Executive Summary
This Threat Bulletin is part of PolySwarm’s 2022 Recap series. This report highlights the activity perpetrated by North Korea-based threat actors in 2022.
Key Takeaways
- This report provides highlights of activity perpetrated by North Korea-based threat actors in 2022.
- Threat actors featured in this report include Lazarus Group, BlueNoroff, Reaper, Andariel, Kimsuky, Gwisin, and H0ly Gh0st.
- PolySwarm tracked malware associated with multiple North Korea nexus threat actors in 2022.
2022 North Korea Nexus Threat Actor Activity
Lazarus Group
Lazarus Group, also known as Hidden Cobra and Labyrinth Chollima, is a state-sponsored threat actor group likely affiliated with North Korea’s Reconnaissance General Bureau. The group’s members are reportedly trained in Shenyang, China, in malware and espionage operations. Lazarus is known for espionage activity, disruptive activity, and financially motivated attacks. Lazarus Group was extremely active in 2022.
Activity
- In early 2022, a Lazarus Group campaign targeting cryptocurrency was brought to light. TTPs used in the campaign included spearphishing, social engineering the victims, and coaxing them to download trojanized cryptocurrency applications belonging to the TraderTraitor family of malware.
- In January 2022, Lazarus Group targeted the chemical and IT sectors with a campaign using fake job offers to lure victims into clicking malicious links or opening malicious attachments.
- In January, Lazarus Group stole $120 million USD in crypto tokens from the BadgerDAO DeFi platform.
- In early 2022, Lazarus Group was implicated in the theft of $540 million USD from Axie Infinity’s Ronin Network.
- Between February and July 2022, Lazarus Group engaged in a campaign targeting energy sector entities in the US using the Log4Shell vulnerability. They reportedly used MagicRAT, VSingle, and YamaBot in the attacks.
- In mid-2022, Lazarus Group was observed using multiple legitimate, open-source tools to live off the land. In the campaign, Lazarus Group used their ZetaNile and EventHorizon malware to target multiple verticals, including media, defense, IT services, and aerospace. Weaponized but legitimate tools used in the campaign include SSH clients PuTTY and KiTTY, as well as TightVNC Viewer, Sumatra PDF reader, and muPDF/Subliminal Recording installer.
- In November 2022, industry researchers reported on Lazarus Group’s continued use of DTrack backdoor. Lazarus Group has used DTrack since at least 2019. They have recently used DTrack to target education, chemical manufacturing, government, IT, utility, and telecommunications entities in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the US.
- In November, the US Treasury Department stated Lazarus Group uses Tornado Cash to launder money to support North Korea's nuclear weapons program.
- In late 2022, Lazarus Group was observed using signed MacOS malware to target individuals searching for jobs in the IT industry. The malware used in the campaign targets both Intel and Apple silicon. The malware masquerades as a PDF with information on Coinbase jobs.
- The group was also observed using fake cryptocurrency apps to deliver a fresh variant of AppleJeus malware. The campaign targets cryptocurrency users and organizations.
BlueNoroff
BlueNoroff, also known as Stardust Chollima, is a North Korean threat actor group that is likely an offshoot of Lazarus Group. BlueNoroff is known for financially motivated activity, targeting banks, casinos, cryptocurrency exchanges, ATMs, and SWIFT endpoints.
Activity
- In early 2022, industry researchers reported on a financially motivated BlueNoroff campaign targeting small and medium size companies associated with cryptocurrency, DeFi, and the blockchain.
Reaper
Reaper, also known as APT37, Scarcruft, and Ricochet Chollima, is a North Korean threat actor group. Reaper has been active since at least 2012. Some industry researchers assess Reaper to be a subset of Lazarus Group. Reaper typically focuses on espionage and targets entities in South Korea. Other victim locations have included Japan, Vietnam, Russia, Nepal, China, India, Romania, and Kuwait.
Activity
- In early 2022, Reaper was observed operating a spearphishing campaign targeting journalists. The threat actors used GOLDBACKDOOR to infect Windows systems in this campaign.
- In mid-2022, Reaper was observed targeting high-value organizations in the Czech Republic, Poland, and other European countries using Konni. Konni is a RAT used to establish persistence on a victim device and perform privilege escalation.
- In late 2022, Reaper was observed using Dolphin, a backdoor malware, to target mobile devices. The threat actors used Dolphin alongside Bluelight, a basic reconnaissance tool. Dolphin is written in C++ and uses Google Drive for C2. While Dolphin infects Windows devices, it goes a step further, searching for connected phones using the Windows Portable Device API.
- A campaign using lures exploiting the Seoul Yongsan Itaewon incident was also attributed to Reaper. The campaign leveraged a zero-day vulnerability in the Jscript engine.
Andariel
Andariel, also known as Stonefly, Silent Chollima, and DarkSeoul, is a North Korean threat actor group that is reportedly an offshoot of Lazarus Group.
Activity
- In mid-2022, the FBI, CISA, and the Department of the Treasury released an advisory on North Korean state-sponsored threat actor activity targeting the healthcare and public health (HPH) sector. The advisory stated the FBI had been monitoring multiple Maui ransomware incidents targeting healthcare services. The activity was attributed to Andariel.
- Another campaign in 2022 attributed to Adariel targeted an engineering organization associated with the energy and military sectors. This campaign leveraged the Log4j2 exploit and Adariel’s own Preft backdoor.
Kimsuky
Kimsuky, also known as Thallium, Velvet Chollima, and Black Banshee, is yet another North Korean threat actor group thought to be an offshoot of Lazarus Group. The group has been very active in 2022. Kimsuky typically conducts espionage. Targets have included government employees, think tanks, academics, and human rights organizations.
Activity
- In early 2022, Kimsuky was observed targeting journalists and diplomatic and academic entities in South Korea using the GoldDragon cluster.
- Also, in early 2022, Kimsuky was observed using BabyShark, a VisualBasic script-based malware family.
- In October, Kimsuky was observed using three Android malware strains to target individuals in South Korea. The malware families were dubbed FastFire, FastViewer, and FastSpy.
- In late 2022, Kimsuky’s AppleSeed backdoor targeted nuclear power plant-related entities.
- In late 2022, Kimsuky was also observed engaging in a unique campaign targeting foreign experts to trick them into writing research. Kimsuky pretended to be affiliated with the legitimate 38 North think tank.
Gwisin
A threat actor known as Gwisin is associated with GwisinLocker ransomware. The group has been active since at least 2021. Gwisin means “ghost” or “spirit” in Korean. The group uses double extortion tactics. While the threat actor group’s location is unknown, industry researchers speculate the group may be of North Korean nexus.
Activity
- In mid-2022, Gwisin was observed using GwisinLocker to target multiple verticals in South Korea, compromising both Windows and Linux devices.
H0ly Gh0st
H0ly Gh0st, also known as DEV-0530, has been a financially motivated threat actor active since at least 2021. The group has targeted education, manufacturing, financial, and event management entities with H0ly Gh0st ransomware.
Activity
- New variants of H0ly Gh0st were observed as recently as May 2022.
Tracking North Korea Nexus Threat Actor Activity With PolySwarm
PolySwarm tracked malware associated with the following North Korea nexus threat actors in 2022:
- Lazarus Group
- Kimsuky
- Reaper
- Andariel
- Gwisin
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io for more information and IOCs of related samples in our data set.| Check out our blog | Subscribe to our reports