A North Korea-linked threat actor tracked as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency in social engineering campaigns organized over a six-month period.
The findings come as Microsoft said several threat clusters linked to the country were creating fake LinkedIn profiles posing as both recruiters and job seekers in order to generate illicit profits for the sanctioned country.
Known to be active since at least 2020, Sapphire Sleet overlaps with hacker groups tracked as APT38 and BlueNoroff. In November 2023, the tech giant revealed that the threat actor had set up infrastructure mimicking skills assessment portals to conduct its social engineering campaigns.
One of the main methods adopted by the group for more than a year is to pose as a venture capitalist, falsely claiming an interest in a target user's company in order to set up an online meeting. Targets who fall for the bait and try to join the meeting are shown error messages urging them to contact the room administrator or support for assistance.
When the victim reaches out to the threat actor, they are sent either an AppleScript (.scpt) file or a Visual Basic Script (.vbs) file, depending on the operating system in use, supposedly to resolve the alleged connection problem.
Under the hood, the script is used to download malware onto the victim's Mac or Windows machine, ultimately allowing the attackers to harvest credentials and cryptocurrency wallets for later theft.
Sapphire Sleet has also been observed posing as a recruiter for financial firms such as Goldman Sachs on LinkedIn to contact potential targets and ask them to complete a skills assessment hosted on a website under its control.
“A threat actor sends a login account and password to the targeted user,” Microsoft said. “By logging into the website and downloading the code associated with the skills assessment, the target user downloads malware onto their device, allowing attackers to gain access to the system.”
Redmond also described North Korea's practice of sending thousands of IT workers abroad as a triple threat: it earns money for the regime through "legitimate" work, allows the workers to abuse their access to steal intellectual property, and facilitates data theft followed by extortion for ransom.
“Because it is difficult for a person in North Korea to register for things like a bank account or a phone number, IT workers must use intermediaries to help them access platforms where they can apply for remote work,” it said. “These intermediaries are used by IT workers for tasks such as creating an account on a freelancer website.”
This includes creating fake profiles and portfolios on developer platforms like GitHub and on LinkedIn in order to communicate with recruiters and apply for jobs.
In some cases, Microsoft also observed the use of artificial intelligence (AI) tools such as Faceswap to alter photos and documents stolen from victims, or to place them against professional-looking backdrops. These images are then used in resumes or profiles, sometimes for multiple personas, that are submitted with job applications.
“In addition to using artificial intelligence to help create images used in job applications, North Korean IT workers are experimenting with other artificial intelligence technologies, such as voice-changing software,” Microsoft said.
“North Korean IT workers appear to be very organized when it comes to tracking payments received. In total, this group of North Korean IT workers appears to have earned at least US$370,000 from their efforts.”