Insights, news, education and announcements from PolySwarm

2023 Recap - Threat Actor Activity Highlights - North Korea

Written by The Hivemind | Dec 15, 2023 6:37:07 PM

Executive Summary

Several high-profile North Korea nexus threat actor groups have been active in 2023. Reported activities include but are not limited to supply chain attacks, targeting of cryptocurrency, and proliferation of MacOS malware. In this report, PolySwarm highlights cyber activity perpetrated by North Korea nexus threat actor groups in 2023.

IOCs
4f6690b82ca4b1f5735386729c4a04161e2cda9443cab700279eb583d9d21f70 PolyScore 0.97 TM

C7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe PolyScore 0.95 TM

 

Key Takeaways

  • Several high-profile North Korea nexus threat actor groups have been active in 2023.
  • Some of their reported activities include supply chain attacks, targeting of cryptocurrency, and proliferation of MacOS malware.
  • High-profile North Korean threat actors active in 2023 include Labyrinth Chollima, Stardust Chollima, Ricochet Chollima, Velvet Chollima, and Silent Chollima. 
  • Samples of a newer variant of RustBucket, which targets MacOS systems, are featured in the IOCs section.  

 

2023 Activity Highlights

Labyrinth Chollima

Labyrinth Chollima, also known as Hidden Cobra, Diamond Sleet, APT38, and Lazarus Group, is a state-sponsored threat actor group likely affiliated with Bureau 121 of North Korea’s Reconnaissance General Bureau. The group’s members are reportedly trained in Shenyang, China, in malware and espionage operations. Labyrinth Chollima is known for espionage activity, disruptive activity, and financially motivated attacks. 

Activity

  • In Junarury 2023, Labyrinth Chollima weaponized a backdoored UltraVNC client. The compromised client exfiltrated data and installed Blindincan, a RAT.  
  • In early 2023, a supply chain attack on business phone provider 3CX was attributed to Labyrinth Chollima.
  • In June, three separate attacks on cryptocurrency platforms occurred and were later attributed to Labyrinth Chollima. These attacks targeted Atomic Wallet, Alphapo, and CoinsPaid. 
  • In July, Labyrinth Chollima was observed targeting the IT management company JumpCloud and using access to target cryptocurrency companies. 
  • In September, the group reportedly attacked an aerospace company in Spain using LightlessCan backdoor.
  • The group was observed exploiting a critical vulnerability CVE-2023-42793 in JetBrains TeamCity in October. 
  • The group was observed targeting 3CX. In this supply chain attack, the threat actors targeted both Windows and MacOS versions of 3CX’s desktop application. CVE-2023-29059 was used to track this supply chain compromise. 
  • In November, the group was observed engaging in another supply chain attack. In the campaign, the threat actors used a trojanized version of the legitimate CyberLink app to target customers. The malicious file, which is a trojanized version of the legitimate CyberLink application installer, contains malicious code that downloads and loads a second-stage payload. The campaign began as early as October 2023. 
  • In November, Labyrinth Chollima was also observed using KandyKorn malware to target blockchain engineers. KandyKorn is a novel malware targeting MacOS systems. KandyKorn uses a Python application that poses as a cryptocurrency arbitrage bot. It is delivered via direct messages on a Discord server and uses a multi-stage attack. The malware is atypical in that it attempts to load binaries into memory on MacOS. Following the initial compromise, a stage one dropper is leveraged, followed by Sugarloader (stage 2) and Hloader (stage 3). KandyKorn, the stage 4 payload, is an advanced implant that allows the threat actors to monitor the system, interact with the compromised machine, and evade detection.

 

Stardust Chollima

Stardust Chollima, also known as BlueNoroff and Sapphire Sleet, is a North Korean threat actor group that is likely an offshoot of Lazarus Group. They are thought to be affiliated with Bureau 121 of the DPRK’s Reconnaissance General Bureau. The group is known for financially motivated activity, including targeting banks, casinos, cryptocurrency exchanges, ATMs, and SWIFT endpoints.

