North Korea-linked TA444 group turns to credential harvesting activity

North Korea-linked TA444 group is behind a credential harvesting campaign targeting a number of industry verticals.

Proofpoint researchers reported that North Korea-linked TA444 APT group (aka APT38, BlueNoroff, Copernicium, and Stardust Chollima) is behind a credential harvesting campaign targeting a number of industry verticals.

APT38 appears to be a North Korea-linked group separate from the infamous Lazarus group, it has been active since at least 2014 and it has been observed targeting over 16 organizations across 11 countries.

According to Proofpoint the group is targeting cryptocurrencies since at least 2017. The U.S. Federal Bureau of Investigation (FBI) this week confirmed that in June 2022 the North Korea-linked Lazarus APT group and APT38 stole $100 million worth of cryptocurrency assets from the Blockchain company Harmony Horizon Bridge.

The recent activity reported by Proofpoint marks a significant shift in the strategy of the nation-state actor.

“This sprawling credential harvesting activity is a deviation from normal TA444 campaigns, which typically involve the direct deployment of malware.” reads the report published by the researchers.

The attack chain historically employed by the group mainly relied on two initial access techniques, an LNK-oriented delivery chain and a chain using weaponized documents with remote templates.

TA444 employed blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to trick victims to click on a malicious link, open a malicious attachment such as LNK files and ISO optical disk images 

To that end, the attacks employ phishing emails, typically tailored to the victim’s interests, that are laden with malware-laced attachments such as LNK files and ISO disk images.

Variants to the attack chain include the use of LinkedIn accounts to engage with victims prior to delivering malicious links.

According to the experts, the new credential harvesting campaign began in early December 2022. The threat actors used phishing messages to trick recipients into clicking a URL

“A TA444 C2 domain sent OneDrive phishing emails rife with typos to a wide variety of targets in the United States and Canada, spanning several verticals including education, government, and healthcare, in addition to financial verticals. The lure emails enticed users to click a SendGrid URL which redirected to a credential harvesting page.” continues the report. “The deviation in TA444’s targeting and volume of messages made us thoroughly analyze the campaign to both understand the activity, but also challenged our assumptions about the group.”

The TA444 group was also observed spreading an expanded version of CageyChameleon (aka CabbageRAT) to carry out victim-profiling and data exfiltration.

“TA444 and related clusters are assessed to have stolen nearly $400 million dollars’ worth of cryptocurrency and related assets in 2021. In 2022, the group surpassed that value in a single heist worth over $500 million, gathering more than $1 billion during 2022.” concludes the report. “While we do not know if the group has ping pong tables or kegs of some overrated IPA in its workspace, TA444 does mirror the startup culture in its devotion to the dollar and to the grind. “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TA444)

[adrotate banner=”5″]

[adrotate banner=”13″]