Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korean Hackers. Show all posts
OtterCookie
Infostealer Malicious Campaign malware North Korean Hackers OtterCookie

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

 

The North Korean hackers behind the ongoing Contagious Interview campaign have been observed launching a new JavaScript malware named OtterCookie. 

The campaign includes social engineering techniques, with the hacker team frequently posing as recruiters to trick job seekers into downloading malware during an interview process. This entails sharing malware-laced files via GitHub or the official package registry, paving the way for the propagation of malware like BeaverTail and InvisibleFerret. 

Palo Alto Networks Unit 42, which first detected the activity in November 2023, is tracking the cluster as CL-STA-0240. In September 2024, Singaporean cybersecurity company Group-IB disclosed the deployment of an upgraded version of BeaverTail that employs a modular approach, delegating its information-stealing capability to a collection of Python scripts known as CivetQ. 

According to the latest findings from Japanese cybersecurity company NTT Security Holdings, the JavaScript malware that launches BeaverTail is also designed to fetch and execute OtterCookie. 

The new malware is said to have been launched in September 2024, with a new variant identified in the wild last month. OtterCookie, upon running, establishes connections with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It is intended to execute shell commands that facilitate data theft, including files, clipboard items, and cryptocurrency wallet keys. 

The older OtterCookie variant discovered in September is functionally identical, but with a slight implementation difference: the cryptocurrency wallet key theft capability is directly incorporated into the malware, rather than a remote shell command. The discovery indicates that attackers are actively updating their tools while leaving the infection chain mostly intact, highlighting the campaign's efficacy. 

This comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organisation in connection with a fraudulent IT worker program engineered by North Korea to establish a regular source of funds. These funds are funnelled to North Korea, often through data theft and other illegal means. 

Kim Ryu Song, one of the 15 sanctioned individuals, was also charged by the U.S. Department of Justice (DoJ) earlier this month for allegedly participating in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organisations.
Read more »
UNC2970
Cyber Attacks Cyber-Espionage North Korean Hackers Threat Landscape UNC2970

North Korean Hackers Target Energy and Aerospace Industries in Novel Espionage Campaign

 

As per recent findings from Mandiant, companies operating in the energy and aerospace sectors are being targeted by a cyber-espionage campaign that has connections with North Korea.

The outfit behind the campaign, dubbed UNC2970, is most likely linked to North Korea and shares similarities with another Pyongyang-backed threat actor, TEMP.Hermit. Researchers at the Google-owned cybersecurity firm discovered UNC2970's latest campaign in June 2024 and published their findings on Tuesday. 

The group was initially identified in 2021, and it has since targeted victims in the United States, United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. 

According to the research, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for well-known companies. They eventually share a malware archive that claims to have a job description in PDF format.

The PDF file can only be read with a trojanized version of SumatraPDF, an actual open-source document viewer that installs a backdoor called Mistpen via the Burnbook launcher. Researchers revealed that the attackers updated the open-source code of an older version of SumatraPDF for this campaign, but that the SumatraPDF service itself was not compromised. UNC2970 uses real job description text to target victims, including those employed in critical infrastructure sectors in the United States. 

The Mistpen virus is a fork of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been upgraded over time with new features, including a network connectivity check, which complicates sample analysis, researchers noted. Although Mandiant does not name the specific victims of this attack, researchers believe the hackers are targeting senior or manager-level employees. 

"This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers stated. "The hackers also tailor their malicious messages to better align with the victim's profile."
Read more »
North Korean Hackers
American Firms Data Breach Data Theft EDR IT Sector North Korean Hackers

KnowBe4 Avoids Data Breach After Hiring North Korean Hacker


 

American cybersecurity firm KnowBe4 recently discovered that a new hire, brought on as a Principal Software Engineer, was actually a North Korean state actor. This individual attempted to install data-stealing malware on the company's devices, but the threat was identified and neutralised before any data breach occurred.

This incident is the testament to the persistent threat from North Korean operatives posing as IT professionals, a danger that the FBI has been warning about since 2023. North Korea has a well-organised network of IT workers who disguise their true identities to secure employment with American companies. The revenue generated by these infiltrators funds the country's weapons programs, cyber operations, and intelligence gathering.

How the Hacker Bypassed Checks

Before hiring the malicious actor, KnowBe4 conducted extensive background checks, verified references, and held four video interviews. Despite these precautions, the individual used a stolen U.S. identity and AI tools to create a fake profile picture that matched during the video calls. This deception enabled the hacker to bypass the initial vetting process.

On July 15, 2024, KnowBe4's Endpoint Detection and Response (EDR) system flagged an attempt to load malware from the Mac workstation recently issued to the new hire. The malware, designed to steal information stored in web browsers, was intended to capture any leftover credentials or data from the computer's previous user.

When confronted by KnowBe4's IT staff, the state actor initially offered excuses but soon ceased all communication.

Deceptive Hiring Practices

KnowBe4 CEO Stu Sjouwerman explained that the scheme involved tricking the company into sending the workstation to an "IT mule laptop farm" near the address provided by the fraudster. The hacker then used a VPN to connect to the device during U.S. working hours, making it seem like they were working as usual.

To prevent similar incidents, KnowBe4 advises companies to use isolated sandboxes for new hires, keeping them away from critical network areas. Additionally, firms should ensure that new employees' external devices are not used remotely and treat any inconsistencies in shipping addresses as potential red flags.

This incident at KnowBe4 zeroes in on the intricate  methods employed by North Korean hackers to infiltrate American companies. By staying vigilant and implementing robust security measures, firms can protect themselves from such threats.


