The North Korean state-sponsored threat group APT38 has spoofed several financial institutions and venture capital firms in multiple countries, including Japan, Vietnam, and the United States.
According to the reports, the cluster of activity, observed from September 2022 to March this year, comprised 74 domains resolving to five IP addresses, along with six malicious files.
The spoofing of financial firms is carried out by an activity cluster that overlaps with APT38.
An investigation found that this APT38 operation overlaps with a threat group tracked as TAG-71. The overlap is visible in the group's registration of domains impersonating financial institutions in the countries listed above. During the same operation, the group also impersonated well-known cloud services rather than attacking them directly.
The investigation also noted that North Korea-based hacking groups have a long history of financially motivated intrusions and data theft campaigns against commercial banks, e-commerce systems, and cryptocurrency exchanges.
These operations are widely assessed to be part of the North Korean government's effort to raise funds for the regime, which is under sanctions imposed by other countries.
North Korean advanced persistent threat groups continue to run campaigns in support of the state. The most notable in recent months is an operation that spoofs venture capital firms.
APT38 also has a history of large-scale financial theft, including the abuse of the SWIFT interbank messaging network at targeted banks and the compromise of cryptocurrency exchanges. The researchers assess that both campaigns described here are aimed at stealing funds, with the spoofed venture capital firms serving as lures for victims and as cover against scrutiny by security researchers.
Late last year, researchers reported detecting about 18 malicious servers used by North Korean threat actors to deliver malware and to impersonate popular cloud services. The spoofing extended to private investment companies and cryptocurrency exchanges, with the goal of tricking potential victims into opening malicious content or entering their login credentials.
For targeted banks, and for their customers and partners, the main risk from these North Korean operations is the exposure of sensitive and confidential data. Such exposure could result in legal or regulatory action, jeopardise business transactions and agreements, or damage a company's credibility. Some of these campaigns have also involved extortion.