North Korean Hacking Group Sapphire Sleet Employs Social Engineering to Steal Cryptocurrency
Microsoft has issued a warning about the North Korean hacking group Sapphire Sleet (also known as BlueNoroff), which is standing up new infrastructure for upcoming social engineering campaigns on LinkedIn. This financially motivated group is notorious for stealing cryptocurrency by targeting employees of cryptocurrency companies.
After making initial contact on LinkedIn, BlueNoroff operators compromise their targets' systems with malware hidden in fake documents, which are delivered through private messages on various social networks.
The threat actor that Microsoft tracks as Sapphire Sleet, known for cryptocurrency theft via social engineering, has in the past few weeks created new websites masquerading as skills assessment portals, marking a shift in the persistent actor’s tactics.
— Microsoft Threat Intelligence (@MsftSecIntel) November 8, 2023
Cybersecurity experts at Microsoft Threat Intelligence note that in recent weeks, the group has created new websites that mimic skill assessment portals, marking a shift in their tactics. Typically, Sapphire Sleet locates its victims on platforms like LinkedIn, employing ruses related to skill evaluation, and then shifts communication with the targets to other platforms.
“In the past, Sapphire Sleet sent malicious attachments directly or used links to pages hosted on legitimate websites like GitHub. Microsoft assesses that the quick detection and deletion of the threat actor’s malicious files forced Sapphire Sleet to create their own websites.”
“Several malicious domains and subdomains host these websites, which entice recruiters to register for an account. The websites are password-protected to impede analysis. These domains are blocked by Microsoft Defender SmartScreen and Network Protection,” Microsoft explains.
Previously, the North Korean hackers sent malicious attachments directly or used links to pages hosted on GitHub. Microsoft believes that the rapid detection and takedown of their malware on legitimate online services has prompted BlueNoroff to build its own websites for hosting malicious payloads. These sites are password-protected to hinder analysis and are disguised as skill assessment portals that entice recruiters to register on them.