TA444: APT Startup Aimed at Acquisition (of Your Funds) | Proofpoint US

TA444 is a North Korea–sponsored threat actor that has tested a wide range of infection methods in 2022 and remains financially motivated, with a strong shift toward cryptocurrency-related theft. The group blends traditional APT techniques with a startup-like approach to tool and infrastructure development, using diversified delivery methods, social engineering, and opportunistic laundering to profit. #TA444 #APT38 #CabbageRAT #Cardinal #DYEPACK #BangladeshBank

Keypoints

  • TA444 is a North Korea–sponsored actor, overlapping with groups such as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and COPERNICIUM, primarily tasked with revenue generation.
  • The group has operated with a financial motive since at least 2017 and, in late 2022, adopted a more aggressive, startup-like posture.
  • In 2022, TA444 tried multiple infection methods, including varied file types, with no single payload consistently dominating deliveries.
  • Initial access has included an LNK-based delivery chain and a chain beginning with documents using remote templates, with experimentation across additional file types.
  • TA444 uses a marketing-style approach to lure victims (cryptocurrency analyses, job opportunities, salary changes) and relies on email tools (SendInBlue/SendGrid) and social channels (LinkedIn) for outreach.
  • A notable December 2022 deviation involved credential harvesting via a TA444 C2 domain and OneDrive phishing, including a domain (superiorexhbits[.]com) and phishing redirects, suggesting possible objective shifts or moonlighting activity.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Lure emails carried a SendGrid-hosted URL that redirected to a credential harvesting page rather than to malware. “The lure emails enticed users to click a SendGrid URL which redirected to a credential harvesting page.”
  • [T1566.003] Spearphishing via Service – TA444 has used LinkedIn to engage with victims prior to delivering links to malware. “the threat actor has continued to use LinkedIn to engage with victims prior to delivering links to malware.”
  • [T1204.002] User Execution: Malicious File – One initial-access path delivers an LNK shortcut that the victim has to open (T1023, Shortcut Modification, is a persistence technique and does not describe this step). “two main avenues of initial access: an LNK-oriented delivery chain and a chain beginning with documents using remote templates.”
  • [T1221] Template Injection – Documents that fetch a remote template on open are the second initial-access path (T1220 is XSL Script Processing, not template injection). “a chain beginning with documents using remote templates.”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The first-stage remote template downloads a second-stage VBA macro that carries the rest of the payload chain. “the first stage remote template files have adapted to not only download the second-stage macro (tracked as Astraeus by Proofpoint)…”
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of data and ongoing readiness to launch further tooling from the C2. “exfiltrating running processes and host information while setting up the potential to launch subsequent tooling loaded from the command-and-control server.”
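The remote-template chain described above leaves a checkable artifact inside the document itself: Word fetches the template through an attachedTemplate relationship in word/_rels/settings.xml.rels whose TargetMode is External. The following added example, written for this summary and not Proofpoint's code, builds a minimal .docx in memory with a placeholder template URL (http://example.invalid/template.dotm, an assumption) and flags that relationship; it also lists every external relationship in the package so the same routine can be pointed at other OOXML parts.

```python
"""Detect remote-template injection (T1221) in a .docx by inspecting its OOXML
relationship parts. Added example for this summary, not Proofpoint code. The
sample document and the template URL (example.invalid) are constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, relationship kind, target) for every relationship
    marked TargetMode="External" anywhere in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, kind, rel.get("Target", "")))
    return found


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """URLs the document will fetch as its attached template on open. Word
    resolves attachedTemplate from settings.xml.rels, which is where an
    injected template lives; a clean document returns an empty list."""
    return [target for part, kind, target in external_relationships(docx_bytes)
            if part == SETTINGS_RELS and kind == "attachedTemplate"]


def build_docx(template_url: Optional[str] = None) -> bytes:
    """Construct a minimal .docx (not a real lure); with template_url set it
    carries an external attachedTemplate relationship the way an injected
    document does."""
    rels = ['<Relationships xmlns="%s">' % PKG_NS.strip("{}")]
    if template_url:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_url))
    rels.append("</Relationships>")
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % w_ns)
        zf.writestr("word/settings.xml",
                    '<w:settings xmlns:w="%s" xmlns:r="%s">' % (w_ns, r_ns)
                    + ('<w:attachedTemplate r:id="rId1"/>' if template_url else "")
                    + "</w:settings>")
        zf.writestr(SETTINGS_RELS, "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_docx("http://example.invalid/template.dotm")  # placeholder URL
    print("injected document:", remote_template_targets(lure))
    print("clean document:", remote_template_targets(build_docx()))
    print("all external rels:", external_relationships(lure))
```

In triage, treat any external attachedTemplate as hostile until the target is explained; a legitimate corporate template is almost always a local or UNC path, not an HTTP URL on a freshly registered domain. The broader external_relationships listing also surfaces oleObject and other external targets that a stricter mail gateway rule would want to see.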

Indicators of Compromise

  • [Domain] superiorexhbits[.]com – credential-harvesting redirect domain used in a December 2022 campaign
  • [Domain] updatezone[.]org – domain flagged by an ET MALWARE TA444 DNS-lookup signature
  • [Email] admin[@]sharedrive[.]ink – envelope-from used in phishing campaigns
  • [File] Password.txt.lnk – lure LNK file name used to initiate execution
  • [File] VHD containing Cur1Agent – first-stage payload artifact observed in TA444 campaigns
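To make the indicators above actionable, the following added example (written for this summary, not Proofpoint tooling) refangs them and runs them over a handful of constructed DNS, MTA, proxy and EDR log lines. It also generalizes the Password.txt.lnk pattern to any document-looking file name that ends in .lnk, since the exact name will not survive a re-brand of the lure. The log line format, the host names and the second LNK name (Invoice.pdf.lnk) are assumptions.

```python
"""Match the TA444 indicators from this summary against sample log lines.
Added example, not Proofpoint tooling. The log lines are constructed and the
log format is an assumption; defanged indicators are refanged before use."""
import re
from typing import List, Tuple

DEFANGED_IOCS = {
    "domain": ["superiorexhbits[.]com", "updatezone[.]org"],
    "email": ["admin[@]sharedrive[.]ink"],
    "filename": ["Password.txt.lnk"],
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


IOCS = {kind: [refang(v).lower() for v in values] for kind, values in DEFANGED_IOCS.items()}

# Constructed sample lines: resolver, MTA, proxy and endpoint file-create events.
SAMPLE_LOGS = [
    "2022-12-06T09:14:02Z dns client=10.0.4.17 query=updatezone.org type=A",
    "2022-12-06T09:15:40Z mta from=<admin@sharedrive.ink> to=<cfo@corp.example> subject=Salary adjustment",
    "2022-12-06T09:16:11Z dns client=10.0.4.17 query=login.microsoftonline.com type=A",
    "2022-12-06T09:18:57Z edr host=WS-221 event=file_create path=C:\\Users\\jdoe\\Downloads\\Password.txt.lnk",
    "2022-12-06T09:20:03Z edr host=WS-221 event=file_create path=C:\\Users\\jdoe\\Downloads\\Q4_report.docx",
    "2022-12-06T09:20:45Z edr host=WS-221 event=file_create path=C:\\Users\\jdoe\\Downloads\\Invoice.pdf.lnk",
    "2022-12-06T09:21:30Z proxy client=10.0.4.17 url=https://superiorexhbits.com/onedrive/login",
]

DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
PATH_RE = re.compile(r"path=(\S+)", re.I)
# A document-looking name with a trailing .lnk, the shape of Password.txt.lnk.
DOUBLE_EXT_LNK = re.compile(r"\.(txt|pdf|docx?|xlsx?)\.lnk$", re.I)


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator kind, matched value) pairs for one log line."""
    hits = []
    for email in EMAIL_RE.findall(line):
        if email.lower() in IOCS["email"]:
            hits.append(("email", email))
    for dom in DOMAIN_RE.findall(line):
        d = dom.lower()
        # Exact match or a subdomain of a listed C2/phishing domain.
        if d in IOCS["domain"] or any(d.endswith("." + i) for i in IOCS["domain"]):
            hits.append(("domain", d))
    m = PATH_RE.search(line)
    if m:
        name = m.group(1).replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in IOCS["filename"]:
            hits.append(("filename", name))
        elif DOUBLE_EXT_LNK.search(name):
            hits.append(("suspicious_lnk", name))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, Tuple[str, str]]]:
    """Scan every line, returning (line index, hit) for each indicator match."""
    return [(i, hit) for i, line in enumerate(lines) for hit in scan_line(line)]


if __name__ == "__main__":
    for idx, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hit[0]} -> {hit[1]}")
```

The domain check matches subdomains of a listed domain as well as the apex, which is what you want for a redirect host; the suspicious_lnk rule is a hunting signal rather than a confirmed-bad indicator and should be reviewed alongside the download source before anyone acts on it.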

Read more: https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds