
North Korean hackers are targeting software developers with a new job-offer scam that plants malware designed to steal data from the victim's system.

According to a recent report from Palo Alto Networks' Unit 42, the state-backed hacking group, tracked under names such as Slow Pisces, Jade Sleet, PUKCHONG, TraderTraitor and UNC4899, poses as recruiters on LinkedIn.

Once contact is made, developers are lured with fake job offers, followed by what looks like a routine coding test.

But hidden inside these GitHub-hosted projects is tooling that quietly drops malware onto the victim's machine.

Candidates are first asked to run a file that looks like a simple programming task; once it executes on the victim's system, it launches malware called RN Loader, which sends system information to the attacker.

If the target passes the attackers' checks, a second-stage payload, RN Stealer, is delivered; it can exfiltrate everything from SSH keys and iCloud data to Kubernetes and AWS configurations.

What makes this campaign particularly dangerous is its stealth: the malware only activates under specific conditions, such as a matching IP address or system configuration, which makes it hard for researchers to obtain and analyse the payloads.

It also runs entirely in memory, leaving very little forensic footprint on disk.

Slow Pisces has been linked to high-profile thefts, including this year's $1.4 billion Bybit exploit.

The group's tactics have changed little over time, which Unit 42 says may be down to the success and targeted nature of its methods.

“Prior to the Bybit breach there was little detailed awareness of, or reporting on, the campaign in open sources, so it is possible the threat actors did not need to change,” said Andy Piazza, director of threat intelligence at Unit 42.

Instead, the threat actors have improved their operational security, according to the researchers, and have been seen using YAML deserialization and JavaScript templating tricks to hide malicious commands inside otherwise ordinary-looking project files.
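The practical question for a developer handed one of these "coding tests" is how to look at the repository before running anything. The script below is an added example, not code from the Unit 42 report or from Invezz: a stdlib-only static triage pass that flags the patterns described above, that is, unsafe YAML deserialization in Python, `exec`/`eval` on data produced at runtime (the loader shape: fetch or decode something, then execute it), and JavaScript/EJS hooks that let a fetched object supply a function to run. The repository contents in `SAMPLE_REPO` are constructed for illustration, and the rule set is a heuristic starting point rather than a complete detection.

```python
"""Static triage of a "coding test" repo for hidden-loader patterns.

Added example (not Unit 42's or Invezz's code). Stdlib only; sample
repository below is constructed. Heuristics, not a complete detector.
"""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    reason: str


# PyYAML loaders that cannot instantiate arbitrary Python objects. yaml.load()
# with any other loader (or none) honours tags such as !!python/object/apply,
# which is how a "config file" turns into code execution.
SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

# JavaScript heuristics, checked line by line.
JS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() on runtime data"),
    (re.compile(r"\bnew\s+Function\s*\("), "Function constructor builds code at runtime"),
    (re.compile(r"\bescapeFunction\b"), "EJS escapeFunction: caller-supplied object can inject a function"),
    (re.compile(r"\bchild_process\b"), "child_process spawns external commands"),
]


def _dotted_name(node: ast.AST) -> str:
    """'yaml.load' for yaml.load(...), 'exec' for exec(...), '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _yaml_loader_is_safe(call: ast.Call) -> bool:
    """True only when Loader= (or the second positional arg) names a safe loader."""
    loader = next((kw.value for kw in call.keywords if kw.arg == "Loader"), None)
    if loader is None and len(call.args) >= 2:
        loader = call.args[1]
    if loader is None:
        return False  # no Loader given: treat as unsafe (older PyYAML defaulted to FullLoader)
    return _dotted_name(loader).split(".")[-1] in SAFE_YAML_LOADERS


def _scan_python(path: str, src: str) -> list[Finding]:
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [Finding(path, exc.lineno or 0, "unparseable Python (obfuscated?)")]
    found = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in {"yaml.load", "yaml.load_all"} and not _yaml_loader_is_safe(node):
            found.append(Finding(path, node.lineno, "yaml.load without a safe Loader"))
        elif name in {"exec", "eval"}:
            # A literal string argument is odd but static; decoded bytes or an
            # HTTP body passed straight to exec() is the loader shape.
            if not (node.args and isinstance(node.args[0], ast.Constant)):
                found.append(Finding(path, node.lineno, f"{name}() on non-literal input"))
    return found


def _scan_javascript(path: str, src: str) -> list[Finding]:
    found = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for pattern, reason in JS_PATTERNS:
            if pattern.search(line):
                found.append(Finding(path, lineno, reason))
    return found


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps repo-relative path -> source text; returns findings sorted by location."""
    findings: list[Finding] = []
    for path, src in files.items():
        if path.endswith(".py"):
            findings.extend(_scan_python(path, src))
        elif path.endswith((".js", ".mjs", ".cjs")):
            findings.extend(_scan_javascript(path, src))
    return sorted(findings, key=lambda f: (f.path, f.line))


# Constructed sample repository: two clean files and three carrying the patterns above.
SAMPLE_REPO = {
    "app/config.py": "import yaml\n\ndef load_cfg(path):\n    with open(path) as fh:\n        return yaml.load(fh.read())\n",
    "app/settings.py": "import yaml\n\ndef load_cfg(path):\n    with open(path) as fh:\n        return yaml.load(fh, Loader=yaml.SafeLoader)\n",
    "app/update.py": "import urllib.request\n\ndef check_update(url):\n    blob = urllib.request.urlopen(url).read()\n    exec(blob.decode())\n",
    "web/render.js": "const ejs = require('ejs');\nmodule.exports = (tpl, data, opts) => ejs.render(tpl, data, { escapeFunction: opts.esc });\n",
    "web/util.js": "const x = JSON.parse('{\"a\":1}');\nmodule.exports = x;\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.reason}")
```

Run against a clone, the script flags `app/config.py` (unsafe `yaml.load`), `app/update.py` (`exec` on a fetched body) and `web/render.js` (an `escapeFunction` taken from caller-controlled options), while the `SafeLoader` variant and the plain JSON helper pass. A hit is a reason to read the file, not proof of malice, and the absence of hits proves nothing against payloads that are only served to a matching IP or host, so the safer habit remains running any recruiter-supplied project in a throwaway VM with no credentials mounted.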

“Focusing on individuals contacted via LinkedIn, as opposed to broad phishing campaigns, allows the group to tightly control the later stages of the campaign and deliver payloads only to expected victims,” added security researcher Prashil Pattni.

North Korean infiltrators target IT professionals


North Korea's hacking groups have been responsible for some of the largest cyber heists in the crypto sector.

Data from Arkham Intelligence shows that a wallet linked to North Korea's Lazarus Group held more than $800 million in Bitcoin at the time of reporting.

A report from the Google Threat Intelligence Group published earlier this month noted a rise in North Korean IT workers infiltrating technology and crypto companies, particularly across Europe.

Last year, Invezz reported that two hacking groups tracked as Sapphire Sleet and Ruby Sleet were responsible for heavy losses in the crypto space.

The threat actors were found to impersonate recruiters and investors, and even employees of the targeted companies, in order to bypass basic security checks and plant malware.

Sapphire Sleet focused heavily on crypto companies and managed to funnel at least $10 million to North Korea within six months.
