Security News

A cyberespionage group with ties to North Korea has resurfaced with a stealthier variant of its remote access trojan called Konni to attack political institutions located in Russia and South Korea. "The authors are constantly making code improvements," Malwarebytes researcher Roberto Santos said.

Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what's yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor. Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name "SnatchCrypto," noted that the campaign has been running since at 2017, adding the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam.

From basic financial pump-and-dump schemes to straight-up nation-state cybertheft, nascent crypto markets, and their investors - often with dubious understanding of how they really work - have become prime targets for crypto scammers. North Korean-backed cybercrime groups, including APT 38/Lazarus Group, have turned their talents and resources exclusively toward ripping off crypto markets, according to a new report from Chainalysis.

A North Korean cyberespionage group named Konni has been linked to a series of targeted attacks aimed at the Russian Federation's Ministry of Foreign Affairs with New Year lures to compromise Windows systems with malware. The most recent attacks involved the actor gaining access to the target networks through stolen credentials, exploiting the foothold to load malware for intelligence gathering purposes, with early signs of the activity documented by MalwareBytes as far back as July 2021.

Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as ScarCruft, also known as APT37, Reaper Group, InkySquid, and Ricochet Chollima. "The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications," the company's Global Research and Analysis Team said in a new report published today.

A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering. Policy experts, journalists and nongovernmental organizations were targeted as part of weekly campaigns observed between from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor's tactics, techniques, and procedures, with the attacks spread across North America, Russia, China, and South Korea.

A state-sponsored North Korean threat actor tracked as TA406 was recently observed deploying custom info-stealing malware in espionage campaigns. The phishing emails sent by TA406 commonly use lures about nuclear safety, politics, and Korean foreign policy, while targeting high-ranking elected officials.

Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software. The findings were reported by ESET security researcher Anton Cherepanov last week in a series of tweets.

Lazarus Group, the advanced persistent threat group attributed to the North Korean government, has been observed waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and target a wide range of downstream entities. The latest intelligence-gathering operation involved the use of MATA malware framework as well as backdoors dubbed BLINDINGCAN and COPPERHEDGE to attack the defense industry, an IT asset monitoring solution vendor based in Latvia, and a think tank located in South Korea, according to a new Q3 2021 APT Trends report published by Kaspersky.

North Korean-sponsored Lazarus hacking group has switched focus on new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities. Lazarus used a new variant of the BLINDINGCAN backdoor to target a South Korean think tank in June after deploying it to breach a Latvian IT vendor in May. "In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload," the researchers said.