Korea: focus on targeting financial institutions and cryptocurrency exchanges; use of social media, supply chain attacks, trojanised apps, lures and decoys.
In the specific attack, the attackers got in touch with their target on October 19, 2022. They created a secondary Telegram group named "<NameOfTheTargetedCompany> <> OKX Fee Adjustment" and invited three employees, using fake profiles built from details of real employees of the company OKX.
on the fees to appear legitimate, with the name "OKX Binance & Huobi VIP fee comparison.xls". The fee structure discussion was used as an opportunity to ask the target to open the weaponized Excel file and fill in their information.
UserForm to store data and variables, and drops a second malicious Excel file. The second file retrieves a PNG file that contains two executable files and an encrypted backdoor, which are parsed out by the macro.
on the targeted machine. All strings and API calls are obfuscated using a custom algorithm. The network request follows this pattern: GET hxxps://strainservice[.]com/resources?a=1666860077&v=1666527365
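The PNG described above is an image file used as a carrier for executables. The page does not say how the payloads were placed inside it, so the following added triage script (not code from the original page or from any vendor tool) checks the two places a defender would look first: data appended after the IEND chunk, and PE markers anywhere in the file. The sample PNG and appended payload are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Markers that appear at the start of a Windows PE file: the MZ header
# and the text of the standard DOS stub.
PE_MARKERS = (b"MZ\x90\x00", b"This program cannot be run in DOS mode")


def png_payload_report(data: bytes) -> dict:
    """Walk the PNG chunk list; report bytes after IEND and PE markers."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks, trailing = len(PNG_SIG), [], 0
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append(ctype.decode("latin-1"))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":  # anything after IEND is not part of the image
            trailing = len(data) - pos
            break
    markers = []
    for marker in PE_MARKERS:
        off = data.find(marker)
        while off != -1:
            markers.append((off, marker[:4].decode("latin-1")))
            off = data.find(marker, off + 1)
    return {
        "chunks": chunks,
        "trailing_bytes": trailing,
        "pe_markers": markers,
        "suspicious": trailing > 0 or bool(markers),
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample(appended: bytes = b"") -> bytes:
    """Constructed 1x1 PNG (IHDR + IEND only) with optional trailing data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"") + appended


# Constructed samples: a clean image and one carrying a fake PE header.
CLEAN_PNG = build_sample()
DIRTY_PNG = build_sample(b"MZ\x90\x00" + b"\x00" * 60 + PE_MARKERS[1])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("dirty", DIRTY_PNG)):
        print(name, png_payload_report(blob))
```

A hit on either check is a reason to pull the file for analysis; encrypted payloads, like the backdoor mentioned above, will not show a marker and only the trailing-byte count will flag them.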
The North Korean government has a long-term interest in the financial industry, with a more recent focus on the cryptocurrency market. The target is a cryptocurrency investment fund, a category that has been a DPRK target of interest as reported by the Financial Services Agency of Japan. The attackers use various techniques, such as packaging fake crypto apps in MSI format, exploiting VBA UserForms, employing DLL side-loading, and using the AppleJeus malware. North Korean attackers exploit social media platforms like LinkedIn, Twitter, and Telegram to target victims and create fake websites that appear to be legitimate cryptocurrency organizations.