North Korean hackers target cryptocurrency with malware

SentinelLabs has identified a new cyber campaign by the North Korean state-sponsored threat actor group BlueNoroff, targeting cryptocurrency-related businesses with multi-stage malware.

The campaign, titled 'Hidden Risk', involves the use of email and PDF lures containing fake crypto news headlines to infiltrate organisations within the crypto industry. SentinelLabs attributes this activity to the same actor responsible for previous attacks such as RustDoor/ThiefBucket and RustBucket campaigns.

North Korean-affiliated threat actors have long targeted cryptocurrency businesses, aiming either to steal funds or install backdoor malware. The latest campaign was first observed in October 2024; however, evidence suggests it may have begun as early as July 2024. The malware is delivered via phishing emails disguised as links to PDFs on crypto-related topics such as "Hidden Risk Behind New Surge of Bitcoin Price" and "Altcoin Season 2.0-The Hidden Gems to Watch."

The emails impersonate genuine individuals from unrelated industries, purportedly forwarding messages from well-known crypto social media influencers. In a key instance, the threat actors replicated a legitimate research paper titled "Bitcoin ETF: Opportunities and Risks" by a University of Texas academic, hosted by the International Journal of Science and Research Archive (IJSRA).

Notably, unlike previous BlueNoroff campaigns, Hidden Risk uses unsophisticated phishing emails, devoid of personal or contextually relevant information. The observed sender domain, kalpadvisory[.]com, is linked to spam in online communities related to the Indian stock market.

SentinelLabs highlights that while North Korean cyber actors have previously engaged in extensive target grooming on social media, the Hidden Risk campaign employs a more straightforward phishing strategy. Despite its crude approach, the campaign retains hallmarks of previous DPRK-backed operations in terms of malware artefacts and network infrastructure.

Researchers speculate that increased scrutiny of earlier DPRK campaigns could have made such social media tactics less effective due to growing vigilance among the targets, particularly within DeFi, ETF, and other crypto sectors. However, the state-backed actors are likely equipped to deploy multiple strategies simultaneously.

Consistently, many campaigns demonstrate the threat actors' ability to obtain valid Apple 'identified developer' accounts, achieve malware notarisation by Apple, and circumvent macOS Gatekeeper and other security measures. Accordingly, SentinelLabs urges all macOS users, particularly those in organisations, to enhance their security defences and remain alert to potential threats.

SentinelOne is a provider of autonomous security solutions for endpoint, cloud, and identity environments. Founded in 2013 by a team of cybersecurity and defense experts, SentinelOne hone in on endpoint protection with a new, AI-powered approach. The company's platform unifies prevention, detection, response, remediation, and forensics in a single, easy-to-use solution. The endpoint security product is designed to protect an organisation's endpoints from known and unknown threats, including malware, ransomware, and APTs. It uses artificial intelligence to continuously learn and adapt to new threats, providing real-time protection and automated response capabilities.