A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a “sprawling” credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.
The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima.
TA444 is “utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims,” the enterprise security firm said in a report shared with The Hacker News.
The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom as opposed to espionage and data theft.
To that end, the attacks employ phishing emails, typically tailored to the victim’s interests, that are laden with malware-laced attachments such as LNK files and ISO optical disk images to trigger the infection chain.
images from Hacker News