Microsoft: Microsoft experts warn North Korean attackers target macOS users with 'a highly reliable infection chain' to steal passwords, financial data and more — here's how to stay safe

North Korean APT38 Targets Western Businesses with Fake Job Scams and Infostealer Malware

Microsoft has issued a warning about Sapphire Sleet (APT38), a North Korean state-sponsored threat group linked to the Lazarus Group, which has been targeting Western businesses since at least 2020 in a campaign designed to steal cryptocurrency. The group employs fake job scams, creating elaborate fictitious personas including companies, recruiters, and job postings to lure victims via email and social media with enticing employment offers.

Once engaged, attackers direct victims to a malicious Zoom lookalike instead of the legitimate platform. The fake software deploys infostealer malware to compromise devices. Microsoft’s Sherrod DeGrippo, Global Threat Intelligence GM, highlighted the effectiveness of social engineering in bypassing security measures, noting that attackers exploit human trust by mimicking routine interactions like remote support requests.

The campaign primarily targets macOS users, prompting Microsoft to collaborate with Apple, which implemented automatic platform-level protections to detect and block the malware and its infrastructure. The updates were rolled out without requiring manual intervention from users.

Source: https://www.techradar.com/pro/security/microsoft-experts-warn-north-korean-attackers-target-macos-users-with-a-highly-reliable-infection-chain-to-steal-passwords-financial-data-and-more-heres-how-to-stay-safe

Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence

{
  "id": "MIC1776436215",
  "linkid": "microsoft-threat-intelligence",
  "type": "Cyber Attack",
  "date": "1/2020",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'location': 'Western countries',
                        'type': 'Western Businesses'}],
 'attack_vector': ['Social Engineering',
                   'Fake Job Scams',
                   'Malicious Software (Zoom Lookalike)'],
 'data_breach': {'type_of_data_compromised': 'Device data, potential '
                                             'cryptocurrency credentials'},
 'description': 'Microsoft has issued a warning about Sapphire Sleet (APT38), '
                'a North Korean state-sponsored threat group linked to the '
                'Lazarus Group, targeting Western businesses since at least '
                '2020 in a campaign designed to steal cryptocurrency. The '
                'group employs fake job scams, creating fictitious personas '
                'including companies, recruiters, and job postings to lure '
                'victims via email and social media with enticing employment '
                'offers. Once engaged, attackers direct victims to a malicious '
                'Zoom lookalike that deploys infostealer malware to compromise '
                'devices.',
 'impact': {'data_compromised': 'Device compromise, potential cryptocurrency '
                                'theft',
            'systems_affected': ['macOS devices']},
 'initial_access_broker': {'entry_point': 'Fake job scams, malicious Zoom '
                                          'lookalike'},
 'lessons_learned': 'Social engineering is highly effective in bypassing '
                    'security measures by exploiting human trust. Attackers '
                    'mimic routine interactions like remote support requests '
                    'to gain access.',
 'motivation': ['Financial Gain (Cryptocurrency Theft)',
                'State-Sponsored Espionage'],
 'post_incident_analysis': {'corrective_actions': 'Automatic platform-level '
                                                  'protections implemented by '
                                                  'Apple to block malware and '
                                                  'infrastructure',
                            'root_causes': 'Exploitation of human trust via '
                                           'social engineering, use of fake '
                                           'job offers and malicious software'},
 'references': [{'source': 'Microsoft'}],
 'response': {'containment_measures': 'Automatic platform-level protections to '
                                      'detect and block malware and '
                                      'infrastructure',
              'third_party_assistance': 'Collaboration with Apple'},
 'threat_actor': 'Sapphire Sleet (APT38), Lazarus Group',
 'title': 'North Korean APT38 Targets Western Businesses with Fake Job Scams '
          'and Infostealer Malware',
 'type': 'Cyber Espionage, Cryptocurrency Theft'}