North Korean Hacker | Breaking Cybersecurity News | The Hacker News

The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed  ObjCShellz . Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year. "Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering," security researcher Ferdous Saljooki said in a report shared with The Hacker News. BlueNoroff, also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous  Lazarus Group  that specializes in financial crime, targeting banks and the crypto sector as a way to  evade sanctions  and  generate illicit profits  for the regime. The development arrives days after Elastic Security Labs disclosed the Lazarus Group's...

The U.S. government has  announced  the seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illicit scheme to defraud businesses across the world, evade sanctions, and fund the country's ballistic missile program. The Department of Justice (DoJ) said the U.S. confiscated approximately $1.5 million of the revenue that these IT workers collected from unwitting victims using the deceptive scheme in October 2022 and January 2023. It also called out North Korea for flooding the "global marketplace with ill-intentioned information technology workers." Court documents allege that the dispatched workers primarily live in China and Russia with an aim to deceive companies in the U.S. and elsewhere into hiring them under fake identities, and ultimately generating "millions of dollars a year" in illicit revenues. The development comes amid  continued   warnings  from the U.S. about North Korea's reliance on its army ...

The North Korea-linked  Lazarus Group  has been linked to a cyber espionage attack targeting an unnamed aerospace company in Spain in which employees of the firm were approached by the threat actor posing as a recruiter for Meta. "Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding challenge or quiz," ESET security researcher Peter Kálnai  said  in a technical report shared with The Hacker News. The attack is part of a long-standing spear-phishing campaign called  Operation Dream Job  that's orchestrated by the hacking crew in an attempt to lure employees working at prospective targets that are of strategic interest, enticing them with lucrative job opportunities to activate the infection chain. Earlier this March, the Slovak cybersecurity company detailed an attack wave aimed at Linux users that involved the use of bogus HSBC job offers to ...

The North Korea-affiliated Lazarus Group has stolen nearly $240 million in cryptocurrency since June 2023, marking a significant escalation of its hacks. According to multiple reports from  Certik ,  Elliptic , and  ZachXBT , the infamous hacking group is said to be suspected behind the theft of $31 million in digital assets from the  CoinEx exchange  on September 12, 2023. The crypto heist aimed at CoinEx  adds  to a  string of recent attacks  targeting Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million). "Some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from Stake.com, albeit on a different blockchain," Elliptic said. "Following this, the funds were bridged to Ethereum, using a bridge previously used by Lazarus, and then sent back to an address known to be controlled by the CoinEx hacker." The blockchain anal...

A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called  SuperBear . The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs  said  in a new report. The LNK file, upon execution, launches a PowerShell command to execute a Visual Basic script that, in turn, fetches the next-stage payloads from a legitimate but compromised WordPress website. This includes the Autoit3.exe binary ("solmir.pdb") and an AutoIt script ("solmir_1.pdb") that's launched using the former. The AutoIt script, for its part, performs process injection using a  process hollowing technique , in which malicious code is inserted into a process that's in a suspended state. In this case, an instance of Explorer.exe is spawned to inject a never-before-seen RAT referred...

Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called  VMConnect , with signs pointing to the involvement of North Korean state-sponsored threat actors. The  findings  come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype,  VMConnect  refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically ...

The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called such as  QuiteRAT . Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a  two-part   analysis  published today. What's more, a closer examination of the adversary's recycled attack infrastructure used in its cyber assaults on enterprises has led to the discovery of a new threat dubbed  CollectionRAT . The fact that the Lazarus Group continues to rely on the same tradecraft despite those components being well-documented over the years underscores the threat actor's confidence in their operations, Talos pointed out. QuiteRAT is said to be a successor to  MagicRAT , itself a follow-up to TigerRAT, while CollectionRAT appears to share overlaps with  Early...

The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules. Software supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave  uncovered in June , which has since been  linked to North Korean threat actors . As many as nine packages have been identified as uploaded to npm between August 9 and 12, 2023. This includes: ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. "Due to the sophisticated nature of the attack and the small number of affected packages, we suspect this is another highly targeted attack, likely with a social engineering aspect involved in order to get targets to install these packages," the company  said . The attack chain commences with the package.json file ...

Two different North Korean nation-state actors have been linked to a cyber intrusion against NPO Mashinostroyeniya, a major Russian missile engineering company. Cybersecurity firm SentinelOne  said  it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed OpenCarrot. The breach of the Linux email server has been attributed to  ScarCruft . OpenCarrot, on the other hand, is a known implant  previously identified  as used by the Lazarus Group. The attacks were flagged in mid-May 2022. A rocket design bureau based in Reutov, NPO Mashinostroyeniya was  sanctioned  by the U.S. Treasury Department in July 2014 in  connection  to "Russia's continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea." While both ScarCruft (aka APT37) and the Lazarus Group are affiliated to North...

The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation. "Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today. The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors. Kimsuky, active since 2012, has exhibited targeting patterns that align with North Korea's operational mandates and priorities. The intelligence collection missions have involved the use of a diverse set of malware, including another reconnaissance program called ReconShark , as detailed by SentinelOne earlier this month. The latest activity ...

The North Korean threat actor known as  ScarCruft  started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft  began blocking macros  across Office documents by default. "RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains," Check Point  said  in a new technical report. "This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources." ScarCruft , also known by the names APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver an array of custom tools. The adversarial collective, unlik...

Lazarus, the prolific North Korean hacking group behind the cascading  supply chain attack targeting 3CX , also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application. The new findings, which come courtesy of  Symantec's Threat Hunter Team , confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed. Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022. "The impact from these infections is unknown at this time – more investigation is required and is on-going," Chien said, adding it's possible that there's "likely more to this story and possibly even other packages that are trojanized." The development comes as Ma...

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is  tracking  the attack event under the moniker  UNC4736 ,  said  the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack." The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it  emerged  that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer. "The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CI...

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as  Kimsuky  using rogue browser extensions to steal users' Gmail inboxes. The  joint advisory   comes  from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service (NIS). The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted. Kimsuky , also known Black Banshee, Thallium, and Velvet Chollima, refers to a  subordinate element  within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests." Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military...

Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack. "This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the Oslo-based crime-fighting unit  said  in a statement. The development comes more than 10 months after the U.S. Treasury Department  implicated  the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge. Then in September 2022, the U.S. government  announced  the recovery of more than $30 million worth of cryptocurrency, representing 10% of the stolen funds. Økokrim said it worked with international law enforcement partners to pursue and piece together the money trail, thereby making it more difficult for criminal actors to carry out money laundering activities. "Th...

Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware  RambleOn . The malicious functionalities include the "ability to read and leak target's contact list, SMS, voice call content, location and others from the time of compromise on the target," Interlab threat researcher Ovi Liber  said  in a report published this week. The spyware camouflages as a secure chat app called Fizzle ( ch.seme ), but in reality, acts as a conduit to deliver a next-stage payload hosted on pCloud and Yandex. The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic. The primary purpose of RambleOn is to function as a loader for another APK file ( com.data.WeCoin ) while ...