A torrent of spam unleashed last December in a bid to harvest the credentials of U.S. and Canadian financial workers was an attempt by a North Korean for-profit hacking group to diversify its revenue stream.
Researchers at Proofpoint say the group they track as TA444 that month nearly doubled the total volume of spam sent over the previous 11 months – evidence of a hacking group that mirrors “startup culture in its devotion to the dollar and to the grind.”
TA444 overlaps with other Pyongyang hacking groups known as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima and Copernicium.
North Korea is the rare country whose state-sponsored hackers attack for their country’s financial gain. As recently as Tuesday, the U.S. FBI attributed a $100 million theft from cryptocurrency bridge Horizon to North Korean hackers.
The United Nations in 2019 estimated that cryptocurrency and online bank heists have enabled Pyongyang to also invest $2 billion in its development of nuclear weapons and intercontinental ballistic missiles (see: North Korean Hacking Funds WMD Programs, UN Report Warns).
Proofpoint says it can’t rule out the possibility that TA444’s burst of activity is evidence of moonlighting. If that is the case, security researchers should expect to detect tool and infrastructure reuse as well as “continued deviation of targeting away from major cryptocurrency and financial institutions.”
Greg Lesnewich, senior threat researcher at Proofpoint, said TA444 shows the ability to test products on the fly.
The threat actor uses phishing emails for initial access, usually sent with well-crafted lure content that includes analysis of cryptocurrency blockchains, job opportunities at prestigious firms and even salary adjustments.
The phishing emails deliver payloads in two file formats – an obfuscated LNK file and a chain beginning with documents that use remote templates. TA444 continues to use both methods but now also uses other file types, such as MSI installer files, virtual hard drive and ISO images used to bypass Windows Mark of the Web, and compiled HTML files.
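As an added defender-side example that is not from the article or from Proofpoint, the triage function below classifies a mail attachment by its magic bytes rather than its filename, so a renamed LNK, MSI, ISO, VHD or CHM container is still flagged; the file signatures are standard format facts, and the sample attachments are constructed for the demo.

```python
"""Attachment triage for the container types listed above (LNK, MSI/OLE, VHD, ISO, CHM)."""

SIGNATURES = {
    # Shell link header: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
    "lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # MSI and legacy Office files are OLE compound files
    "chm": b"ITSF",
    "vhdx": b"vhdxfile",
}
# Disk images: files extracted or mounted from these do not carry the Mark of the Web
MOTW_CONTAINERS = {"iso", "vhd", "vhdx"}
EXPECTED_EXT = {
    "lnk": {"lnk"}, "ole": {"msi", "doc", "xls", "ppt"}, "chm": {"chm"},
    "iso": {"iso", "img"}, "vhd": {"vhd"}, "vhdx": {"vhdx"},
}

def classify(data: bytes) -> str:
    """Return the container type detected from file content, or 'unknown'."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 primary volume descriptor at sector 16
        return "iso"
    # VHD footer cookie: at the end of a fixed image, and mirrored at offset 0 in dynamic images
    if data.startswith(b"conectix") or data[-512:-504] == b"conectix":
        return "vhd"
    return "unknown"

def triage(filename: str, data: bytes) -> dict:
    """Flag attachments whose content is a container or whose extension lies about it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify(data)
    findings = []
    if kind in MOTW_CONTAINERS:
        findings.append("container-may-strip-motw")
    if kind == "lnk":
        findings.append("shortcut-file")
    if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        findings.append("extension-mismatch")
    return {"filename": filename, "detected": kind, "findings": findings}

# Constructed sample attachments (not real malware): headers padded to plausible sizes
SAMPLES = {
    "salary_adjustment.pdf.lnk": SIGNATURES["lnk"] + b"\x00" * 64,
    "invoice.pdf": b"\x00" * 0x8001 + b"CD001" + b"\x00" * 2048,        # ISO renamed to .pdf
    "disk.vhd": b"\x00" * 1024 + b"conectix" + b"\x00" * 504,            # fixed VHD footer
    "setup.msi": SIGNATURES["ole"] + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```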
The threat actor also uses social networking platforms like LinkedIn to engage with victims before delivering malicious links in a bid to improve its hit ratio. The actor has a demonstrated understanding of English, Spanish, Polish, and Japanese.
Stealing cryptocurrency is the primary motive of the threat actor, but security researchers also observed “an impressive set” of post-exploitation backdoors.
Researchers call TA444 a “capable adversary” since it stole nearly $400 million worth of cryptocurrency and digital assets in 2021 and easily surpassed that figure in a single heist last year, closing the year with more than $1 billion stolen.