Weekly Summary of Cyberattacks, January 9th-15th
North Korean hackers steal more than $659 million in cryptocurrencies in 2024
The governments of the United States, South Korea and Japan have warned that hacking groups linked to North Korea stole more than $659 million in cryptocurrencies during 2024. According to a joint statement, these groups employed sophisticated social engineering tactics and malware families such as TraderTraitor and AppleJeus to attack companies in the blockchain sector. Among the incidents highlighted, the hack of the Indian platform WazirX in July 2024 is confirmed to have caused losses of $235 million. Other attacks included thefts of $308 million from DMM Bitcoin and $50 million from Upbit. The statement also warns about North Korean IT workers who conceal their identity to gain employment with international companies, then install malware and carry out extortion. The United States is offering rewards of up to $5 million for information that helps stop these activities, which generate millions for the North Korean regime.
Russia steps up cyberespionage in Central Asia using Kazakh diplomatic documents as a lure
Researchers have revealed a cyberespionage campaign in Central Asia, possibly attributable to the UAC-0063 group, which is associated with APT28, a cyber intelligence unit attributed to the Russian GRU. The operation, active since 2021, uses legitimate Kazakhstan Foreign Ministry documents as lures to deploy malware such as HATVIBE and CHERRYSPY and gather strategic intelligence. The documents, likely obtained through previous cyberattacks, include diplomatic letters, joint statements and administrative notes on topics ranging from international meetings to energy projects. The attack chain, dubbed “Double-Tap,” relies on malicious macros in Word files to install spyware and maintains persistence through scheduled tasks and modifications to the Windows registry. The targeting appears to focus on Kazakhstan's diplomatic and economic relations with Western and Asian countries, at a time when the country is seeking to distance itself from Russia and strengthen ties with China and Europe.
FunkSec: the ransomware group that combines cybercrime and hacktivism with AI
In December 2024, the FunkSec group burst onto the ransomware scene by claiming more than 85 victims, surpassing other groups in notoriety. The collective uses AI-assisted tools to develop advanced malware, despite having members with little technical expertise. FunkSec operates as a Ransomware-as-a-Service (RaaS), demanding low ransoms and reusing leaked data from previous hacktivist campaigns, which raises doubts about the authenticity of its disclosures. The group's links to hacktivist activity, such as its support for political causes, together with its double extortion methods, blur the distinction between hacktivism and cybercrime. In addition, many of its tools and leaks, including a ransomware strain written in Rust, appear to have been created with the help of AI agents. The ability of low-skilled actors to employ advanced technology makes it harder to assess cyber threats based solely on these groups' public statements. FunkSec highlights the growing use of AI in cybercrime and the difficulty of verifying the real impact of emerging groups in an ever-changing threat landscape.
HexaLocker v2 Being Proliferated by Skuld Stealer
Cybersecurity researchers have identified a campaign where the HexaLocker v2 ransomware is being propagated through the Skuld Stealer malware. Skuld Stealer is an open-source tool designed for Windows systems that steals user data from various applications, including web browsers and messaging platforms. In this campaign, Skuld Stealer is used to extract victims' sensitive information before deploying HexaLocker v2, which encrypts system files and demands a ransom. This double extortion tactic, combining data theft with file encryption, poses a significant threat to data security. Users and organizations are advised to keep their systems updated, use reliable security solutions, and remain vigilant for suspicious activity to mitigate the risk of infection.
Research reveals sophisticated domain spoofing tactics in malspam campaigns
A recent study has exposed new domain spoofing tactics used by malicious actors in malspam campaigns, highlighting the activity of “Muddling Meerkat,” a group linked to China. The investigation identified multiple campaigns that leverage spoofed domains to evade security measures, including phishing and extortion emails. Among the operations detected were campaigns targeting Chinese users with QR codes that lead to phishing sites, and similar campaigns in Japan that impersonate well-known brands to steal credentials. Another frequent tactic is sending extortion emails that appear to come from the recipient's own address, demanding payment in Bitcoin. Messages with harmless attachments sent from spoofed domains, whose purpose remains unclear, have also been discovered. These techniques, which combine the generation of short-lived domains, the use of traffic distribution tools and sender spoofing, show how attackers seek to stay under the radar of researchers. While questions remain about the ultimate motivations of these actors, the research provides key insights for improving defenses against malspam.