
While the infamous Lazarus Group is the best-known North Korean state-sponsored hacking group, it is not the only threat actor operating from the country, says a new report.
Samczsun, a Research Partner at the crypto investment firm Paradigm, listed several threat actors targeting organizations and individuals abroad.
Two groups – Contagious Interview and Wagemole – have been identified as operating in the IT employee "hiring" space. For example, Contagious Interview is said to pose as recruiters for well-known companies to lure developers into fake job interviews, tricking them into downloading malware that can steal, for example, crypto assets.
Meanwhile, criminals from Wagemole attempt to get hired by foreign companies themselves to leverage system access and steal company assets. According to Samczsun, in some cases, operatives have remained embedded within victim organizations for up to a year before causing real damage.
The next threat actor on the list is AppleJeus, which is primarily focused on distributing malware via legitimate-looking software such as trading applications or cryptocurrency wallets. It specializes in supply chain attacks.
Another group, Dangerous Password, focuses on low-sophistication social engineering-based attacks within the crypto industry. These threat actors are still sending phishing emails but have also evolved to use other platforms, such as Telegram.
"Additionally, users report being contacted by individuals impersonating journalists and investors who ask to schedule a call using an obscure video conferencing app," the researcher said, noting that these apps are designed to spread malware.
TraderTraitor is the last group on the list and, according to Samczsun, "is the most sophisticated [Democratic People's Republic of Korea] threat actor targeting the cryptocurrency industry."
This group primarily targets crypto exchanges and other companies with large reserves, using highly sophisticated spear-phishing techniques against its victims.
"In the case of the Axie Infinity hack, TraderTraitor reached out to a senior engineer via LinkedIn and successfully convinced them to go through a series of interviews before sending an ‘offer’ that delivered the malware," the report said, urging vigilance and awareness of social engineering tactics. Organizations should also apply the Principle of Least Privilege where possible.
Meanwhile, a separate report by the cybersecurity firm Sekoia examined an ongoing malicious campaign, dubbed ClickFake Interview, that targets crypto job seekers with fake job interview websites. This campaign is attributed to Lazarus.
"ClickFake Interview leverages fake job interview websites to deploy a Go backdoor – GolangGhost – on Windows and macOS environments using the now infamous ClickFix tactic," Sekoia said.
The company reported that it examined 184 different invitations retrieved from fake interview websites and found 14 well-known companies used to lure victims. These include Coinbase, Ripple, KuCoin, Kraken, Chainalysis, and more.