North Korea-linked malicious actors have been responsible for a third of all phishing activity targeting Brazil since 2020, as the country’s emergence as an influential power has attracted the attention of cyber espionage groups.
“Actors backed by the North Korean government have targeted the Brazilian government and the Brazilian aerospace, technology, and financial services sectors,” Google’s Mandiant and Threat Analysis Group (TAG) divisions said. said in a joint report released this week.
“Similar to targeting interests in other regions, cryptocurrency and fintech companies have come under particular scrutiny, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.”
Among these groups is a threat actor tracked as UNC4899 (aka Jade Sleet, PUKCHONG, and TraderTraitor), which targeted cryptocurrency professionals with a trojanized Python application containing malware.
The attack chains involve contacting potential targets via social media and sending a harmless PDF document containing a job description for a supposed job opportunity at a well-known cryptocurrency company.
If the target expresses interest in the job posting, the malicious actor sends them a second, harmless PDF document containing a skills questionnaire and instructions to complete a coding task by downloading a project from GitHub.
“The project was a trojanized Python application to retrieve cryptocurrency prices that was modified to reach an attacker-controlled domain to retrieve a second-stage payload if specific conditions were met,” Mandiant and TAG researchers said.
This isn’t the first time UNC4899, which was attributed to the 2023 JumpCloud hack, has used this approach. In July 2023, GitHub warned of a social engineering attack that sought to trick employees working at blockchain, cryptocurrency, online gambling and cybersecurity companies into running code hosted in a GitHub repository using fake npm packages.
Job-targeted social engineering campaigns are a recurring theme among North Korean hacking groups, with the tech giant also spotting a campaign orchestrated by a group it tracks under the name PAEKTUSAN to distribute a C++ downloader malware called AGAMEMNON via Microsoft Word attachments embedded in phishing emails.
“In one example, PAEKTUSAN created an account impersonating a human resources manager at a Brazilian aerospace company and used it to send phishing emails to employees at a second Brazilian aerospace company,” the researchers noted, adding that the campaigns are consistent with long-standing activity tracked as Operation Dream Job.
“In a separate campaign, PAEKTUSAN posed as a recruiter for a major U.S. aerospace company and contacted professionals in Brazil and other regions via email and social media about potential job opportunities.”
Google also said it had blocked attempts by another North Korean group dubbed PRONTO to target diplomats with denuclearization- and news-related email lures to trick them into visiting credential-collection pages or providing their login information to view a purported PDF document.
The development comes weeks after Microsoft shed light on a previously undocumented North Korean threat actor named Moonstone Melted Snowwhich targeted individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and espionage attacks.
Notable tactics of Moonstone Sleet include distributing malware via counterfeit npm packages. published on the npm registrymirroring that of UNC4899. That said, the packages associated with the two clusters have distinct code styles and structures.
“The Jade Sleet packages, discovered throughout the summer of 2023, have been designed to work in pairs“each pair being published by a separate npm user account to distribute their malicious functionality,” Checkmarx researchers Tzachi Zornstein and Yehuda Gelb said. said.
“In contrast, packages released in late 2023 and early 2024 took a more streamlined, single-package approach that would execute its payload immediately after installation. During Q2 2024, the packages became more complex, with attackers adding obfuscation and also targeting Linux systems.”
Despite the differences, this tactic abuses the trust that users place in open source repositories, allowing threat actors to reach a wider audience and increasing the likelihood that one of their malicious packages could be inadvertently installed by unwitting developers.
This revelation is significant, particularly because it marks an expansion of Moonstone Sleet’s malware distribution mechanism, which previously relied on distributing fake npm packages via LinkedIn and independent websites.
The results also follow the discovery of a new social engineering campaign undertaken by groups linked to North Korea Kimsuky Group in which he impersonated the Reuters news agency to target North Korean human rights activists in order to distribute information-stealing malware under the guise of an interview request, according to Genians.