
Russian VPS Servers With RDP and Proxy Servers Enable North Korean Cybercrime Operations

Trend Research has uncovered a sophisticated network of cybercrime operations linked to North Korea, heavily utilizing Russian internet infrastructure.

Specifically, IP address ranges in the towns of Khasan and Khabarovsk, Russia, assigned to organizations under TransTelecom (ASN AS20485), are pivotal in these activities.

Khasan, just a mile from the North Korea-Russia border and connected via the Korea-Russia Friendship Bridge, and Khabarovsk, with its deep economic and cultural ties to North Korea, serve as strategic hubs.

These IP ranges, including 80.237.84.0/24 and 188.43.136.0/24, are obscured by an extensive anonymization network comprising commercial VPN services like Astrill VPN, proxy servers, and numerous Virtual Private Servers (VPS) accessed via Remote Desktop Protocol (RDP).

This setup masks malicious traffic origins, enabling North Korean-aligned actors, associated with the Void Dokkaebi intrusion set (also known as Famous Chollima), to conduct their operations undetected.

Image: BlockNovas website

Trend Research’s telemetry indicates that these actors, often DPRK IT workers deployed in countries like China, Russia, and Pakistan, use Russian IP ranges to connect to global VPS servers, engaging in activities such as social engineering on job recruitment platforms like LinkedIn and Upwork, and accessing cryptocurrency services to launder funds or empty stolen wallets.

Sophisticated Social Engineering and Malware Deployment

The Void Dokkaebi campaigns primarily target IT professionals in the cryptocurrency, Web3, and blockchain sectors across countries like Ukraine, the US, and Germany.

A key tactic involves fictitious companies like BlockNovas, which lure victims with fake job interviews on platforms such as LinkedIn.

Applicants are tricked into downloading seemingly legitimate code from repositories such as GitHub; when that code is executed outside an isolated environment, it deploys malware such as Beavertail and FrostyFerret.

These scripts steal sensitive data, including cryptocurrency wallet credentials, and some compromised devices are integrated into the attackers’ anonymization infrastructure via tools like CCProxy.

Image: Current contents of BlockNovas domain

Additionally, instructional videos with non-native English text, likely created by conspirators using BlockNovas accounts, detail the setup of Beavertail command-and-control (C&C) servers and password-cracking techniques using tools like Hashtopolis.

Recorded during RDP sessions from Russian IPs such as 188.43.33.251, these videos suggest collaboration with less-skilled foreign accomplices.
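The report names two Russian IP ranges (80.237.84.0/24 and 188.43.136.0/24) and one individual address (188.43.33.251) seen in RDP sessions. A defender's first practical use of such indicators is to correlate them against remote-access logs. The following is an added example, not code from Trend Research or from the article; the log format and the log lines are constructed for illustration, and the watchlist is treated as a correlation signal rather than proof of malicious activity on its own.

```python
import ipaddress
import re

# Indicators named in the report: two /24 networks and one host address.
# Constructed watchlist for correlation; a hit warrants investigation, not automatic blocking.
WATCHLIST_NETWORKS = [
    ipaddress.ip_network("80.237.84.0/24"),
    ipaddress.ip_network("188.43.136.0/24"),
]
WATCHLIST_HOSTS = [ipaddress.ip_address("188.43.33.251")]

# Hypothetical log line format used only in this example:
# "<timestamp> <service> src=<ip> user=<name> action=<verb>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log lines (not real telemetry). One is deliberately unparseable.
SAMPLE_LOGS = [
    "2025-05-12T08:01:10Z rdp src=188.43.33.251 user=svc_build action=logon",
    "2025-05-12T08:02:33Z vpn src=80.237.84.17 user=jdoe action=connect",
    "2025-05-12T08:03:45Z rdp src=10.0.0.5 user=admin action=logon",
    "2025-05-12T08:05:02Z ssh src=188.43.136.200 user=deploy action=login",
    "2025-05-12T08:06:20Z ssh src=203.0.113.9 user=deploy action=login",
    "garbage line that does not parse",
]


def classify_ip(ip_text):
    """Return 'host' for an exact watchlisted address, 'network' for an address inside a
    watchlisted range, or None when the text is not an IP or matches nothing."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip in WATCHLIST_HOSTS:
        return "host"
    if any(ip in net for net in WATCHLIST_NETWORKS):
        return "network"
    return None


def scan_logs(lines):
    """Parse each log line and return the entries whose source IP is on the watchlist.

    Unparseable lines are skipped rather than raising, so one malformed record
    cannot stop the scan of a large log file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_ip(m.group("src"))
        if kind is None:
            continue
        hits.append({
            "ts": m.group("ts"),
            "service": m.group("service"),
            "src": m.group("src"),
            "user": m.group("user"),
            "action": m.group("action"),
            "match": kind,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['service']} user={hit['user']} src={hit['src']} ({hit['match']} match)")
```

The exact-host match is reported separately from the range match because the two carry different weight: a single /24 contains many unrelated tenants, so a range hit should be enriched with the user, service and time before anyone acts on it.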

Trend Research also notes North Korean IT workers infiltrating Western companies via laptop farms to conceal their remote operations, further amplifying the reach of these campaigns.

Implications and Mitigation Strategies

The reliance on Russian infrastructure, operational since 2017 and expanded since 2023, raises questions about potential cooperation between North Korean and Russian entities, possibly extending to espionage.

With North Korea's limited domestic internet resources (only 1,024 IP addresses), the use of foreign infrastructure is critical to scaling their cybercrime, as evidenced by high-profile attacks like the $1.5 billion Bybit hack.

Trend Vision One actively detects and blocks related Indicators of Compromise (IOCs), offering threat intelligence to customers.

To mitigate risks, IT professionals must execute interview-related code in isolated virtual environments and remain vigilant for AI-generated or deepfake interactions during interviews.

As Void Dokkaebi’s scope may expand beyond cryptocurrency theft to espionage, understanding and countering their anonymized infrastructure remains paramount.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
