Full Report
Research from Cisco Talos and Google Threat Intelligence Group underscores the extent to which North Korea-aligned attackers attempt to avoid detection. Source article: "North Korean operatives spotted using evasive techniques to steal data and cryptocurrency", originally published on CyberScoop.
Analysis Summary
# Threat Actor: North Korea-Aligned Threat Actors (Various Groups)
## Attribution & Identity
Attributed to North Korean nation-state actors. Associated groups and naming conventions mentioned in the analysis include:
* **Famous Chollima** (linked to BeaverTail and OtterCookie usage)
* **UNC5342** (linked to EtherHiding and the "Contagious Interview" social engineering campaign)

Taken together, the activity reflects sustained, ongoing effort by North Korea-aligned threat groups rather than a one-off campaign.
## Activity Summary
North Korean operatives are using increasingly specialized and evasive malware and techniques to achieve multiple objectives, primarily centered around financial gain and espionage. These attacks often rely on social engineering, particularly targeting job seekers. During fake technical assessments or job interviews, candidates are tricked into downloading malicious files. Recent activity has focused on:
* Stealing credentials and cryptocurrency.
* Deploying ransomware.
* Gaining persistent access to corporate networks for espionage and data theft.
* Employing novel command and control (C2) methods resistant to disruption, such as using public blockchains.
## Tactics, Techniques & Procedures
- **Social Engineering/Deception:** Targeting job seekers via fake job offers and technical assessments to lure them into installing malicious code.
- **Evasive C2:** Utilizing **EtherHiding**, in which malicious JavaScript payloads are stored on a public blockchain, turning the chain into a decentralized C2 server; the attackers can update the payload remotely and retain control even if their conventional infrastructure is taken down.
- **Malware Chaining/Progression:** Employing multi-stage infection processes involving multiple malware families (e.g., JadeSnow, BeaverTail, InvisibleFerret).
- **Information Stealing Modules:** Deployment of keylogging and screenshotting modules within malware (specifically observed in OtterCookie samples) that periodically exfiltrate captured user activity and sensitive data to C2.
- **Evasion:** Employing specialized and evasive malware strains to avoid common detection methods.
## Targeting
- **Sectors:** Corporate networks (general, as part of espionage/theft objectives).
- **Geography:** One specific observed incident linked to Famous Chollima targeted an **undisclosed organization based in Sri Lanka**. The overall scope is likely broader espionage and cybercrime.
- **Victims:** Job seekers who install malware during application processes; undisclosed organizations targeted for data and cryptocurrency theft.
## Tools & Infrastructure
- **Malware Families:**
* **BeaverTail**
* **OtterCookie** (including observed keylogging/screenshot modules)
* **EtherHiding** (technique rather than a standalone family: malicious JavaScript payloads delivered via a public blockchain)
* **JadeSnow**
* **InvisibleFerret**
- **Infrastructure:** Public blockchains utilized as decentralized C2 infrastructure via EtherHiding, making takedowns difficult. Conventional command and control servers are also used by OtterCookie for receiving stolen screenshots and keystrokes.
## Implications
The adoption of decentralized C2 infrastructure (like using blockchains for EtherHiding) signals an escalation in sophistication, making these threat actor operations more resilient to law enforcement or security takedowns. Their focus on combining financial theft with corporate espionage indicates multiple strategic goals driven by the nation-state.
## Mitigations
- **Vigilance in Hiring/Vetting:** Treat with extreme caution any technical assessment or interview step that asks candidates to download and run files from external sources.
- **Endpoint Detection & Response (EDR):** Strong EDR capabilities capable of detecting fileless malware and unusual process chains.
- **Network Monitoring:** Monitoring for beaconing or communication attempts targeting public blockchains or unusual C2 infrastructure patterns.
- **Treating Job Seekers as Potential Vectors:** Recognizing that initial access is being achieved via social engineering focused on employment opportunities in high-value organizations.
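The "Evasive C2" technique above and the "Network Monitoring" mitigation describe the same observable from two sides: a stager that polls a smart contract for its next payload produces regular, read-only JSON-RPC calls from an ordinary workstation to a blockchain RPC endpoint. The following detection script is an added example for this summary, not code from Cisco Talos, Google TIG or CyberScoop. The proxy log format, the `.invalid` host names, the source IPs and the thresholds are all assumptions constructed for the example; it flags any (source, RPC host) pair that issues `eth_*` JSON-RPC requests at a near-constant interval, regardless of which chain or provider is used.

```python
"""Flag workstations that poll a blockchain RPC endpoint at a regular cadence.

EtherHiding-style C2 reads its payload from a smart contract, so the network
signal is periodic JSON-RPC requests (typically eth_call) rather than traffic
to attacker-owned servers. This script scores periodicity per (src_ip, host).

Added example; not code from the reports this summary is based on.
ASSUMPTIONS: proxy log format, host names, IPs and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import json

# Constructed sample proxy log. ASSUMED format:
#   "<ISO timestamp> <src_ip> <method> <host> <path> <request body or '-'>"
# 10.1.1.20 polls one contract every ~300 s (beacon-like); 10.1.1.31 is a
# developer making two unrelated calls hours apart; 10.1.1.42 is plain web.
SAMPLE_LOG = """\
2024-06-01T09:00:00 10.1.1.20 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x1111"},"latest"],"id":1}
2024-06-01T09:05:00 10.1.1.20 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x1111"},"latest"],"id":2}
2024-06-01T09:10:01 10.1.1.20 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x1111"},"latest"],"id":3}
2024-06-01T09:14:59 10.1.1.20 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x1111"},"latest"],"id":4}
2024-06-01T09:20:00 10.1.1.20 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x1111"},"latest"],"id":5}
2024-06-01T09:25:00 10.1.1.20 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x1111"},"latest"],"id":6}
2024-06-01T09:03:12 10.1.1.31 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}
2024-06-01T11:47:05 10.1.1.31 POST rpc.chain-a.invalid / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x2222"},"latest"],"id":2}
2024-06-01T09:04:00 10.1.1.42 GET www.example.invalid /index.html -
"""


def parse_line(line):
    """Return (timestamp, src_ip, host, rpc_method) for an Ethereum-style
    JSON-RPC POST, or None for anything else."""
    parts = line.split(" ", 5)
    if len(parts) < 6:
        return None
    ts, src, http_method, host, _path, body = parts
    if http_method != "POST" or body == "-":
        return None
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    rpc_method = str(rpc.get("method", ""))
    if rpc.get("jsonrpc") != "2.0" or not rpc_method.startswith("eth_"):
        return None
    return datetime.fromisoformat(ts), src, host, rpc_method


def find_beacons(log_text, min_hits=5, max_jitter=0.1, allowlist=frozenset()):
    """Group RPC requests by (src_ip, host) and flag series whose inter-request
    gaps are nearly constant (coefficient of variation <= max_jitter).
    Hosts in `allowlist` (teams with a business reason to use chain RPC) are skipped."""
    series = defaultdict(list)
    methods = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, host, rpc_method = rec
        if host in allowlist:
            continue
        series[(src, host)].append(ts)
        methods[(src, host)].add(rpc_method)

    findings = []
    for (src, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # 0.0 means perfectly regular polling
        if jitter <= max_jitter:
            findings.append({
                "src_ip": src,
                "host": host,
                "hits": len(stamps),
                "interval_s": round(avg),
                "jitter": round(jitter, 3),
                "methods": sorted(methods[(src, host)]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"ALERT periodic chain RPC polling: {hit}")
```

The check deliberately keys on behaviour (regular cadence of read-only `eth_*` calls from an endpoint) rather than on a list of provider host names, since public RPC providers are numerous and interchangeable. Tune `min_hits` and `max_jitter` to the environment, and put hosts used by finance or engineering teams on the allowlist rather than lowering the thresholds.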