North Korean operators are engaged in cyberespionage on several fronts. Recent reports detail what Pyongyang is after and how its spies are pursuing their targets.
DPRK threat actors target 3CX and the defense sector at large.
Mandiant attributes the 3CX exploitation to the Democratic People’s Republic of Korea (DPRK), and Kaspersky specifically attributes it to the Lazarus Group. There is also a campaign against defense sector targets by the Lazarus sub-group DeathNote. That campaign appears to go after defense-industry targets regardless of geography, though US organizations appear to be unaffected.
3CX supply chain attack attributed to DPRK actor.
3CX confirmed on Tuesday that DPRK-associated cyber threat actors were behind the supply chain attack on 3CX in late March. (For background please see The CyberWire’s initial report.) In a report from 3CX the company explains that Mandiant was able to attribute the attacks to UNC4736, a cluster Mandiant assesses with high confidence is based out of the DPRK. “Mandiant determined that the attacker infected targeted 3CX systems with TAXHAUL (AKA “TxRLoader”) malware… The malware uses the Windows CryptUnprotectData API to decrypt the shellcode with a cryptographic key that is unique to each compromised host, which means the data can only be decrypted on the infected system. The attacker likely made this design decision to increase the cost and effort of successful analysis by security researchers and incident responders.” Kaspersky argues (with medium to high confidence) that the DPRK-associated Lazarus Group is behind the attacks, as the company’s researchers found the characteristic Gopuram backdoor in use.
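The host-bound decryption Mandiant describes is Windows DPAPI: CryptUnprotectData only consumes blobs produced by CryptProtectData, and every such blob carries a header naming the master key it was sealed with. For a responder that header is the first thing to read, because it says whether the payload is tied to the machine (LocalMachine scope) or to a user profile, and which master key file must be recovered from the infected host. The Python below is an added illustration of that triage step, not code from the 3CX or Mandiant report: it parses the standard DPAPI blob layout (the same one tools such as dpapick and mimikatz decode) and reports the master key GUID and scope. The sample blob is constructed in that layout with junk ciphertext; it is not a TAXHAUL artifact, and nothing here decrypts anything.

```python
import ntpath
import struct
import uuid

# Well-known provider GUID that CryptProtectData writes into every blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# From dpapi.h: blob was protected with machine scope rather than user scope.
CRYPTPROTECT_LOCAL_MACHINE = 0x4
# A few wincrypt.h ALG_ID values, enough to label the usual defaults.
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}


def _read_u32(buf: bytes, off: int):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _read_lp_buffer(buf: bytes, off: int):
    """DWORD length followed by that many bytes."""
    n, off = _read_u32(buf, off)
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the DPAPI blob header and return what a responder needs to locate the master key."""
    off = 0
    version, off = _read_u32(blob, off)
    provider = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16   # GUIDs are stored mixed-endian
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _read_u32(blob, off)
    master_key_guid = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    flags, off = _read_u32(blob, off)
    description, off = _read_lp_buffer(blob, off)                  # UTF-16LE, often empty
    alg_crypt, off = _read_u32(blob, off)
    alg_crypt_bits, off = _read_u32(blob, off)
    _salt, off = _read_lp_buffer(blob, off)
    _strong, off = _read_lp_buffer(blob, off)                      # legacy field, normally empty
    alg_hash, off = _read_u32(blob, off)
    _alg_hash_bits, off = _read_u32(blob, off)
    _hmac_key, off = _read_lp_buffer(blob, off)
    ciphertext, off = _read_lp_buffer(blob, off)
    _signature, off = _read_lp_buffer(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "master_key_guid": str(master_key_guid),
        "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "cipher_bits": alg_crypt_bits,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "ciphertext_len": len(ciphertext),
    }


def master_key_path(info: dict, user_sid: str = "<SID>") -> str:
    """Where the master key file this blob depends on lives on the origin host."""
    if info["machine_scope"]:
        base = r"%SystemRoot%\System32\Microsoft\Protect\S-1-5-18"
    else:
        base = ntpath.join(r"%APPDATA%\Microsoft\Protect", user_sid)
    return ntpath.join(base, info["master_key_guid"])


def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_sample_blob(master_key_guid: str, machine_scope: bool, payload: bytes) -> bytes:
    """Constructed sample in the real layout; salt, keys, ciphertext and signature are filler."""
    flags = CRYPTPROTECT_LOCAL_MACHINE if machine_scope else 0
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<I", flags)
            + _lp("shellcode".encode("utf-16-le") + b"\x00\x00")
            + struct.pack("<II", 0x6610, 256) + _lp(b"\x11" * 32) + _lp(b"")
            + struct.pack("<II", 0x800E, 512) + _lp(b"\x22" * 32)
            + _lp(payload) + _lp(b"\x33" * 64))


if __name__ == "__main__":
    # Hypothetical master key GUID; any value works for the constructed sample.
    blob = build_sample_blob("0f6a2d1e-9c4b-4b7e-8a2c-1d5e6f708192", True, b"\x90" * 48)
    info = parse_dpapi_blob(blob)
    print(info)
    print("needs master key:", master_key_path(info))
```

The scope bit is what makes the payload "unique to each host": a machine-scope master key is itself sealed with the DPAPI_SYSTEM LSA secret of that machine, so decryption requires either running CryptUnprotectData on the compromised host or carrying both the master key file and that secret out with the evidence. Collect them before the host is rebuilt.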
A Lazarus sub-group is after defense sector targets
Dark Reading reported on an ongoing remote access Trojan (RAT) campaign being conducted by “DeathNote,” another sub-unit of the DPRK’s Lazarus Group. This campaign seems to have focused on defense sector targets, specifically in the African defense industry, since 2022. Dark Reading reports that “DeathNote's campaigns targeting the defense sector have not affected US organizations.” Kaspersky detailed the group’s infiltration methods, explaining that “DeathNote initially breached the company via a Trojanized, open source PDF reader sent via Skype messenger. Once executed, the PDF reader created a legitimate file and a malicious file in the same directory on the infected machine.” Dark Reading explained “it then used a technique known as DLL side loading to install malware for stealing system information and downloaded a sophisticated second-stage remote access Trojan (RAT) called Copperhedge from an attacker-controlled command-and-control server (C2).”
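The "legitimate file and a malicious file in the same directory" pattern is the whole trick: Windows searches an executable's own directory before the system directories when it resolves a DLL by name, so a clean, signed program dropped next to a lookalike DLL will load the attacker's code with the program's reputation. Two Sysmon Event ID 7 (image load) heuristics catch most of it: a DLL whose name belongs in System32 being loaded from somewhere else, and an unsigned DLL loaded from the same user-writable folder as the process that loaded it. The Python below is an added example of that detection logic, not Kaspersky's or Dark Reading's tooling; the event records are constructed to mirror Sysmon's Event 7 fields (Image, ImageLoaded, Signed, SignatureStatus), the DLL name list is illustrative rather than exhaustive, and the file names are invented (the page does not name the PDF reader).

```python
import ntpath

# DLL names that belong in the Windows system directories. An application-local
# copy of one of these is the classic side-loading decoy. Illustrative, not exhaustive.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "wtsapi32.dll",
                     "cryptbase.dll", "uxtheme.dll", "msimg32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Path fragments that mark locations an ordinary user can write to.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")


def _under_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify_image_load(ev: dict) -> list:
    """Return the reasons a Sysmon Event 7 record looks like DLL side-loading (empty if benign)."""
    exe = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    name = ntpath.basename(dll)
    reasons = []
    # Rule 1: a system DLL name resolved from a non-system path.
    if name in KNOWN_SYSTEM_DLLS and not _under_system_dir(dll):
        reasons.append(f"system DLL name {name} loaded from non-system path")
    # Rule 2: unsigned DLL sitting beside its loader in a user-writable directory
    # (the dropped legitimate EXE + malicious DLL pair the page describes).
    same_dir = ntpath.dirname(dll) == ntpath.dirname(exe)
    unsigned = ev.get("Signed", "false").lower() != "true"
    if same_dir and unsigned and any(h in exe for h in USER_WRITABLE_HINTS):
        reasons.append("unsigned DLL loaded from the loader's own user-writable directory")
    return reasons


def scan(events: list) -> list:
    """(Image, ImageLoaded, reasons) for every record that trips at least one rule."""
    return [(ev["Image"], ev["ImageLoaded"], r) for ev in events if (r := classify_image_load(ev))]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Benign: a system binary loading version.dll from System32.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Side-load: a dropped "PDF reader" in Temp loads a lookalike version.dll from the same folder.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\pdfreader.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign: a vendor application loading its own signed DLL from Program Files.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious under rule 2 only: not a system DLL name, but unsigned and beside its loader in Downloads.
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, loaded, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}")
        for r in reasons:
            print("   ", r)
```

Rule 2 is deliberately scoped to user-writable paths; applied to Program Files it would fire on every vendor that ships unsigned helper DLLs. Tune the DLL list to what your estate's signed binaries actually import, and pair the alert with the Event 1 process-creation record so the analyst sees how the loader got there.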
A June 2022 report by ESET noted early signs of the shift. “As early as 2020, ESET researchers had already documented a campaign pursued by a sub-group of Lazarus against European aerospace and defense contractors ESET called operation In(ter)ception. This campaign was noteworthy as it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications.”
(Added, 8:45 PM ET, April 13th, 2023. Christopher Peacock, Principal Detection Engineer at SCYTHE, commented that the shift in targeting probably follows a change in Pyongyang's priorities. “Often governments shift capabilities to address their needs and requirements, so there may have been a strategic shift from targeting crypto businesses for money to more classical espionage attempting to collect defense information.”)