A newly designated threat actor, tracked by Proofpoint as TA444, is a financially motivated state-sponsored group operating out of North Korea. Proofpoint researchers have been monitoring its activity and note that the group has targeted cryptocurrency exchanges since at least 2017 and adopted what they describe as a ‘startup’ mentality in late 2022.
Unlike most financially motivated threat actors, TA444 has repeatedly tested new infection methods rather than sticking with a single proven payload, which suggests a dedicated malware development element within the group. Proofpoint also observed that TA444 tailors its lures and delivery in a way that resembles a strategic marketing approach, as if the group were trying to grow its annual recurring revenue.
TA444 has used a range of post-exploitation backdoors in its attacks, including msoRAT, Cardinal, the Rantankba suite, Cheesetray, and Dyepack. It has also employed passive backdoors, virtualized listeners, and browser extensions to facilitate theft. Its campaigns are broad rather than narrowly targeted, but TA444 has nonetheless proven to be a capable adversary, defrauding victims of hundreds of millions of dollars.
In 2021, TA444 and related clusters stole nearly $400 million worth of cryptocurrency and other assets. That figure rose sharply in 2022, when a single heist netted over $500 million and total thefts for the year exceeded $1 billion, underscoring the scale of the financial damage TA444 has inflicted on its victims.
The report from Proofpoint coincides with recent confirmation from the FBI that North Korea’s Lazarus Group was responsible for a $100 million theft from cryptocurrency firm Harmony. This demonstrates the ongoing threat posed by North Korean state-sponsored groups in the realm of cybercrime.
As researchers continue to track groups like TA444, organizations that handle cryptocurrency or other high-value assets should treat North Korean state-sponsored operators as a persistent threat and maintain robust defenses against the social engineering and malware delivery these groups rely on.