Threat actors linked to North Korea have accounted for one-third of all the phishing activity targeting Brazil since 2020, as the country’s emergence as an influential power has drawn the attention of cyber espionage groups.
“North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors,” Google’s Mandiant and Threat Analysis Group (TAG) divisions said in a joint report published this week.
“Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.”
Prominent among those groups is a threat actor tracked as UNC4899 (aka Jade Sleet, PUKCHONG, and TraderTraitor), which has targeted cryptocurrency professionals with a malware-laced trojanized Python app.
The attack chains involve reaching out to potential targets via social media and sending a benign PDF document containing a job description for an alleged job opportunity at a well-known cryptocurrency firm.
Should the target express interest in the job offer, the threat actor follows it up by sending a second harmless PDF document with a skills questionnaire and instructions to complete a coding assignment by downloading a project from GitHub.
“The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met,” Mandiant and TAG researchers said.
This is not the first time UNC4899, which has been attributed to the 2023 JumpCloud hack, has leveraged this approach. In July 2023, GitHub warned of a social engineering attack that sought to trick employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies into executing code hosted in a GitHub repository using bogus npm packages.
Job-themed social engineering campaigns are a recurring theme among North Korean hacking groups, with the tech giant also spotting a campaign orchestrated by a group it tracks as PAEKTUSAN to deliver a C++ downloader malware referred to as AGAMEMNON via Microsoft Word attachments embedded in phishing emails.
“In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm,” the researchers noted, adding the campaigns are consistent with a long-running activity tracked as Operation Dream Job.
“In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major U.S. aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities.”
Google further said it blocked attempts by another North Korean group dubbed PRONTO to target diplomats with denuclearization- and news-related email decoys to trick them into visiting credential harvesting pages or providing their login information in order to view a supposed PDF document.
The development comes weeks after Microsoft shed light on a previously undocumented threat actor of North Korean origin, codenamed Moonstone Sleet, which has singled out individuals and organizations in the software and information technology, education, and defense industrial base sectors with both ransomware and espionage attacks.
Among Moonstone Sleet’s noteworthy tactics is the distribution of malware through counterfeit npm packages published on the npm registry, mirroring that of UNC4899. The said, the packages associated with the two clusters bear distinct code styles and structures.
“Jade Sleet’s packages, discovered throughout summer 2023, were designed to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality,” Checkmarx researchers Tzachi Zornstein and Yehuda Gelb said.
“In contrast, the packages published throughout late 2023 and early 2024 adopted a more streamlined single-package approach which would execute its payload immediately upon installation. In the second quarter of 2024, the packages increased in complexity, with the attackers adding obfuscation and having it target Linux systems as well.”
Regardless of the differences, the tactic abuses the trust users place in open-source repositories, allowing the threat actors to reach a broader audience and increasing the likelihood that one of their malicious packages could be inadvertently installed by unwitting developers.
The disclosure is significant, not least because it marks an expansion of Moonstone Sleet’s malware distribution mechanism, which previously relied on spreading the bogus npm packages using LinkedIn and freelancer websites.
The findings also follow the discovery of a new social engineering campaign undertaken by the North Korea-linked Kimsuky group wherein it impersonated the Reuters news agency to target North Korean human rights activists to deliver information-stealing malware under the guise of an interview request, according to Genians.