Activity

  • In May, Stardust Chollima was observed using malware to target MacOS systems. Dubbed RustBucket, the malware can be used to communicate with the C2 to download and execute additional payloads. 
  • They were observed leveraging new TTPs to bypass Windows Mark of the Web (MotW) protections. The novel infection chain leveraged .ISO and .VHD file formats. The threat actors also used a new downloader, new scripts, and living off the land techniques in the campaign. 
  • In November, industry researchers reported on Stardust Chollima’s use of ObjCShellz, which is part of the RustBucket campaign.
  • In December, industry researchers reported on a new variant of RustBucket. 

 

Ricochet Chollima

Ricochet Chollima, also known as APT37, Scarcruft, and Reaper, is a North Korean threat actor group. Reaper has been active since at least 2012. Some industry researchers assess them to be a subset of the Lazarus Group. They are potentially affiliated with North Korea’s Ministry of State Security. Ricochet Chollima typically focuses on espionage and targets entities in South Korea. Other victim locations have included Japan, Vietnam, Russia, Nepal, China, India, Romania, and Kuwait.

Activity

  • In early 2023, Ricochet Chollima was observed using a new Go-based infostealer called SidLevel.
  • In May, industry researchers reported on a campaign in which Ricochet Chollima leveraged RokRAT, a malware family used to target entities in South Korea. RokRAT, also known as DogCall, has been in the wild since at least 2017. There is also a Mac variant of RokRAT, known as CloudMensis, and an Android variant, known as RambleOn. While RokRAT has not changed much over the years, the TTPs used to deliver it have evolved. Since at least January 2022, Ricochet Chollima has been using oversized LNK files to deliver RokRAT. These LNK archives are used to initiate a multistage infection chain to bypass macro blocking. 

 

Velvet Chollima

Velvet Chollima, also known as Kimsuky, Thallium, APT43, Emerald Sleet, and Black Banshee, is yet another North Korean threat actor group thought to be an offshoot of Lazarus Group. They are potentially a part of North Korea’s 5th Bureau. The group typically conducts espionage. Targets have included government employees, think tanks, academics, and human rights organizations. They have engaged in cybercrime activity, including stealing cryptocurrency and then using the proceeds from this illicit activity to fund espionage operations. The group uses a combination of social engineering and moderately sophisticated technical capabilities in its attacks. 

Activity

  • In March 2023, industry researchers reported that Velvet Chollima was using Chrome extensions to steal Gmail emails. 
  • In early 2023, industry researchers reported Velvet Chollima was observed using cybercrime to fund espionage operations. This activity involved stealing and laundering cryptocurrency to purchase infrastructure. 
  • An industry report released in June detailed a Velvet Chollima social engineering campaign targeting experts in North Korean affairs. Part of the campaign involved credential theft. 
  • In November, the US Treasury's Office of Foreign Assets Control (OFAC), in conjunction with counterparts in Australia, Japan, and the Republic of Korea, announced sanctions on eight foreign-based North Korean agents and the Velvet Chollima cyber espionage group. 

 

Silent Chollima

Silent Chollima, also known as Stonefly, Andariel, Onyx Sleet, and DarkSeoul, is a North Korean threat actor group that is reportedly an offshoot of Lazarus Group. 

Activity

  • The group was observed exploiting a critical vulnerability CVE-2023-42793 in JetBrains TeamCity in October. 

Other Activity

  • In February, a joint cyber security advisory warned of the potential for ransomware attacks on critical infrastructure, including healthcare, to be used to fund North Korea’s malicious cyber activities. 

  • Unnamed North Korean threat actors were reportedly observed targeting the Russian government and defense entities. 

RustBucket IOCs

RustBucket is one of the most recently reported malware families used by a high-profile North Korean nexus threat actor group, with a new variant being recently observed. As such, we have chosen to feature Rust Bucket samples in this report.

 

PolySwarm has multiple samples of RustBucket.

 

C9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8

C7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe

4f6690b82ca4b1f5735386729c4a04161e2cda9443cab700279eb583d9d21f70 (associated benign PDF)

 

You can use the following CLI command to search for all RustBucket samples in our portal:

$ polyswarm link list -f RustBucket

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at
 hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.