North Korean hackers use phishing to target users of South Korean cryptocurrency exchange UPbit

• Through phishing, the attackers dropped malicious code into user systems to steal data such as private keys and login information.
• The group is associated with a previous attack made on South Korean government agencies and public figures.

A North Korean hacker group has targeted South Korean cryptocurrency exchange, UPbit. It is reported that the group leveraged phishing to target UPbit users. According to security firm East Security, one of the group’s actors pushed a phishing email to users on May 28, in order to carry out a large scale cyber attack. This email contained malicious code intended to steal sensitive user data.

Worth noting

• The email spoke of a fictitious sweepstakes payout in the name of UPbit. It was discovered that the email came from a server outside South Korea.
• It also points to a document of this false payout. This file contains malicious code, upon execution, steals system data, private keys, and login information of the user.
• The code connects the affected system to a C2 server that enables the attacker to have remote control over the system.
• The file was also protected with the password ‘UPBIT’ in order to evade detection from antivirus software.

Affiliation with Operation Fake Striker

The unnamed North Korean group is also believed to be involved with another attack known as Operation Fake Striker, which targeted government agencies. “In analyzing attack tools and malicious codes used by hacker groups, there are unique characteristics we saw,” told Mun Chong Hyun, Head of ESRC Center at East Security, to CoinDesk.

However, Chong Hyun said that the damage from this attack was not ascertained and has urged users to not click on suspicious links.