Financially Motivated North Korea State-Sponsored Threat Actor TA444
A threat actor newly tracked by security researchers at Proofpoint under the name TA444 has been identified as a North Korea state-sponsored group. It has been actively targeting cryptocurrency exchanges since 2017, but has recently shifted toward what Proofpoint describes as a startup culture mentality.
According to Proofpoint's advisory, TA444 has been testing various infection methods in the wild, with no consistent payload at the end of its delivery chains. This points to a dedicated malware development element within the group, which continuously evolves its tactics to evade detection.
Marketing Strategy and Tools
Proofpoint researchers have observed TA444 implementing a complete marketing strategy to increase its annual recurring revenue potential. The group crafts lure content tailored to the interests of its targets, such as blockchain analyses, job opportunities, or salary adjustments. These targeted lures have proven effective in enabling the group's intrusions.
TA444 utilizes an impressive set of post-exploitation backdoors, including msoRAT, Cardinal, the Rantankba suite, Cheesetray, and Dyepack. These tools, along with passive backdoors, virtualized listeners, and browser extensions, enable the group to carry out theft operations efficiently.
Financial Impact
Although its campaigns are broad and its activity is easy to cluster, TA444 is a formidable adversary capable of defrauding victims of hundreds of millions of dollars. In 2021, the group reportedly stole nearly $400 million worth of cryptocurrency and related assets. This figure skyrocketed in 2022, with a single heist exceeding $500 million and total earnings surpassing $1 billion.
Recently, the US Federal Bureau of Investigation confirmed that North Korea's Lazarus Group was responsible for a $100 million theft from the cryptocurrency firm Harmony. This further highlights the growing threat posed by state-sponsored actors in the cyber realm.
As TA444 continues to evolve and adapt its tactics, organizations must remain vigilant and implement robust cybersecurity measures to protect against such sophisticated threats.