Credential Harvesting

A North Korean nation-state group notorious for crypto heists has been linked to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.

The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima.

TA444 is "utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims," the enterprise security firm said in a report shared with The Hacker News.

The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom as opposed to espionage and data theft.


To that end, the attacks employ phishing emails, typically tailored to the victim's interests, that are laden with malware-laced attachments such as LNK files and ISO optical disk images to trigger the infection chain.
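For mail-gateway or mailbox triage, the attachment types named above can be flagged by content signature rather than by file name, so a shortcut file renamed to look like a document is still caught. The sketch below is an added example, not code from the report or from Proofpoint; the function names and the sample message are constructed for illustration, and the signatures are the Shell Link header (MS-SHLLINK) and the ISO 9660 volume descriptor marker.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Shell Link (.lnk) header: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# ISO 9660: "CD001" at byte 1 of sector 16 (2048-byte sectors).
ISO_OFFSET, ISO_MAGIC = 16 * 2048 + 1, b"CD001"
RISKY_EXT = (".lnk", ".iso")

def classify(payload: bytes):
    """Return "lnk", "iso" or None from the content, ignoring the name."""
    if payload.startswith(LNK_MAGIC):
        return "lnk"
    if payload[ISO_OFFSET:ISO_OFFSET + 5] == ISO_MAGIC:
        return "iso"
    return None

def triage(raw_message: bytes) -> list:
    """Return one finding per MIME part that is, or is named like, LNK/ISO."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        detected = classify(part.get_payload(decode=True) or b"")
        ext_match = name.lower().endswith(RISKY_EXT)
        if detected or ext_match:
            findings.append({"filename": name, "detected": detected,
                             "extension_match": ext_match})
    return findings

def build_sample() -> bytes:
    """Constructed message: a renamed LNK, an ISO, and a benign file."""
    m = EmailMessage()
    m["Subject"] = "Salary adjustment (constructed sample)"
    m.set_content("See attached.")
    iso = bytearray(ISO_OFFSET + 5)
    iso[ISO_OFFSET:] = ISO_MAGIC
    for data, fname in ((LNK_MAGIC + bytes(56), "offer.pdf"),
                        (bytes(iso), "Job_Description.iso"),
                        (b"%PDF-1.7 benign", "notes.pdf")):
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A finding where `detected` is set but `extension_match` is false is the higher-signal case, since the file name disagrees with the content.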

Other tactics include the use of bogus and compromised LinkedIn accounts belonging to legitimate company executives to approach and engage with targets prior to delivering booby-trapped links.

More recent campaigns in early December 2022, however, have witnessed a "significant deviation," wherein the phishing messages prompted the recipients to click on a URL that redirected to a credential harvesting page.

The email blast, which abused email marketing tools like SendGrid to distribute the phishing links, targeted several verticals besides the financial sector, including education, government, and healthcare, in the U.S. and Canada.

The experimentation aside, TA444 has also been observed expanding the functionality of CageyChameleon (aka CabbageRAT) to further aid in victim-profiling, while also maintaining a wide arsenal of post-exploitation tools to facilitate theft.


It's not immediately clear what prompted TA444 to branch out its attack repertoire, although it's suspected that it could be a moonlighting effort undertaken to pivot beyond its traditional targets. Alternatively, Proofpoint suggests the possibility of a different threat actor hijacking TA444's infrastructure.

"In 2022, TA444 took its focus on cryptocurrencies to a new level and has taken to mimicking the cybercrime ecosystem by testing a variety of infection chains to help expand its revenue streams," the company said.

The findings come as the U.S. Federal Bureau of Investigation (FBI) accused the BlueNoroff actors of carrying out the theft of $100 million in cryptocurrency from Harmony Horizon Bridge in June 2022.

"With a startup mentality and a passion for cryptocurrency, TA444 spearheads North Korea's cash flow generation for the regime by bringing in launderable funds," Proofpoint's Greg Lesnewich said. "This threat actor rapidly ideates new attack methods while embracing social media as part of their [modus operandi]."

The group "remains engaged in its efforts to use cryptocurrency as a vehicle to provide usable funds to the regime," Lesnewich added.
