North Korean Attackers TA444 Shift Tactics


A North Korean threat group whose activity overlaps with the prolific Lazarus Group has changed up its tactics recent weeks, moving to new file types in phishing emails, and trying out new payloads in what could be an effort to lure potential victims who have become wary of the more common tactics and techniques used by the group and similar adversaries.

Designated as TA444 by researchers at Proofpoint, the group is also known as BlueNoroff and has ties to the Lazarus Group, perhaps the most notorious and successful financially motivated state-aligned threat group. TA444 is known to use phishing emails as its primary method of initial access and, like other North Korean threat groups, often targets blockchain and cryptocurrency entities. In the past, the group has used malicious documents in its emails that contain either LNK files or use remote templates. But TA444 modified its tactics late last year, turning to links to OneDrive as a primary lure.

“In early December 2022, Proofpoint researchers observed a significant deviation from normal TA444 operations via a relatively basic credential harvesting campaign. A TA444 C2 domain sent OneDrive phishing emails rife with typos to a wide variety of targets in the United States and Canada, spanning several verticals including education, government, and healthcare, in addition to financial verticals,” Proofpoint researchers said in a new report on the group’s recent tactics.

“Equally as surprising as the variance in delivery methods is the lack of a consistent payload at the end of the delivery chains. When other financially-oriented threat actors test delivery methods, they tend to load their traditional payloads; this is not the case with TA444. This suggests that there is an embedded, or at least a devoted, malware development element alongside TA444 operators.”

In the new campaigns, TA444 has abused SendGrid, a popular email marketing platform, to send its phishing emails, which includes a SendGrid URL that redirects the victim to an attacker-controlled page designed to harvest credentials.

“The SendGrid URLs are used to redirect targets to the domain superiorexhbits[.]com which uses common phishing tactics such as loading the victim's iconography via the logo-rendering service ClearBit. This sprawling credential harvesting activity is a deviation from normal TA444 campaigns, which typically involve the direct deployment of malware,” the Proofpoint research says.

The shift in tactics by TA444 comes at a time when there is an intense focus on the activities of North Korean threat actors, both by researchers and law enforcement agencies. Yesterday, the FBI attributed the June theft of $100 million in Ethereum from the Harmony Horizon bridge to the Lazarus Group, which has been tied to some of the larger cryptocurrency and online bank heists in recent history.

“While we may poke fun at its broad campaigns and ease of clustering, TA444 is an astute and capable adversary that is willing and able to defraud victims for hundreds of millions of dollars. TA444 and related clusters are assessed to have stolen nearly $400 million dollars’ worth of cryptocurrency and related assets in 2021. In 2022, the group surpassed that value in a single heist worth over $500 million, gathering more than $1 billion during 2022. North Korea, like other cryptocurrency enthusiasts, has weathered the declining value of cryptocurrencies, but remains engaged in its efforts to use cryptocurrency as a vehicle to provide usable funds to the regime,” Proofpoint said.