Read more »
Tornado Cash
Axie Infinity cryptocurrency theft Cyber Crime decentralized mixers Horizon Bridge law enforcement actions Lazarus Group North Korean Hackers Sinbad.io Tornado Cash

Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering

 

The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate due to its decentralized nature, making it immune to seizure and shutdown like centralized mixers.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.
Read more »
North Korean Hackers
Coin Mixer Crypto Crime Cyber Crime cyber theft North Korean Hackers

North Korean Hacking Outfit Lazarus Siphons $1.2M of Bitcoin From Coin Mixer

 

Lazarus Group, a notorious hacker group from North Korea, reportedly moved almost $1.2 million worth of Bitcoin (BTC) from a coin mixer to a holding wallet. This move, which is the largest transaction they have made in the last month, has blockchain analysts and cybersecurity experts talking. 

Details of recent transactions

Two transactions totaling 27.371 BTC were made to the Lazarus Group's wallet, according to blockchain analysis firm Arkham. 3.34 BTC were subsequently moved to a separate wallet that the group had previously used. The identity of the coin mixer involved in these transactions remains unknown. Coin mixers are used to conceal the trail of cryptocurrency transactions, making it difficult to track down the ownership and flow of funds.

The Lazarus Group's latest effort adds to its long history of sophisticated cyber crimes, notably involving cryptocurrency. The US Treasury Department has linked them to a $600 million bitcoin theft from the Ronin bridge, which is linked to Axie Infinity, a famous online game. 

Growing cryptocurrency reservoir

According to Arkham, the Lazarus Group's combined wallet holdings are currently worth approximately $79 million. This includes around $73 million in Bitcoin and $3.4 million in Ether. This huge wealth accumulation through illicit techniques exemplifies the group's persistent and expanding cryptocurrency operations.

Furthermore, a recent TRM Labs study discovered that North Korean-affiliated hackers, notably the Lazarus Group, were responsible for one-third of all cryptocurrency attacks and thefts in 2023. These operations apparently earned them roughly $600 million. 

Cyber attack patterns  

Multiple cybersecurity firms have carried out investigations into the Lazarus Group's operational tactics. Taylor Monahan, a Metamask developer, stated that the latest Orbit assault, which resulted in a loss of $81 million, was similar to prior Lazarus Group operations. Such patterns provide significant insights into their strategies and can assist in the development of more effective defensive measures for future attacks.

Over the last three years, the cybersecurity firm Recorded Future has attributed more than $3 billion in cryptocurrency breaches and vulnerabilities to the Lazarus Group. Their consistent and effective execution of high-profile cyber thefts highlights the advanced nature of their skills, as well as the challenges encountered in combatting such attacks.
Read more »
South Korea
Andariel Data Breach Hacker group Military Data North Korea North Korean Hackers Ransomware group South Korea

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group for stealing critical defense secrets from South Korea’s defense companies. Allegedly, the laundering ransomware is redirected to North Korea. One of the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, like Bithumb and Binance, to launder the acquired ransom. Till now, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers proceeded to redirect the laundered money from the K Bank branch to a location close to the North Korea-China border. 

Seoul police noted that they have seized the domestic servers and virtual asset exchange used by Andariel to conduct their campaigns. Also, the owner of the account, that was used in transferring the ransom, has been detained. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses of the threat actor and have advised them to boost their cybersecurity and update security software to the latest versions. It has also been advised to organizations to encrypt any critical data, in order to mitigate any future attack. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

Read more »
USA officials
Crypto Crypto Currency Crypto Market Cryptominers cryptomixer Data Breach Lazarus Group North Korean Hackers State Sponsored Hackers USA officials

U.S. Seizes Sinbad Crypto Mixer Tied to North Korean Hackers

Federal authorities in the United States have effectively confiscated the Sinbad crypto mixer, a tool purportedly used by North Korean hackers from the Lazarus organization, in a key action against cybercriminal activities. The operation, which focused on the Lazarus group's illegal financial operations, is an important development in the continuous international effort to tackle cyber threats.

The Lazarus organization, a state-sponsored hacker outfit renowned for coordinating high-profile cyberattacks, is connected to North Korea, which is how the Sinbad cryptocurrency mixer got its reputation. A crucial component of this operation was reportedly played by the U.S. Department of Treasury.

The WannaCry ransomware assault in 2017 and the notorious Sony Pictures hack from 2014 are only two of the cybercrimes the Lazarus organization has been connected to. These occurrences highlight the group's advanced capabilities and possible threat to international cybersecurity.

The Sinbad crypto mixer, seized by U.S. authorities, was allegedly used by the Lazarus group to obfuscate and launder cryptocurrency transactions. Cryptocurrency mixers are tools designed to enhance privacy and security by mixing transactions with those of other users, making it challenging to trace the source and destination of funds. However, when used for illicit purposes, such mixers become a focal point for law enforcement.

The U.S. Department of the Treasury issued a press release on the matter, emphasizing the government's commitment to countering cyber threats and safeguarding the financial system's integrity. The move is part of a broader strategy to disrupt the financial networks that support malicious cyber activities.

The US Treasury Secretary stated, "The seizure of the Sinbad crypto mixer is a clear signal that the United States will not tolerate those who use technology to engage in malicious cyber activities. We are committed to holding accountable those who threaten the security and stability of our financial systems."

This operation highlights the collaboration between law enforcement agencies and the private sector in tackling cyber threats. It serves as a reminder of the importance of international cooperation to address the evolving challenges posed by state-sponsored hacking groups.

The seizure of the Sinbad cryptocurrency mixer is evidence of the determination of authorities to safeguard people, companies, and countries from the dangers of cybercrime, particularly at a time when the world community is still struggling to contain the sophistication of cyber threats.
Read more »
Unibot
Apple MacOS Cryptocurrency exchange KandyKorn KandyKorn malware lazarus Lazarus Group malware North Korean Hackers Unibot

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Read more »
Subscribe to: Posts (Atom)