Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations


This blog entry reveals North Korea’s prominent role in cybercrime, specifically highlighting how the Void Dokkaebi actor employs Russian IP addresses and anonymization networks to facilitate its malicious activities. Trend Research points to several Russian IP ranges used for these cybercrime campaigns, which include social engineering aimed at IT professionals to steal cryptocurrency. The analysis concludes with the need for security measures to counteract these threats. Affected: North Korea, IT professionals, cryptocurrency services, software development sector.

Key points:

  • North Korea’s cybercrime operations are increasingly facilitated by Russian IP address ranges.
  • Void Dokkaebi, also known as Famous Chollima, orchestrates campaigns to steal cryptocurrency.
  • IT professionals in various countries, including Ukraine, the US, and Germany, are targeted through social engineering tactics.
  • Common tactics used include fake job postings that lure victims into malicious tasks.
  • Anonymization networks, including VPNs and RDP, are exploited to obscure the origin of attacks.
  • Recent operations tied to North Korean actors have been traced back to specific Russian towns such as Khasan and Khabarovsk.
  • Instructional videos that were found suggest collaboration with other conspirators outside North Korea.
  • Beavertail malware is linked to various campaigns that attempt to exploit cryptocurrency assets.

MITRE Techniques:

  • TA0001: Initial Access – North Korean actors use social engineering through fictitious job applications to lure victims into executing malicious tasks.
  • TA0002: Execution – Malicious code is executed when victims download and run scripts under the guise of job tasks.
  • TA0007: Discovery – Threat actors gain information on the victim’s systems and sensitive data potentially linked to cryptocurrency wallets.
  • TA0008: Lateral Movement – Use of RDP services allows movement across multiple VPS servers to evade detection.
  • TA0009: Collection – Theft of sensitive financial data, including cryptocurrency wallet information.
  • TA0057: Fallback Channels – Use of anonymization services like Astrill VPN to obscure attack origins.

Indicators of Compromise:

  • IP Address: 80.237.84.0/24 (Khasan, Russia)
  • IP Address: 80.237.87.0/24 (Khasan, Russia)
  • IP Address: 188.43.136.0/24 (Khabarovsk, Russia)
  • IP Address: 188.43.33.249 (suspected North Korean activity)
  • Domain: BlockNovas[.]com (fictitious company used in schemes)

Full Story: https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html