A state-sponsored North Korean threat actor tracked as TA406 was recently observed deploying custom info-stealing malware in espionage campaigns.
The particular actor is attributed as one of several groups collectively known as Kimsuky (aka Thallium). TA406 has left traces of low-volume activity since 2018, primarily focusing on espionage, money-grabbing scams, and extortion.
However, in March and June 2021, TA406 launched two distinct malware distribution campaigns that targeted foreign policy experts, journalists, and members of NGOs (non-governmental organizations).
In a new report, researchers at Proofpoint tracked TA406, sampled their tools, and discovered the services they abuse and the phishing lures they employ.
TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.
According to Proofpoint’s report, the actors work roughly from 9 a.m. to 5 p.m. (KST), seven days a week, with hacking their full-time occupation.
The targeting scope is quite broad, including North America, Russia, China, South Korea, Japan, Germany, France, the UK, South Africa, India, and more.
The phishing emails sent by TA406 commonly use lures about nuclear safety, politics, and Korean foreign policy, while targeting high-ranking elected officials.
“The recipients of that campaign included some of the highest ranking elected officials of several different governmental institutions, an employee at a consulting firm, government institutions related to defense, law enforcement, and economy and finance, and generic mailboxes for board and customer relations of a large financial institution,” explains Proofpoint’s report.
The mails are sent from compromised websites, and the sender usually impersonates real people instead of creating fake personas.
Examples include an editor at Global Asia, a professor at Yonsei University, and an adviser to President Moon Jae-in.
Of particular interest, when conducting phishing campaigns to harvest credentials, TA406 does not usually create elaborate landing pages to impersonate a well-known server. Instead, they use basic HTTP authentication, which displays a browser dialog requesting the user’s credentials.
The lures are typically PDF files that require the recipient to log in to the hosting platform using their personal or corporate credentials to view them.
Starting in January 2021, TA406 began dropping malware payloads via phishing emails leading to 7z archives. These archives contained an EXE file with a double extension to appear as an .HTML file.
If opened, the file would create a scheduled task named “Twitter Alarm,” which enables the actors to drop additional payloads every 15 minutes.
Upon execution, the EXE also opens a web browser to a PDF file of a legitimate NK News article hosted on the actor’s infrastructure, attempting to trick the victim into thinking they’re reading a post on a news site.
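As an added defender-side example (not code from the article or from Proofpoint), the following Python triages an exported Task Scheduler XML definition for the persistence pattern described above: the reported task name, a short repetition interval, an executable launched from a user-writable path, and the double extension. Only the task name "Twitter Alarm" and the 15- and 20-minute intervals come from the article; the sample XML and the remaining heuristics are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML format (what schtasks /query /xml exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# "Twitter Alarm" is the task name Proofpoint reported; the remaining heuristics are assumptions.
KNOWN_BAD_NAMES = {"twitter alarm"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
DOUBLE_EXT = re.compile(r"\.(html?|pdf|docx?)\.(exe|scr|com)$", re.I)

# Constructed sample task mimicking the dropper described in the article (not a real export).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT15M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Local\Temp\report.html.exe</Command>
  </Exec></Actions>
</Task>"""
# Constructed benign task: daily calendar trigger, binary under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-03-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""

def iso_minutes(interval):
    """Convert an ISO 8601 duration such as PT15M or PT1H into minutes (0 if missing/unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval or "")
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(name, task_xml, max_minutes=20):
    """Return the reasons a task matches the TA406 dropper pattern; an empty list means nothing flagged."""
    root = ET.fromstring(task_xml)
    reasons = []
    if name.strip().lower() in KNOWN_BAD_NAMES:
        reasons.append(f"task name matches reported IoC: {name!r}")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        minutes = iso_minutes(interval.text)
        if 0 < minutes <= max_minutes:  # 15-min (dropper) and 20-min (FatBoy) beacons both land here
            reasons.append(f"repeats every {minutes:g} min")
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if USER_WRITABLE.search(path):
            reasons.append(f"runs from user-writable path: {path}")
        if DOUBLE_EXT.search(path):
            reasons.append(f"double extension disguises executable: {path}")
    return reasons
```

To hunt on a live host, feed the output of `schtasks /query /tn <name> /xml` (or each XML file under C:\Windows\System32\Tasks) to `triage_task` together with the task name.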
In June 2021, TA406 began deploying a custom malware named ‘FatBoy,’ which dropped as an HTML attachment on the victim’s disk.
Each of these attachments has a unique hash and features an invisible iframe to communicate with the attackers and tell them which recipient (IP address) opened the file.
FatBoy is a small first-stage malware whose purpose is to download a CAB file from the C2 every 20 minutes.
The CAB file contains a batch script (ball.bat), which executes a VBS script designed to perform reconnaissance and exfiltrate information via HTTP POST requests.
A notable TA406 payload fetched by this downloader is ‘YoreKey,’ a custom Windows keylogger masquerading as MetaTrader 4 Manager, a legitimate electronic trading platform.
YoreKey ensures persistence by creating a registry key and storing its logs in plain text on the infected system.
The keylogger allows the threat actors to steal other login credentials entered by the user as they use their device.
Parallel to the above, TA406 is also engaging in crypto-stealing operations, and according to Proofpoint’s findings, has received at least 3.77 Bitcoin, worth approximately $222,000.
This is done through various methods, including posing as NGOs for donations, offering (probably fake) file decoding/deobfuscation services through a website named ‘Deioncube,’ and sextortion scams.
It is possible that the amount of stolen cryptocurrency is much larger as the threat actors are likely using additional wallets unknown to the Proofpoint researchers.
With the wide range of malicious activity conducted by the TA406 and Kimsuky hackers, we should continue to see them conducting further attacks on behalf of the North Korean government.
“Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” say the Proofpoint researchers.
These attacks include further targeting of US defense contractors and nuclear research agencies to steal valuable intelligence that the North Korean government can use.