November 15, 2023
Severity
High
Analysis Summary
Sapphire Sleet, also known as APT38 and BlueNoroff, is a North Korea-associated threat actor regarded as a subgroup of the well-known Lazarus APT group. Banks, venture capital firms, and cryptocurrency exchanges are the main targets of the group's attacks.
Microsoft researchers have warned IT job seekers about a new social engineering campaign that leverages a new set of fraudulent skills assessment websites.
Microsoft alerts users through a series of posts on X that, “The threat actor that Microsoft tracks as Sapphire Sleet, known for cryptocurrency theft via social engineering, has in the past few weeks created new websites masquerading as skills assessment portals, marking a shift in the persistent actor’s tactics.”
Sapphire Sleet has previously been observed using platforms such as LinkedIn and lures tied to skills assessments. Once contact with a victim is established, the threat actors move the conversation to other channels, such as email or instant messaging applications.
Sapphire Sleet either emailed URLs to pages hosted on legitimate services such as GitHub or sent malicious attachments directly. Microsoft's analysts assess that the group moved to building its own websites after those earlier tactics were discovered.
Separately, researchers recently identified a new strain of macOS malware called ObjCShellz and attributed it to BlueNoroff. According to the researchers, ObjCShellz resembles the RustBucket malware campaign previously linked to the same group.
The use of a domain resembling that of a reputable cryptocurrency exchange suggests the targets were an organization or an individual with an interest in the cryptocurrency industry, although the researchers have not yet identified which individuals or entities the ObjCShellz attacks targeted.
Impact
- Financial Loss
- Sensitive Information Theft
Remediation
- Search for indicators of compromise (IOCs) in your environment using your security controls.
- Do not download documents attached to emails from unknown sources, and never enable macros when the source is not trusted.
- Use web filtering tools to block access to known malicious domains and websites.
- Keep all software, including operating systems, browsers, and applications, up to date with the latest security patches.
- Monitor network traffic for unusual or suspicious activity.
- Implement the principle of least privilege to restrict user access to only the resources and data necessary for their roles.
- Regularly back up critical data and systems.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, apply code hardening so that the organization's websites and software are secure, and use testing tools to detect vulnerabilities in deployed code.