sender has control of that domain,” add the researchers.

Related: FBI Confirms North Korean Hackers Behind $100M Horizon Bridge Heist

Related: Lazarus Group Targets South Korea via Supply Chain Attack

Related: North Korea APT Lazarus Targeting Chemical Sector

Related: North Korea’s Lazarus Targets Energy Firms With Three RATs

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.