A new report from Proofpoint Inc. today details a revamped state-sponsored North Korean threat actor that has been actively targeting cryptocurrency holders and exchanges using new methodologies.
Dubbed TA444, the group has been active since at least 2017 and in 2022 turned its attention to cryptocurrency. It has overlaps with public activity from groups that include APT38, Bluenoroff, BlackAlicanto, Stardust Chollima and COPERNICIUM, and it’s believed to be tasked with funneling funds to North Korea or its handlers abroad.
North Korean hacking groups are not new, but what makes TA444 interesting is that the group uses a wider variety of delivery methods and payloads than previously seen. The group also uses blockchain-related lures, fake job opportunities at prestigious firms and salary adjustments to trap victims.
When first spotted taking an interest in blockchain and cryptocurrency, TA444 used two attack vectors for initial access: an LNK-oriented delivery chain and a chain beginning with documents using remote templates. The campaigns were typically referred to as DangerousPassword, CryptoCore or SnatchCrypto.
More recently, TA444 has continued to use both methods but has diversified into other methods for initial access. Despite not having used them in previous campaigns, TA444 started using macros in the fall, attempting to find additional file types to stuff its payloads into.
While jokingly suggesting that TA444 may have held a hackathon to develop new hacking ideas, the researchers also note that as equally surprising as the variance in delivery methods is a lack of consistent payload at the end of delivery chains.
Traditionally, when financially oriented threat actors test delivery methods, which is what TA444 appears to be doing, they usually deliver consistent payloads. However, this is not the case with TA444, which uses different payloads, suggesting that it has an embedded, or even a devoted development team designing new forms of malware.
“With a startup mentality and a passion for cryptocurrency, TA444 spearheads North Korea’s cashflow generation for the regime by bringing in launderable funds,” Greg Lesnewich, senior threat researcher at Proofpoint, told SiliconANGLE. “This threat actor rapidly ideates new attack methods while embracing social media as part of their MO.”
Lesnewich warns that TA444 has taken “its focus on cryptocurrencies to a new level and has taken to mimicking the cybercrime ecosystem by testing a variety of infection chains to help expand its revenue streams.”