North Korea's TA444 Group Steals Credentials with Phishing Emails and Malware-Laced Attachments

Feb 24, 2023 12:39:51 PM
North Korean nation-state group TA444 - also known as APT38, BlueNoroff, Copernicium, and Stardust Chollima - has shifted its focus to a new wave of malicious email attacks aimed at harvesting credentials. The group, which is financially motivated and generates illicit revenue for North Korea, was identified by Proofpoint, a cybersecurity company. According to a report by the company, TA444 uses phishing emails with malware-laced attachments to ensnare victims, using tactics such as blockchain-related lures, fake job opportunities, and salary adjustments. The group is also observed expanding the functionality of CageyChameleon to profile victims while maintaining a wide arsenal of post-exploitation tools.
The recent wave of attacks, which targeted verticals such as education, government, and healthcare in the U.S. and Canada, marked a deviation from the group's traditional tactics: the phishing emails redirected recipients to a credential harvesting page rather than delivering a malicious attachment. The email blast was distributed using email marketing tools like SendGrid. The reason for the shift in strategy is not immediately clear; it could be an attempt by the group to pivot beyond its traditional targets, or another threat actor may have hijacked its infrastructure.
TA444 is considered a unicorn among state-sponsored groups, as its operations are financially motivated and geared towards generating illicit revenue for the North Korean regime, as opposed to espionage and data theft. In 2022, TA444 adopted a startup mentality and turned its focus to cryptocurrency, with the FBI accusing BlueNoroff actors of stealing $100 million in cryptocurrency from Harmony Horizon Bridge in June 2022. The group remains engaged in using cryptocurrency as a vehicle to provide usable funds to the regime and is rapidly ideating new attack methods.
Proofpoint suggests that TA444 is testing a variety of infection chains to help expand its revenue streams, and the group has taken to mimicking the cybercrime ecosystem. TA444 has tested numerous infection methods in 2022, with varying degrees of success, and has embraced social media as part of its modus operandi. The group has been active in targeting cryptocurrencies since at least 2017 and has two main avenues of initial access: an LNK-oriented delivery chain and a chain beginning with remote template documents. In 2022, TA444 continued to use these methods but also tried new file types for initial access, mirroring the cybercrime landscape.

In summary

TA444 is a startup-minded threat actor that is devoted to the dollar and the grind, taking the startup culture's mantras of rapid iteration, testing products, and failing forward to heart. The group's primary operations are financially motivated and its infection chains often mirror the cybercrime threat landscape at large. The group's focus on cryptocurrency has made it a leader in North Korea's efforts to generate cash flow for the regime.
Ultimately, TA444 is a money-driven, North Korean state-backed group that has recently begun to target credential harvesting. This shift in tactics suggests there might be an effort underway to build additional revenue streams. The group's consistent activity and experimentation with new infection procedures make it especially dangerous for organizations across industries.
To protect against these attacks, a multi-layered approach to cyber security is crucial in today's digital landscape. A comprehensive strategy should include regular supply chain vulnerability scans, firewalls, encryption, and user training. Cyberframe can support your organization in implementing a robust defence by providing a detailed analysis of your organization's whole supply chain network and insights into existing vulnerabilities, to prevent your assets from being damaged.
With the constant threat of cyber attacks, it is important to stay ahead of the curve and protect sensitive data and systems from harm. By implementing a multi-layered security approach and working with a trusted partner like Cyberframe, you can focus on your core business - knowing that your assets are safe from cybercrime. Securing your assets has never been so easy.