APT38 Poses as Financial Service Sector to Infiltrate Networks
Category: Threat Actor Activity | Industry: Financial Services | Source: Recorded Future
The North Korean threat group APT38 has been discovered using infrastructure that masquerades as financial entities and venture capital firms, aiming to achieve monetary gain. Researchers from Recorded Future's Insikt Group report identifying "74 domains and 6 malicious files" in the group's latest campaign. The domains masqueraded as financial institutions located in Japan, Taiwan, and the United States. Relatedly, in March 2022 Recorded Future also identified an infrastructure of "18 malicious servers" used in a cryptocurrency-focused operation tracked as "CryptoCore." APT38's financial motive aligns with its past campaigns to generate funds in support of the North Korean government. "The North Korean government has a history of financially motivated intrusion campaigns, targeting cryptocurrency exchanges, commercial banks, and e-commerce payment systems worldwide," said Recorded Future. The report adds that the "spoofing of investment banking and venture capital firms poses risks such as exposure of sensitive information, legal consequences, disrupted negotiations, or damage to strategic investment portfolios."