The Democratic People’s Republic of Korea (“DPRK” aka North Korea) is conducting highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.
North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen. Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea’s determination to compromise networks connected to cryptocurrency assets. North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months.
Read more…
Source: U.S. Federal Bureau of Investigation Cyber Division
Related:
- TA505 Gang Is Back With Newly Polished FlawedGrace RAT
October 19, 2021
The TA505 cybercrime group is whirring its financial rip-off machinery back up, pelting malware at a range of industries in what was initially low-volume waves that researchers saw spiral up late last month. They do bad things, but they’re so tricky that tracking them is a ton of fun, said Sherrod DeGrippo, vice president, Threat Research ...
- REvil ransomware operators claim group is ending activity again, victim leak blog now offline
October 19, 2021
Cybercriminals claiming to be part of the REvil ransomware group have alleged that the gang is closing shop after losing control of vital infrastructure and having internal disputes. Recorded Future security expert Dmitry Smilyanets shared multiple messages on Twitter from ‘0_neday’ — a known REvil operator — discussing what happened on the cybercriminal forum XSS. He ...
- LightBasin hacking group breaches 13 global telecoms in two years
October 19, 2021
A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years. Since 2019, the group hacked into more than a dozen telecommunication companies and maintained persistence through custom malware, to steal data that would serve intelligence organizations. LightBasin is active since at least 2016 and ...
- PurpleFox Adds New Backdoor That Uses WebSockets
October 19, 2021
In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks. We also found a new backdoor written in .NET implanted during the intrusion, ...
- Trickbot module descriptions
October 19, 2021
Trickbot (aka TrickLoader or Trickster), is a successor of the Dyre banking Trojan that was active from 2014 to 2016 and performed man-in-the-browser attacks in order to steal banking credentials. Trickbot was first discovered in October 2016. Just like Dyre, its main functionality was initially the theft of online banking data. However, over time, its ...
- Joint CISA, FBI and NSA Cybersecurity Advisory – BlackMatter Ransomware
October 18, 2021
This joint Cybersecurity Advisory was developed by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations. This advisory provides information ...

