Undetected North Korean Malware: A Looming Threat to Financial Institutions
Threat Advisory
Undetected North Korean Malware:
A Looming Threat to Financial
Institutions
Date: 16/02/2023
+44 (0)3303 110 940
Registered Address
[email protected]
40 Caversham Road, Reading, RG1 7EB
Company Registration No: 11101195.
bridewell.com
TLP: WHITE
Summary
Bridewell Intelligence has identified a looming threat to financial institutions related to
a cluster of North Korean malware that is currently unreported and undetected by
anti-virus solutions. This information was discovered by pivoting from recent Proofpoint
and Kaspersky reporting that revealed activities of TA444, a North Korean state-sponsored
threat actor that is financially motivated and actively targeting cryptocurrencies and
financial institutions. It is estimated that threat actors related to North Korea stole
over $1 billion USD of cryptocurrency assets during 2022 alone.
TA444 has been actively targeting banks for several years, but in the latter stages of
2022, the group expanded its operations to include cryptocurrency. The group has
demonstrated a startup mentality, using rapid iteration and testing products on the fly.
Recently, Proofpoint researchers identified a deviation in TA444's operations,
indicating a shift in …
IoC