A North Korean nation-state group notorious for its crypto heists has been credited with a new wave of malicious email attacks. The TA444 group (also known as APT38, BlueNoroff, Copernicium and Stardust Chollima) uses a wide range of malware delivery methods. In their arsenal: blockchain-related bait, fake job opportunities in prestigious firms, quick money, etc. TA444 attacks also often use phishing emails tailored to the interests of the victim. As usual, they contain seemingly harmless .lnk shortcut files or .iso optical disc images, but in fact they are malware in disguise. Other TA444 tactics include using compromised LinkedIn accounts belonging to legitimate company executives to contact and interact with targets to spread decoy links. In the group's later campaigns, in December of last year, the attack vector changed a lot. TA444 was involved in the distribution of phishing messages that prompted recipients to go to a URL that redirected them to a credential harvesting page ("Credential Harvesting" method). December's malicious mailings primarily affected government agencies in the United States and Canada. Apparently, in the future, TA444 plans to use the received data for a new wave of attacks. North Korea is increasingly becoming involved in certain cybercrimes related to cryptocurrency and attacks on government structures in different countries. Recall that in June last year, the FBI accused the North Korean groups Lazarus and BlueNoroff (aka TA444) of stealing $ 100 million in cryptocurrency from the Harmony Horizon Bridge. And in October, international investigators expressed their concern that the cryptocurrency stolen by hackers from the DPRK was being used to finance nuclear weapons.

Greg Lesnevich of Proofpoint stated, “With a startup mentality and passion for cryptocurrencies, TA444 is leading North Korea’s cash flow generation by raising money that can be laundered.” 

“These attackers are rapidly coming up with new attack methods using social media as part of their modus operandi,” Lesnevich added.