A North Korean-linked crypto stealing campaign that originally targeted South Korean victims is now expanding to other regions, including the U.K. and probably the U.S.
Digital forensic analysis shows that the malware used by the North Korean threat actors in this campaign can breach Android devices, but also potentially iPhone and other iOS-based devices.
On September 5, McAfee’s Mobile Research Team warned that the North Korean SpyAgent malware was spreading on Android devices. Following North Korean trends, this new malware and attack campaign also targets victims’ crypto wallets.
McAfee researchers, who managed to gain access to an ‘unprotected’ C2 command and control server controlled by the threat actors, also found evidence that the malware is targeting or will target in the near future iOS.
McAfee Uncovers SpyAgent Operating in the Wild
SpyAgent, as malware, comes with some innovations. It can scan and find on a smartphone the ‘mnemonic keys’ users usually store in image formats. Mnemonic keys — a.k.a. seed phrases, recovery phrases, or backup phrases — are used to protect and access cryptocurrency wallets.
Unlike other known North Korean crypto heists, and blockchain attacks, this malware can spread very fast because it takes control of the victim’s smartphone and can use it to send out convincing phishing SMS (“smishing”).
This attack is also different from others linked to Kim Jong Un’s hacker units because it is a very effective spyware.
FBI Says North Korea is Gearing Up for Crypto Industry Attack
On September 3, CISA and the FBI issued a warning for employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses. CISA and the FBI detected North Korean threat actors conducting research on the industry and the community and gathering data.
The FBI says this means that North Korea is poised to launch a sophisticated phishing campaign against the blockchain and crypto industry.
Interestingly, the SpyAgent malware, as mentioned, is spyware that, in addition to emptying crypto wallets, can gather a lot of information that can later be used to run more convincing scams against victims.
North Korean obsession with crypto is well documented and nowhere near its end. According to the United Nations, groups like the Lazarus Group have sent to the North Korean government more than $3 billion.
These funds, obtained illegally through crypto heists, are used by North Korea to fund internationally sanctioned military and government programs, including the development of weapons of mass destruction and inter-ballistic missiles.
Irina Tsukerman, national security and human rights lawyer and geopolitical analyst, told Techopedia that the crypto community should not underestimate the capabilities of North Korean threat actors.
“The North Korean intel gatherers are far more culturally sophisticated than one might assume given the level of North Korean isolation.
“Many of these hackers, manipulators, and spies are actually based in China, Malaysia, or even African countries, and thus are, in fact, quite in tune with external communications, information space, habits, and level of cyber protection.”
The recent CISA and FBI advisory agrees with the increased level of sophistication capabilities and resources that North Korean threat actors possess.
Tsukerman said that phishing campaigns like SpyAgent are not just about the money but just as much about understanding the human element, the mindset, interests, and habits of the target.
Additionally, North Korean digital cybercriminal operations are scaling and increasing in capabilities, with each iteration becoming more dangerous.
“North Korean spies could be just as easily using Western assets as any other intelligence. Moreover, don’t be surprised if they are increasingly closely integrated into campaigns run in conjunction with other countries such as Russia, China, or Iran.”
Tsukerman recognized that the main agenda of these cybercrimes is to fund sanctioned programs but also expects these cyber attacks to escalate.
“Expect these campaigns to expand to other realms in the future as North Korea becomes both more confident in its cyber capabilities and more legitimized and mainstreamed on geopolitical level.”
More than Just a Crypto Hacker: Large-Scale Espionage Malware Capabilities
280 fake sites and apps, the sophisticated coding of the malware, and a possible iOS version which is extremely difficult to pull off, combined with SMS access capabilities; All the evidence suggests that this campaign is prepared to scale and can scale globally and persist.
In its original report, McAfee had warned that the malware was adapting and could spread in the U.K.
“The move into the U.K. points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.”
For those who want to know how this campaign works, it’s a one-two-three classic attack technique that combines smishing, booby-trapped SMS-sent links that redirect users to malicious sites and, through trojan malware, trick victims into downloading apps from unofficial channels.
To make the scam more convincing North Korean hackers are pushing fake apps that impersonate government services, money loans, and even obituary notices.
Once installed, this malware has no mercy. It secretly gathers and sends your text messages, contacts, and all stored images to a server controlled by attackers. While the malware does this, it puts on a show for the victim, distracting him with endless loading screens, unexpected redirects, or brief blank screens.
The Bottom Line
SpyAgent is the latest malware coming out of North Korea. With years of experience in real-life blockchain-crypto hacking, the cyber units of the country prove that they are taking things to the next level. The sophistication of SpyAgent and its capabilities — despite the fact that the C2 server was left unprotected — reveals a double motive.
North Korea is after not just crypto but basically everything on a victim’s phone. Considering that smartphones are a treasure trove of data in modern times, malware that can automatically extract all this intelligence in bulk in a large-scale operation is troubling.