Kaspersky: North Korean hackers mimic crypto VCs in new phishing scheme
Kaspersky, a cybersecurity lab, is raising the alarm over renewed phishing tactics by the BlueNoroff group. The hackers are sponsored by North Korea, which is financially motivated to profit from cyber-attacks against financial firms, including crypto entities.
BlueNoroff has created over 70 fake domains that imitate venture capital firms and banks. Most of the imposters presented themselves as well-known Japanese companies. Still, some claimed to be from the United States and Vietnam.
The BlueNoroff group often injects malware through Word documents and shortcut files. Their latest malware can evade the Mark-of-the-Web (MOTW) flag.
The Kaspersky report revealed the BlueNoroff group is experimenting with new kinds of files and other malware distribution methods.
Once installed, the malware bypasses Windows’ MOTW security warnings about downloaded content. After that, it intercepts large cryptocurrency transfers, changing the recipient’s wallet address and raising the transfer amount to the maximum limit, draining the account in a single transaction.
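For readers unfamiliar with what the MOTW flag actually is: on NTFS, a browser that saves a download attaches an alternate data stream named `<file>:Zone.Identifier` containing a small INI section whose `ZoneId` tells Windows and Office which security zone the file came from; the download warning is shown only when that stream says Internet or Restricted. The following is an added example, not code from Kaspersky’s report, that parses a constructed `Zone.Identifier` stream so a defender can inspect the mark on a suspicious file. The `read_zone_identifier` helper only works on Windows; everything else runs anywhere.

```python
"""Parse a Windows Mark-of-the-Web (MOTW) Zone.Identifier stream.

Added example for illustration (not from Kaspersky's report). On NTFS a
downloaded file carries an alternate data stream "<file>:Zone.Identifier"
holding an INI section like:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=...
    HostUrl=...

Windows and Office consult ZoneId before showing the "this file came from
the Internet" warning; a file whose stream is missing gets no warning at all.
"""
import configparser
from typing import Optional

# URLZONE values that appear in the ZoneId field
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}

# Constructed sample streams (not real IoCs); example.invalid is a reserved name.
SAMPLE_DOWNLOAD = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://example.invalid/\n"
    "HostUrl=https://example.invalid/report.docx\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\nZoneId=1\n"


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[dict]:
    """Return the parsed mark as a dict, or None if there is no usable mark.

    None also covers the case of a missing stream, which is exactly the
    situation in which Windows suppresses its download warning.
    """
    if stream_text is None:
        return None
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone_id = int(cp.get("ZoneTransfer", "ZoneId"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, f"Unknown({zone_id})"),
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=""),
        "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=""),
    }


def is_marked_from_internet(stream_text: Optional[str]) -> bool:
    """True only when the mark says Internet (3) or RestrictedSites (4)."""
    info = parse_zone_identifier(stream_text)
    return info is not None and info["zone_id"] >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Windows-only: read the alternate data stream of a local file.

    Returns None when the file carries no Zone.Identifier stream, which is
    the state a MOTW-evading lure wants the file to be in.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as f:
            return f.read()
    except OSError:  # no such stream, or not an NTFS volume
        return None


if __name__ == "__main__":
    for label, text in (("download", SAMPLE_DOWNLOAD), ("intranet", SAMPLE_INTRANET), ("unmarked", None)):
        print(label, parse_zone_identifier(text), "warn:", is_marked_from_internet(text))
```

The practical takeaway for triage is the `None` case: an Office document or shortcut that arrived from outside the organisation but has no `Zone.Identifier` stream was either stripped of its mark or delivered in a way that never set it, and it deserves the same scrutiny as a file explicitly marked `ZoneId=3`.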
Seongsu Park, a Kaspersky researcher, noted the spike in cyber attacks going into 2023. Park stressed the need for businesses to be more secure than ever as new malicious campaigns emerge.
North Korean hackers’ pressure on security
The North Korean threat actor first hit a Bangladeshi central bank in 2016 and has been on the radar of cyber security services in the United States and other countries ever since.
The United States Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), advised all American-based cryptocurrency companies to beef up their security architecture against North Korean hackers.
A Group-IB cyber security report recently revealed that since 2017 over $882 million has been stolen from crypto exchanges by the state-sponsored Lazarus group.
The group is allegedly responsible for the $600 million Ronin Bridge exploit in March and was recently spotted using over 500 domains to attempt the theft of non-fungible tokens (NFTs).
Unfortunately, crypto exchanges are not the only casualties of these Korean hackers. The Group-IB report also revealed that over 10% of funds from initial coin offering (ICO) campaigns had been stolen since 2017.
Part of a larger operation?
Room 39 is a secretive organization within the North Korean government that is responsible for generating foreign currency from illegal sources for the country. There is evidence that it is involved in a number of illegal activities, including counterfeiting and drug trafficking, as well as other illicit ventures such as arms sales and hacking.
North Korean defectors say that it is operated from a building in the capital city of Pyongyang, and is said to be headed by members of the Kim family, who have held power in North Korea for three generations.
The exact nature and scope of Room 39’s activities are shrouded in mystery, as it operates in secret due to the illegal nature of the operations. It is likely a key source of funding for the North Korean dictatorship, and is thought to be responsible for generating hundreds of millions of dollars in dark money every year.
The organization is believed to have extensive international connections, and may export slave labor to European nations to take advantage of the higher labor costs in the EU, compared to East Asia.
North Korea has long been under US-led sanctions, which puts pressure on its access to foreign exchange reserves. By dealing with illegal, cash-based businesses, the nation is able to access liquid funds, which may be why North Korean hackers are looking for more crypto at the moment.
Another hustle for North Korea
It is impossible to know if Room 39 is behind the ongoing hacks, but North Korea is known for shady dealings that raise liquid assets. Another long-standing illicit business for North Korea is the manufacture and export of methamphetamine, which a defector from the nation claims was done under the direct orders of Kim Jong-il.
The meth is used extensively by the local population. By some estimates, as much as half of North Korea’s population uses the drug, which is also exported in large amounts. Neighboring countries like China are prime export markets, but other nations like the USA have intercepted North Korean meth shipments.
Much like the crypto hacks, illegal businesses like meth production likely enjoy North Korean state sponsorship, which makes it likely that they will continue unimpeded.