by Jonathan Greig
According to new research, North Korean hackers are impersonating financial institutions, venture capitalists, and Japanese firms located in the United States.
Recorded Future’s Insikt Group attributes the campaign to APT38, a North Korean government-sponsored group known for high-profile attacks against cryptocurrency firms.
Within the latest cluster of activity, which spanned September 2022 to March 2023, researchers identified 74 domains resolving to 5 IP addresses, along with 6 malicious files. Insikt Group’s previous report on overlapping activity attributed to TAG-71 highlighted the group’s spoofing of popular cloud services and of domains belonging to financial firms in Japan, Taiwan and the United States.
The Record is an editorially independent unit of Recorded Future.
The report noted that North Korean hackers have a long history of targeting cryptocurrency exchanges, commercial banks and e-commerce websites for financial gain.
These campaigns allow the North Korean regime to keep raising funds despite the international sanctions it remains under.
Mitch Haszard, a researcher at Insikt Group, noted that the recent campaigns focused primarily on creating fake venture capital companies, whereas APT38 had previously targeted SWIFT, cryptocurrency exchanges and other financial institutions.
He said that both approaches share the same goal, stealing money, but that spoofing venture capital firms was something new and different.
Researchers claim that hackers from North Korea used 18 malicious servers to distribute malware in March of 2022. By heavily spoofing popular cloud services, cryptocurrency exchanges and private investment firms, they duped potential victims into clicking malicious links or entering their login details.
The group targets investment banks and venture capitalists in order to reveal “sensitive or confidential data of these entities, their clients, which could lead to legal or regulatory actions, compromise pending agreements or business negotiations, or expose information that is detrimental to strategic investment portfolios of companies.”
The Insikt Group discovered three additional IP addresses that were associated with this group between January 2023 and March 2023.
Some of the addresses were associated with document-sharing software, such as “docshare” or “autoprotect”, while others appeared to belong to financial institutions in Japan, Vietnam and the United States.
Researchers at Kaspersky have linked several of the IP addresses to another financially motivated hacking group.
Researchers predict that North Korea will continue to launch financially motivated attacks as a result of crippling sanctions.