North Korean hackers turn to AI-powered cyber espionage


April 22, 2024 | Newsroom | Cryptocurrency / Artificial Intelligence

State-sponsored cyber actors linked to North Korea have begun using artificial intelligence (AI) to make their operations more efficient and effective, Microsoft has revealed.

“They are learning to use tools powered by AI large language models (LLMs) to make their operations more efficient and effective,” the tech giant said in its latest report on hacking groups in East Asia.

The company specifically singled out a group called Emerald Sleet (aka Kimsuky or TA427), which has been seen using LLMs to bolster spear-phishing efforts aimed at Korean Peninsula specialists.

The adversary is also said to have relied on the latest advances in AI to research vulnerabilities and conduct reconnaissance on North Korea-focused organizations and experts, joining hacking crews from China, which have also turned to AI-generated content for influence operations.

The group further employed LLMs to troubleshoot technical issues, do basic scripting work, and draft content for spear-phishing messages, Redmond said, adding that it worked with OpenAI to disable accounts and assets associated with the threat actor.

According to a report published last week by enterprise security firm Proofpoint, the group is engaged in campaigns “initiating soft conversations to establish contact with targets for long-term exchange of information on topics of strategic importance to the North Korean government.”

Kimsuky’s methods include leveraging personas associated with think tanks and non-governmental organizations to legitimize its emails and increase the likelihood of an attack’s success.

However, in recent months, the nation-state actor has begun abusing weak Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to spoof various identities, and has added web beacons (i.e., tracking pixels) for target profiling, which Proofpoint describes as “agility in adjusting its tactics.”
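The DMARC weakness mentioned above is something a defender can check for directly. The following is an added example, not code from the article or from Proofpoint: it parses a domain's DMARC TXT record and reports the settings (p=none, a weaker subdomain policy, partial pct, no reporting address) that leave spoofed mail deliverable. The sample records and the example.com addresses are constructed.

```python
from typing import Optional

# Added example, not from the article: classify a DMARC TXT record as
# enforcing or weak. With p=none, mail that fails SPF/DKIM alignment is
# still delivered, so a spoofed sender domain is not blocked.

_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> list:
    """Return findings that make the policy weak; an empty list means enforcing."""
    if not record:
        return ["no DMARC record: spoofed mail is neither quarantined nor rejected"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["malformed record: missing v=DMARC1 tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in _STRENGTH:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    sub = tags.get("sp", "").lower()
    if sub in _STRENGTH and policy in _STRENGTH and _STRENGTH[sub] < _STRENGTH[policy]:
        findings.append(f"sp={sub}: subdomains are enforced more weakly than the main domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only a fraction of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so spoofing goes unnoticed")
    return findings

# Constructed sample records (example.com is a reserved documentation domain).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, assess_dmarc(rec) or ["enforcing"])
```

In practice the record is fetched as the TXT entry at `_dmarc.<domain>`; this block deliberately takes the string as input so it runs offline.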

“Web beacons are intended to potentially verify that targeted emails are active and to obtain basic information about the recipient’s network environment, including externally visible IP addresses, the host’s user agent, and the time the user opens the email,” Proofpoint said.

The development comes as North Korean hacking groups continue to engage in cryptocurrency theft and supply chain attacks, with one threat actor known as Jade Sleet linked to the theft of at least $35 million from an Estonian crypto firm in June 2023 and more than $125 million from a Singapore-based cryptocurrency platform a month later.

Jade Sleet, which overlaps with clusters tracked as TraderTraitor and UNC4899, has also been seen attacking online cryptocurrency casinos in August 2023, not to mention leveraging fake GitHub repos and weaponized npm packages to target employees of cryptocurrency and technology organizations.

In another example, a German-based IT company was compromised in August 2023 by Diamond Sleet (aka Lazarus Group), which then weaponized an application from a Taiwanese IT firm to launch a supply chain attack in November 2023.

“This is likely to generate revenue, primarily for its weapons program, in addition to collecting intelligence on the United States, South Korea, and Japan,” said Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC).

The Lazarus Group is also notable for using sophisticated methods such as Windows Phantom DLL hijacking and Transparency, Consent, and Control (TCC) database manipulation, on Windows and macOS respectively, to undermine security protections and deploy malware, which contributes to its sophistication and elusive nature, according to Interpres Security.

The findings come against the backdrop of a new campaign orchestrated by the Konni (aka Vedalia) group that uses Windows shortcut (LNK) files to deliver malicious payloads.

“The threat actor used a double extension to disguise the original .lnk extension, with the LNK files observed containing excessive whitespace to obscure the malicious command lines,” Symantec said. “As part of the attack vector, the command-line script searched for PowerShell to bypass detection and locate the embedded files and malicious payload.”
