
Russian VPS Servers With RDP and Proxy Servers Enable North Korean Cybercrime Operations

Trend Research has uncovered a sophisticated network of cybercrime operations linked to North Korea, heavily utilizing Russian internet infrastructure.

Specifically, IP address ranges in the towns of Khasan and Khabarovsk, Russia, assigned to organizations under TransTelecom (ASN AS20485), are pivotal in these activities.

Khasan, just a mile from the North Korea-Russia border and connected via the Korea-Russia Friendship Bridge, and Khabarovsk, with its deep economic and cultural ties to North Korea, serve as strategic hubs.

These IP ranges, including 80.237.84.0/24 and 188.43.136.0/24, are obscured by an extensive anonymization network comprising commercial VPN services like Astrill VPN, proxy servers, and numerous Virtual Private Servers (VPS) accessed via Remote Desktop Protocol (RDP).

This setup masks malicious traffic origins, enabling North Korean-aligned actors, associated with the Void Dokkaebi intrusion set (also known as Famous Chollima), to conduct their operations undetected.
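One practical defensive use of the indicators above is to review connection logs for RDP or proxy sessions originating from the named ranges. The following is an added example, not Trend Research code: it matches source addresses against the two /24 ranges and the individual RDP source IP quoted in the article, over a constructed log format and constructed sample lines.

```python
"""Flag log entries whose source IP falls inside the ranges named in the report
(80.237.84.0/24, 188.43.136.0/24) or equals the quoted RDP source 188.43.33.251.
Added example; the log format and sample lines are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Indicators taken from the article; a real deployment would load these from
# a maintained threat-intel feed instead of hard-coding them.
WATCH_NETWORKS = [ipaddress.ip_network(n) for n in ("80.237.84.0/24", "188.43.136.0/24")]
WATCH_HOSTS = {ipaddress.ip_address("188.43.33.251")}

# Ports of the services the article associates with the anonymization layer.
PORT_LABELS = {3389: "rdp", 1080: "socks-proxy", 8080: "http-proxy"}

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> action=<word>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def is_watched(ip_text):
    """True if the address is a listed host or lies inside a listed range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed field: skip it instead of aborting the run
        return False
    return ip in WATCH_HOSTS or any(ip in net for net in WATCH_NETWORKS)

def flag_connections(lines):
    """Return (hits, per_dst): matching parsed records, and a count of how many
    watched sources reached each destination host:port (a VPS that several
    watched sources log into over RDP is the pattern worth escalating)."""
    hits, per_dst = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: do not mis-attribute it
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        if is_watched(rec["src"]):
            rec["service"] = PORT_LABELS.get(rec["dport"], "other")
            hits.append(rec)
            per_dst[(rec["dst"], rec["dport"])] += 1
    return hits, per_dst

SAMPLE_LOG = [  # constructed; 203.0.113.x / 198.51.100.x are documentation ranges
    "2025-04-20T10:01:02Z src=188.43.33.251 dst=203.0.113.10 dport=3389 action=allow",
    "2025-04-20T10:01:09Z src=80.237.84.17 dst=203.0.113.10 dport=3389 action=allow",
    "2025-04-20T10:02:30Z src=198.51.100.5 dst=203.0.113.10 dport=3389 action=allow",
    "2025-04-20T10:03:11Z src=188.43.136.200 dst=203.0.113.22 dport=1080 action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits, per_dst = flag_connections(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['service']})")
    for (dst, port), n in per_dst.most_common():
        print(f"{dst}:{port} reached by {n} watched source(s)")
```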

Image: BlockNovas website

Trend Research’s telemetry indicates that these actors, often DPRK IT workers deployed in countries such as China, Russia, and Pakistan, use the Russian IP ranges to connect to VPS servers around the world. From there they carry out social engineering on job recruitment platforms such as LinkedIn and Upwork, and access cryptocurrency services to launder funds or empty stolen wallets.

Sophisticated Social Engineering and Malware Deployment

The Void Dokkaebi campaigns primarily target IT professionals in the cryptocurrency, Web3, and blockchain sectors across countries like Ukraine, the US, and Germany.

A key tactic involves fictitious companies like BlockNovas, which lure victims with fake job interviews on platforms such as LinkedIn.

Applicants are tricked into downloading seemingly legitimate code from repositories on platforms like GitHub; when that code is executed outside an isolated environment, it deploys malware such as Beavertail and FrostyFerret.

These scripts steal sensitive data, including cryptocurrency wallet credentials, and some compromised devices are integrated into the attackers’ anonymization infrastructure via tools like CCProxy.

Image: Current contents of BlockNovas domain

Additionally, instructional videos with non-native English text, likely created by conspirators using BlockNovas accounts, detail the setup of Beavertail command-and-control (C&C) servers and password-cracking techniques using tools like Hashtopolis.

Recorded during RDP sessions from Russian IPs such as 188.43.33.251, these videos suggest collaboration with less-skilled foreign accomplices.

Trend Research also notes North Korean IT workers infiltrating Western companies via laptop farms to conceal their remote operations, further amplifying the reach of these campaigns.

Implications and Mitigation Strategies

The reliance on Russian infrastructure, operational since 2017 and expanded since 2023, raises questions about potential cooperation between North Korean and Russian entities, possibly extending to espionage.

With North Korea’s domestic internet resources limited to only 1,024 IP addresses, the use of foreign infrastructure is critical to scaling its cybercrime, as evidenced by high-profile attacks like the $1.5 billion Bybit hack.

Trend Vision One actively detects and blocks related Indicators of Compromise (IOCs), offering threat intelligence to customers.

To mitigate risks, IT professionals must execute interview-related code in isolated virtual environments and remain vigilant for AI-generated or deepfake interactions during interviews.

As Void Dokkaebi’s scope may expand beyond cryptocurrency theft to espionage, understanding and countering their anonymized infrastructure remains paramount.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
