North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics

Threat actors linked to North Korea have accounted for one-third of all phishing activity targeting Brazil since 2020, as the country's emergence as an influential power has drawn the attention of cyber espionage groups.

“North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors,” Google’s Mandiant and Threat Analysis Group (TAG) divisions said in a joint report published this week.

“Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.”

Prominent among these groups is a threat actor tracked as UNC4899 (aka Jade Sleet, PUKCHONG, and TraderTraitor), which has targeted cryptocurrency professionals with a malware-laced trojanized Python app.

The attack chains involve reaching out to potential targets via social media and sending a benign PDF document containing a job description for an alleged job opportunity at a well-known cryptocurrency firm.

Should the target express interest in the job offer, the threat actor follows up by sending a second innocuous PDF document with a skills questionnaire and instructions to complete a coding assignment by downloading a project from GitHub.

“The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met,” Mandiant and TAG researchers stated.

This isn’t the first time UNC4899, which has been attributed to the 2023 JumpCloud hack, has leveraged this technique. In July 2023, GitHub warned of a social engineering attack that sought to trick employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies into executing code hosted in a GitHub repository using bogus npm packages.

Job-themed social engineering campaigns are a recurring theme among North Korean hacking groups, with the tech giant also spotting a campaign orchestrated by a group it tracks as PAEKTUSAN to deliver a C++ downloader malware called AGAMEMNON via Microsoft Word attachments embedded in phishing emails.

“In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm,” the researchers noted, adding that the campaigns are consistent with a long-running activity tracked as Operation Dream Job.

“In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities.”

Google further said it blocked attempts by another North Korean group dubbed PRONTO to target diplomats with denuclearization- and news-related decoys to trick them into visiting credential harvesting pages or providing their login information in order to view a supposed PDF document.

The development comes weeks after Microsoft shed light on a previously undocumented threat actor of North Korean origin, codenamed Moonstone Sleet, which has singled out individuals and organizations in the software and information technology, education, and defense industrial base sectors with both ransomware and espionage attacks.

Among Moonstone Sleet’s noteworthy tactics is the distribution of malware via counterfeit npm packages published on the npm registry, mirroring that of UNC4899. That said, the packages associated with the two clusters bear distinct code styles and structures.

“Jade Sleet’s packages, discovered throughout summer 2023, were designed to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality,” Checkmarx researchers Tzachi Zornstein and Yehuda Gelb stated.

“In contrast, the packages published throughout late 2023 and early 2024 adopted a more streamlined single-package approach which would execute its payload immediately upon installation. In the second quarter of 2024, the packages increased in complexity, with the attackers adding obfuscation and having it target Linux systems as well.”

Regardless of the variations, the tactic abuses the trust users place in open-source repositories, allowing the threat actors to reach a broader audience and increasing the likelihood that one of their malicious packages could be inadvertently installed by unwitting developers.

The disclosure is significant, not least because it marks an expansion of Moonstone Sleet’s malware distribution mechanism, which previously relied on spreading the bogus npm packages using LinkedIn and freelancer websites.

The findings also follow the discovery of a new social engineering campaign undertaken by the North Korea-linked Kimsuky group wherein it impersonated the Reuters news agency to target North Korean human rights activists to deliver information-stealing malware under the guise of an interview request, according to Genians.
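The two delivery mechanisms described above, a coding-assignment repository that makes an outbound request under certain conditions and an npm package whose payload runs as soon as it is installed, share one defensive habit: read what a project will do before running or installing it. The Python script below is an added example, not code from the Google, Microsoft or Checkmarx reports; it statically lists the review points in a project directory (network imports and hard-coded URLs, dynamic code execution, shell commands, and npm lifecycle scripts that `npm install` runs automatically). The sample files it scans (a price fetcher, a config loader and a `package.json`) and their domain are constructed for this demonstration. Flagged items are places to look, not verdicts: a genuine price fetcher also talks to the network, so the reviewer's question is which host, and why.

```python
"""Pre-execution review of an untrusted project directory (added example)."""
import ast
import json
import tempfile
from pathlib import Path

# Top-level modules whose import means the project talks to the network.
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "httpx", "aiohttp", "ftplib"}
# Calls that turn data (possibly fetched at runtime) into code.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
# npm hooks that run without any explicit action by the user.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}


def _dotted_name(node):
    """Turn a Name/Attribute chain into 'urllib.request.urlopen', else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_python_source(src, filename):
    """Return (file, line, kind, detail) tuples for one Python source file."""
    findings = []
    try:
        tree = ast.parse(src, filename)
    except SyntaxError as exc:
        return [(filename, exc.lineno or 0, "unparseable", str(exc))]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] in NETWORK_MODULES:
                findings.append((filename, node.lineno, "network-import", mod))
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DYNAMIC_EXEC:
                findings.append((filename, node.lineno, "dynamic-exec", name))
            elif name in SHELL_CALLS:
                findings.append((filename, node.lineno, "shell-command", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                findings.append((filename, node.lineno, "url-literal", node.value))
    return findings


def scan_package_json(text, filename):
    """Flag npm lifecycle scripts; these execute during `npm install`."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(filename, 0, "unparseable", str(exc))]
    scripts = pkg.get("scripts") or {}
    return [(filename, 0, "npm-lifecycle-script", f"{hook}: {cmd}")
            for hook, cmd in scripts.items() if hook in NPM_LIFECYCLE]


def scan_project(root):
    """Walk a project directory and collect findings from .py and package.json files."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        if path.suffix == ".py":
            findings.extend(scan_python_source(path.read_text(), rel))
        elif path.name == "package.json":
            findings.extend(scan_package_json(path.read_text(), rel))
    return findings


# Constructed sample project; the host name is a reserved .invalid domain.
SAMPLE_FILES = {
    "fetch_price.py": (
        "import json\n"
        "import urllib.request\n\n"
        "def get_price(symbol):\n"
        "    url = 'https://quotes.example.invalid/v1/' + symbol\n"
        "    with urllib.request.urlopen(url) as resp:\n"
        "        return json.load(resp)['price']\n"
    ),
    "settings.py": (
        "def load(path):\n"
        "    # insecure pattern: a config file evaluated as Python code\n"
        "    return eval(open(path).read())\n"
    ),
    "package.json": json.dumps({
        "name": "price-widget",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }),
}


def build_sample_project():
    """Write the constructed sample files to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="review-"))
    for name, content in SAMPLE_FILES.items():
        (root / name).write_text(content)
    return str(root)


if __name__ == "__main__":
    for file, line, kind, detail in scan_project(build_sample_project()):
        print(f"{file}:{line}: {kind}: {detail}")
```

Run against the constructed project, the output names the `urllib` import and the literal URL in `fetch_price.py`, the `eval` in `settings.py`, and the `postinstall` hook in `package.json` (the `test` script is not a lifecycle hook and is ignored). For real assignments the same review can be paired with `npm install --ignore-scripts` and with running the project only inside a throwaway VM or container.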
