Microsoft has revealed that state-sponsored cyber attackers linked to North Korea are beginning to use artificial intelligence (AI) to make their operations more effective and efficient.
“They are learning how to use tools powered by AI large language models (LLMs) to make their work more efficient and effective,” the tech giant said in its latest report on East Asian hacking groups.
The company specifically highlighted a group named Emerald Sleet (also known as Kimsuky or TA427) that has been observed using LLMs to enhance spear-phishing operations targeting professionals on the Korean Peninsula.
The adversary is also leveraging the latest advances in AI to probe for vulnerabilities, spy on North Korea-focused organizations and experts, join hacking teams from China, and deploy AI-generated content, which the report says is used to exert influence.
Redmond added that the group employed LLMs to troubleshoot technical issues, perform basic scripting tasks, and draft content for spear-phishing messages, and that it worked with OpenAI to identify and deactivate accounts and assets associated with the threat actor.
A report released last week by enterprise security firm Proofpoint said the group is “engaged in a campaign of innocuous conversations to establish contact with subjects and create opportunities for long-term information exchange on subjects of strategic importance to the North Korean regime.”
Kimsuky's tactics include impersonating people associated with think tanks and non-governmental organizations to lend legitimacy to the emails and increase the chances of a successful attack.
In recent months, however, the nation-state actor has also begun to exploit lax Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to spoof various personas, and to add web beacons (i.e., tracking pixels) to its emails for target profiling, demonstrating what Proofpoint calls “agility to adjust tactics.”
“Web beacons verify that a targeted email is active and provide basic information about the recipient's network environment, such as the externally visible IP address, the host's user agent, and the time the user opened the email, which can serve initial reconnaissance purposes,” Proofpoint said.
The disclosure comes as North Korean hacking groups continue their cryptocurrency heists and supply chain attacks. A threat actor known as Jade Sleet stole at least $35 million from an Estonian cryptocurrency company in June 2023 and is believed to have been involved in the theft of more than $125 million from a Singapore-based cryptocurrency platform one month later.
Jade Sleet, which overlaps with clusters tracked as TraderTraitor and UNC4899, was also observed attacking online crypto casinos in August 2023, not to mention using fake GitHub repositories and weaponized npm packages to target employees of cryptocurrency and technology organizations.
In another example, Diamond Sleet (also known as Lazarus Group) compromised a Germany-based IT company in August 2023 and weaponized applications from a Taiwan-based IT company to carry out a supply chain attack in November 2023.
Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC), said: “This is likely to generate revenue primarily for weapons development programs, in addition to intelligence gathering on the United States, South Korea, and Japan.”
The Lazarus Group is known for its sophistication and elusiveness, employing complex techniques such as phantom DLL hijacking on Windows and Transparency, Consent, and Control (TCC) database manipulation on macOS to weaken security protections and deploy malware, according to Interpres Security.
This discovery comes against the backdrop of a new campaign orchestrated by the Konni (also known as Vedalia) group, which uses Windows Shortcut (LNK) files to deliver malicious payloads.
“We observed that attackers utilize double extensions to hide the original .lnk extension, and that the LNK files contain excessive whitespace to hide the malicious command lines,” Symantec said. “As part of the attack vector, the command line script searched for PowerShell to evade detection and identify embedded files and malicious payloads.”
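Both tricks Symantec describes live in the Shell Link file itself: the document-looking name sits in front of the real `.lnk` extension, and the padding is inside the COMMAND_LINE_ARGUMENTS string of the StringData section, where Explorer's properties dialog shows only the first few hundred characters. The script below is an added example and is not code from the article, Symantec or the Konni group: it walks the MS-SHLLINK header, skips the optional IDList and LinkInfo structures, decodes the StringData fields, and flags a double extension, a command line with excessive leading whitespace, and a PowerShell invocation. The sample shortcut is constructed in code (a harmless `Write-Output` behind 900 spaces), and the 64-character padding threshold and the document-extension list are choices made for this example.

```python
"""Added example, not code from the article, Symantec or the Konni group: parse the
StringData section of a Windows Shell Link (.lnk) per the MS-SHLLINK layout and
flag the two tricks described above, a document extension placed before the hidden
.lnk extension and a command line padded with whitespace so the PowerShell
invocation is scrolled out of view. The sample .lnk bytes are constructed here."""
import struct

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "hwp", "jpg", "png"}


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk, skipping IDList and LinkInfo."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, key in STRING_FIELDS:               # fixed order per the spec
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[key] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return out


def lnk_red_flags(filename: str, data: bytes) -> list:
    """Heuristics for the masquerading and whitespace-padding tricks (thresholds are ours)."""
    flags = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].rsplit(".", 1)[-1] in DOC_EXTS:
        flags.append("double extension: looks like ." + lower[:-4].rsplit(".", 1)[-1])
    args = parse_lnk_strings(data).get("arguments", "")
    pad = len(args) - len(args.lstrip())
    if pad > 64:
        flags.append(f"{pad} leading whitespace characters push the command out of view")
    if "powershell" in args.lower():
        flags.append("command line invokes PowerShell")
    return flags


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed sample: minimal Unicode .lnk with StringData only (no IDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LINK_CLSID, flags, 0x80)  # 0x80 = FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24                                           # creation/access/write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)           # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved
    def sd(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + sd(icon_location)


# Constructed sample shortcut: cmd.exe with 900 spaces before a PowerShell command,
# the kind of padding the Symantec write-up describes; the command itself is benign.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    " " * 900 + '/c powershell -WindowStyle Hidden -Command "Write-Output demo"',
    r"%SystemRoot%\System32\SHELL32.dll",
)

if __name__ == "__main__":
    print(lnk_red_flags("2024_Policy_Brief.pdf.lnk", SAMPLE_LNK))
```

The parser deliberately stops after StringData; a real LNK may also carry ExtraData blocks (environment variables, tracker data) that are useful for attribution but not needed to recover the padded command line.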