Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack
Executive Summary
Unit 42 researchers identified a North Korean IT worker activity cluster that we track as CL-STA-0237. This cluster was involved in recent phishing attacks using malware-infected video conference apps. It likely operates from Laos, using Lao IP addresses and identities.
CL-STA-0237 exploited a U.S.-based, small- and medium-sized business (SMB) IT services company to apply for other jobs. In 2022, CL-STA-0237 secured a position at a major tech company.
We believe CL-STA-0237 is another cluster of a broader network of North Korean IT workers supporting the nation's illicit activities, including weapons of mass destruction (WMD) and ballistic missile programs. This article highlights the IT workers’ shift from stable income-seeking activities to involvement in more aggressive malware campaigns. Additionally, the article illustrates the global reach of North Korean IT workers.
To address these risks, organizations should:
- Strengthen their hiring screening processes
- Implement robust monitoring to identify insider threats
- Thoroughly evaluate outsourced services
- …
IoC
effertz-carroll.com
regioncheck.net
freeconference.io
ipcheck.cloud
mirotalk.io
mirotalk.net
ftpserver0909.com
167.88.36.13
(37 email addresses were also listed as indicators; they are obfuscated on the extracted page and not recoverable here.)
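As an added example, not code from the Unit 42 article, the following Python script checks constructed DNS-log lines (a hypothetical `<timestamp> <source_ip> <queried_name> <answer_ip>` format, not any real product's log layout) against the domains and IP address listed above. It matches the registered domain and any subdomain of it (so `app.mirotalk.io` hits `mirotalk.io`) while rejecting lookalike hosts such as `notmirotalk.io`, and it normalizes case and trailing dots before comparing; the sample log lines and the internal addresses in them are constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional

# Indicators as listed on the page: domains and one IPv4 address.
IOC_DOMAINS = {
    "effertz-carroll.com", "regioncheck.net", "freeconference.io",
    "ipcheck.cloud", "mirotalk.io", "mirotalk.net", "ftpserver0909.com",
}
IOC_IPS = {ipaddress.ip_address("167.88.36.13")}


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot a resolver log may append."""
    return name.strip().rstrip(".").lower()


def domain_matches(name: str) -> Optional[str]:
    """Return the IoC domain hit by an exact or subdomain match, else None.

    The '.' + ioc suffix check is what keeps 'notmirotalk.io' from matching
    'mirotalk.io'; a plain substring or endswith(ioc) test would false-positive.
    """
    host = normalize_domain(name)
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_matches(addr: str) -> bool:
    """True if addr parses as an IP address that is in the IoC set."""
    try:
        return ipaddress.ip_address(addr.strip()) in IOC_IPS
    except ValueError:  # not an IP (e.g. NXDOMAIN marker); never a hit
        return False


# Constructed sample log (hypothetical format; RFC 5737 / private addresses).
SAMPLE_DNS_LOG = """\
2024-11-01T09:12:03Z 10.0.4.21 app.mirotalk.io 167.88.36.13
2024-11-01T09:12:05Z 10.0.4.21 www.example.com 93.184.216.34
2024-11-01T09:13:10Z 10.0.7.8 notmirotalk.io 198.51.100.7
2024-11-01T09:14:00Z 10.0.7.8 freeconference.io. 203.0.113.9
2024-11-01T09:15:42Z 10.0.9.3 cdn.example.net 167.88.36.13
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$"
)


def scan_dns_log(text: str) -> List[dict]:
    """Return one record per log line that hits an IoC domain or IP.

    A line can hit on both the queried name and the resolved address; the
    answer-IP check also catches a CNAME or unlisted domain that resolves to
    the known infrastructure.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than abort the scan
            continue
        rec = m.groupdict()
        reasons = []
        hit_domain = domain_matches(rec["qname"])
        if hit_domain:
            reasons.append(f"domain:{hit_domain}")
        if ip_matches(rec["answer"]):
            reasons.append(f"ip:{rec['answer']}")
        if reasons:
            hits.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "qname": normalize_domain(rec["qname"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Running it flags three of the five sample lines: the subdomain query that also resolved to the listed IP, the trailing-dot `freeconference.io.` query, and an unrelated name that resolved to 167.88.36.13; the `notmirotalk.io` lookalike is correctly ignored.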