North Korean Group TA444 Shows ‘Startup’ Culture, Tries Numerous Infection Methods

October 11, 2023

A previously unknown, financially motivated North Korean state-sponsored threat actor has been observed testing several infection methods in the wild while adhering to a ‘startup’ culture mentality.

The findings come from security researchers at Proofpoint, who called the group TA444 and said it has been active in its current form of targeting cryptocurrency exchanges since at least 2017.

According to an advisory published earlier today, the group then adopted an upstart mentality at the end of 2022.

“Equally as surprising as the variance in delivery methods is the lack of a consistent payload at the end of the delivery chains,” reads the advisory from senior threat researcher Greg Lesnewich and the Proofpoint threat research team.

“When other financially-oriented threat actors test delivery methods, they tend to load their traditional payloads; this is not the case with TA444. This suggests […] an embedded, or at least a devoted, malware development element alongside TA444 operators.”

Further, Proofpoint said they noticed a complete marketing strategy designed by TA444 to increase its annual recurring revenue (ARR) potential.

“It all starts with crafting lure content that may be of interest or necessity to the target. These can include analyses of cryptocurrency blockchains, job opportunities at prestigious firms, or salary adjustments.”

In terms of tools used during the attacks, Lesnewich wrote that TA444 used “an impressive set of post-exploitation backdoors in its history.”

The list includes msoRAT, Cardinal, the Rantankba suite, Cheesetray and Dyepack, alongside passive backdoors, virtualized listeners and browser extensions to facilitate theft.

“While we may poke fun at its broad campaigns and ease of clustering, TA444 is an astute and capable adversary that is willing and able to defraud victims for hundreds of millions of dollars,” Proofpoint wrote.

“TA444 and related clusters are assessed to have stolen nearly $400m […] worth of cryptocurrency and related assets in 2021. In 2022, the group surpassed that value in a single heist worth over $500m, gathering more than $1bn during 2022.”

The Proofpoint report comes days after the US Federal Bureau of Investigation (FBI) confirmed that North Korea’s Lazarus Group was behind the $100m theft from cryptocurrency firm Harmony.
