North Korean state-sponsored cybercriminals have been time and again accused of buying access to pre-hacked servers from other threat actors. However, lately, connections have emerged between the North Korea-based Lazarus APT group and some of the prominent Russian-speaking cybercriminal groups.
TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has occasionally been found using TrickBot’s code in its attacks.
Establishing the connection
- TrickBot is a privately-run Malware-as-a-Service (MaaS) offering that is accessible only to top-tier threat actors.
- TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.
- According to a report by LEXFO, past Lazarus infections have been observed coexisting with TrickBot and Emotet.
- TA505 and Lazarus IOCs were found together in bank networks. Moreover, the PS post-intrusion scripts attributed to Lazarus and TA505 have been found to be similar.
- According to a CISA alert, North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”
What they are saying
- Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.
- TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.
- However, not enough information is available to decide if all TrickBot infections could point to Lazarus or only a subset of them.
The bottom line
It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors gives defenders an opportunity to identify a potential second problem when the first one occurs.