Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

Summary:
Void Dokkaebi, also known as Famous Chollima, is a financially motivated threat group primarily focused on stealing cryptocurrency from software developers and blockchain enthusiasts through carefully crafted social engineering campaigns. These campaigns frequently masquerade as legitimate job opportunities advertised on platforms like LinkedIn, Upwork, and Freelancer. Threat actors behind these operations pose as recruiters from fictitious companies, such as BlockNovas, to lure unsuspecting developers into fraudulent interviews. During these interviews, victims are asked to complete technical tasks using files hosted on trusted repositories like GitHub or GitLab. Although the code appears benign, it often contains obfuscated scripts that, when executed outside a secure sandbox, initiate malware deployment aimed at exfiltrating cryptocurrency wallets and sensitive credentials. One scheme also tricks applicants into installing malware under the guise of a camera software update. Malware families observed in these campaigns include Beavertail, Invisible Ferret, FrostyFerret, and GolangGhost.

Trend Research has identified several Russian IP address ranges, primarily in the towns of Khasan and Khabarovsk, that serve as pivotal infrastructure nodes for Void Dokkaebi operations. These IPs are registered to companies located near the North Korea-Russia border and are obscured by a layered anonymization architecture involving VPNs (notably Astrill VPN), proxies, and RDP sessions. Khasan, located just one mile from North Korea, houses the Korea-Russia Friendship Bridge, which has reportedly facilitated a fiber-optic link since 2017, supporting North Korea’s internet access through TransTelecom, Russia’s second upstream provider to the DPRK. Investigators found that compromised hosts running CCProxy, a legitimate proxy software, were also used to funnel malicious traffic through these Russian nodes.

Telemetry data from Trend Micro indicates that North Korean-aligned IT workers deployed in countries like China, Russia, and Pakistan routinely connect back to North Korean IP addresses through these Russian ranges. Analysts have noted recurring activity involving the same Russian IPs accessing services like cryptocurrency wallets, developer platforms, and encrypted messaging apps. For instance, an IP was observed connecting to a Beavertail command-and-control server and uploading data from compromised systems. The operation is highly distributed and modular, pointing to various cybercriminal cells with differing levels of skill, working in parallel but loosely aligned toward shared financial or intelligence objectives.


Security Officer Comments:
To enable their operations at scale, North Korean actors have created detailed, non-native English-language instructional videos explaining how to set up Beavertail infrastructure, including the use of Dropbox for data exfiltration, deployment of malware scripts, and brute-forcing cryptocurrency wallets using tools like Hashcat and Hashtopolis. The training material appears to be aimed at low-skilled co-conspirators, indicating that while Void Dokkaebi campaigns are not always technically complex, they are well-organized and highly scalable.

Evidence also suggests a convergence of cybercrime and espionage. In instances where financial data is not of value, initial access into victim networks, especially in sensitive sectors like energy, may be handed off to actors with more strategic, espionage-driven objectives. This potential handoff highlights a dual-purpose strategy that combines short-term financial gain with long-term intelligence operations.

As the infrastructure supporting these operations grows, so too does the threat landscape. The use of Russian IP addresses, coupled with physical infrastructure in towns like Khasan and Khabarovsk, suggests possible collusion or at least tolerance from local entities. Given the geopolitical proximity and economic ties between Russia and North Korea, Trend Research assesses with low to medium confidence that there may be intentional cooperation or, at a minimum, infrastructure sharing between these two nations in support of North Korea's cyber objectives.


Suggested Corrections:
To help mitigate threats like Void Dokkaebi, IT professionals who are asked to perform a code review or complete a coding test as part of an interview should never execute that code on a production server or on any corporate or personal laptop. Instead, these tasks should be conducted within an isolated virtual environment that has no access to private or sensitive information, safeguarding against potential data exfiltration. Once the test is completed, the virtual environment should be securely destroyed to maintain confidentiality.
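A pre-execution triage check for the interview-task scenario above, added here as an example and not part of the Trend Micro report: it scans a cloned repository for common obfuscation indicators (dynamic eval, base64 decoding, long encoded literals, hex-escaped strings) before any file is run. The sample repository and its hidden loader are constructed for this example; the isolated environment remains the primary control, and this is only a triage aid.

```python
import re

# Constructed sample "take-home task" repository; the loader in config.js is a
# harmless placeholder (the literal decodes to an alphabet string), not real malware.
SAMPLE_REPO = {
    "README.md": "# Take-home task\nRun `node index.js` to start the demo server.\n",
    "index.js": (
        "const express = require('express');\n"
        "const cfg = require('./config');\n"
        "const app = express();\n"
        "app.listen(cfg.port);\n"
    ),
    "config.js": (
        "module.exports = { port: 3000 };\n"
        "// hypothetical hidden loader, constructed for this example\n"
        "const _0x1 = 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5';\n"
        "eval(Buffer.from(_0x1, 'base64').toString());\n"
    ),
}

# Heuristic indicators of code that does more than it appears to; each hit is
# a reason to read the file closely before running anything.
INDICATORS = [
    ("dynamic-eval", re.compile(r"\b(eval|Function|exec)\s*\(")),
    ("base64-decode", re.compile(r"atob\s*\(|b64decode|from\([^)]*'base64'\)")),
    ("process-spawn", re.compile(r"child_process|subprocess|os\.system")),
    ("long-encoded-literal", re.compile(r"['\"][A-Za-z0-9+/=]{40,}['\"]")),
    ("hex-escaped-string", re.compile(r"(\\x[0-9a-fA-F]{2}){6,}")),
]

SCANNED_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".py", ".json")


def scan_file(name, text):
    """Return (file, line number, indicator) for every heuristic hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings


def scan_repo(files):
    """Scan a {path: contents} mapping, skipping non-code files such as README.md."""
    findings = []
    for name, text in files.items():
        if name.endswith(SCANNED_SUFFIXES):
            findings.extend(scan_file(name, text))
    return findings


if __name__ == "__main__":
    for path, lineno, label in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {label}")
```

Heuristics like these produce false positives on legitimate build tooling, so a hit means "read before running", not "malicious".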


During the interview process, candidates should also remain vigilant for any indications of deepfakes or AI-generated responses from the interviewers. For instance, if the interviewer consistently provides vague or general answers before addressing the question directly, it may be a sign of the interviewer using AI to formulate the answers. Being aware of these nuances can help ensure a more secure and genuine interview.


Link(s):
https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html