Microsoft has revealed that state-sponsored cyber actors linked to North Korea have begun using artificial intelligence (AI) to make their operations more effective and efficient.
“They are learning to use tools based on artificial intelligence’s LLM (Large Language Models) to make their operations more efficient and effective,” the tech giant said in its latest report on East Asian hacking groups.
The company specifically highlighted a group called Emerald Sleet (aka Kimsuky or TA427), which has been observed using LLMs to support spear-phishing efforts targeting experts on the Korean Peninsula.
The adversary is also said to have relied on the latest advances in artificial intelligence to research vulnerabilities and conduct reconnaissance on organizations and experts focused on North Korea, joining Chinese hacking teams that have turned to AI-generated content for influence operations.
It also used LLMs to troubleshoot technical issues, perform basic scripting tasks and draft content for spear-phishing messages, Redmond said, adding that it worked with OpenAI to disable accounts and resources associated with the threat actor.
According to a report published last week by corporate security firm Proofpoint, the group “engages in beneficial campaigns to initiate conversations to establish contacts with targets for long-term information exchanges on topics of strategic importance to the North Korean regime.”
Kimsuky’s modus operandi involves leveraging think tanks and figures linked to non-governmental organizations to lend its emails legitimacy and increase the attack’s chances of success.
In recent months, however, the nation-state actor has begun abusing lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and embed web beacons (i.e., tracking pixels) to profile its targets, indicating its “agility in adapting its tactics.”
“Web beacons are likely intended as initial reconnaissance to validate that targeted emails are active and to gain critical information about recipients’ network environments, including externally visible IP addresses, host User-Agent, and time when the user opened the email,” Proofpoint said.
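The lax-DMARC condition described above can be checked mechanically. The following is an added example, not code from the article or from Proofpoint; it parses a domain’s DMARC TXT record and lists the settings that leave the domain open to From-header spoofing. The record strings are constructed samples, not real domains’ records.

```python
# Added example: evaluate a DMARC record for the weaknesses that let a sender
# be spoofed. A missing record or p=none means receivers deliver spoofed mail.
# All sample records below are constructed, not taken from real domains.

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return a list of weaknesses; an empty list means the policy is enforcing
    (p=reject applied to 100% of mail, subdomains included)."""
    if not txt:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    t = parse_dmarc(txt)
    issues = []
    if t.get("v", "").upper() != "DMARC1":
        issues.append("malformed record: missing v=DMARC1")
    p = t.get("p", "none").lower()
    if p == "none":
        issues.append("p=none: spoofed mail is delivered, only reported")
    elif p == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam, not rejected")
    pct = t.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of messages")
    sp = t.get("sp", p).lower()  # subdomain policy defaults to p
    if sp == "none" and p != "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if not any(k in t for k in ("rua", "ruf")):
        issues.append("no rua/ruf: owner receives no reports of spoofing attempts")
    return issues

# Constructed sample records covering the cases a defender meets in practice.
SAMPLES = {
    "lax":     "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@example.test",
    "strict":  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test",
    "missing": "",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, "->", assess_dmarc(record) or ["enforcing"])
```

To check a live domain, fetch the TXT record at `_dmarc.<domain>` with your resolver of choice and pass the string to `assess_dmarc`.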
The development comes as North Korean hacker groups continue to engage in cryptocurrency heists and supply chain attacks, with a threat actor nicknamed Jade Sleet linked to the theft of at least $35 million from an Estonian cryptocurrency company in June 2023 and over $125 million from a Singapore-based cryptocurrency platform a month later.
Jade Sleet, which overlaps with tracked clusters such as TraderTraitor and UNC4899, was also observed attacking online cryptocurrency casinos in August 2023, as well as using fake GitHub repositories and weaponized npm packages to target employees of technology and cryptocurrency organizations.
In another case, Diamond Sleet (also known as Lazarus Group) compromised a Germany-based IT company in August 2023 and weaponized an application from a Taiwan-based IT company to conduct a supply chain attack in November 2023.
“This will likely generate revenue, primarily for its weapons program, as well as intelligence gathering on the United States, South Korea and Japan,” said Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC).
The Lazarus Group is also known for using complex methods such as Windows Phantom DLL hijacking and manipulation of the Transparency, Consent, and Control (TCC) database on Windows and macOS, respectively, to undermine security protections and distribute malware, contributing to its sophisticated and elusive nature.
The findings come amid a new campaign orchestrated by the Konni group (aka Vedalia) that uses Windows shortcut (LNK) files to deliver malicious payloads.
“The threat actor used double extensions to hide the original .lnk extension, with observed LNK files containing excessive whitespace to obscure malicious command lines,” Symantec said. “As part of the attack vector, the command-line script searched for PowerShell to bypass detection and locate the embedded files and malicious payload.”