North Korean cybercriminal groups have significantly changed the tactics of their social-engineering campaigns. According to the latest data, the attackers have stolen over $300 million by impersonating trusted individuals during fake video conferences.

A warning about the new scheme was published by Taylor Monahan, a leading security researcher at MetaMask. According to her, the targets of this long-term fraudulent operation are primarily the executives of cryptocurrency companies and investment funds.

How the fraudulent scheme works

Experts note that the current campaign differs from earlier attacks that relied on AI-based deepfake technology. Here the criminals take a more pragmatic approach built on hijacking accounts in the Telegram messenger.

The process begins with taking control of the account of a venture investor or another public figure with whom the victim may have been in contact before. Using the existing message history to establish trust, the hackers invite the target to a call via Zoom or Microsoft Teams, sending a calendar invitation with a disguised meeting link.

During the video call, the participant sees a video feed that appears to be a live view of the other party. In reality, the criminals play looped fragments of old recordings from podcasts or public speeches by the real person.

How the malware is delivered

The key stage of the attack comes when the attacker simulates technical issues. Citing problems with sound or video, the attacker convinces the victim that the connection needs to be restored, and to do so the victim is offered a "special script" to download or an update to a software development kit (SDK). It is this transmitted file that carries the malicious payload.

Once the received file is launched, a remote access trojan (RAT) is installed on the device, giving the criminals full control over the system. The result is unauthorized withdrawals of assets from cryptocurrency wallets and the exfiltration of confidential data.

Monahan emphasizes that the hackers use professional courtesy and business etiquette as a tool of pressure. Psychological influence within the framework of a "business meeting" dulls vigilance, turning a routine request into a fatal breach of security.

This strategy is part of the large-scale activity of North Korean threat actors. Over the past year, the total amount of funds they stole in the digital asset sector amounted to about $2 billion. One of the largest incidents attributed to these groups remains the hack of the cryptocurrency exchange Bybit.