Russian VPS Servers With RDP and Proxy Servers Enable North Korean Cybercrime Operations

Trend Research has uncovered a sophisticated network of cybercrime operations linked to North Korea, heavily utilizing Russian internet infrastructure.

Specifically, IP address ranges in the towns of Khasan and Khabarovsk, Russia, assigned to organizations under TransTelecom (ASN AS20485), are pivotal in these activities.

Khasan, just a mile from the North Korea-Russia border and connected via the Korea-Russia Friendship Bridge, and Khabarovsk, with its deep economic and cultural ties to North Korea, serve as strategic hubs.

These IP ranges, including 80.237.84.0/24 and 188.43.136.0/24, are obscured by an extensive anonymization network comprising commercial VPN services like Astrill VPN, proxy servers, and numerous Virtual Private Servers (VPS) accessed via Remote Desktop Protocol (RDP).

This setup masks malicious traffic origins, enabling North Korean-aligned actors, associated with the Void Dokkaebi intrusion set (also known as Famous Chollima), to conduct their operations undetected.

Trend Research’s telemetry indicates that these actors, often DPRK IT workers deployed in countries like China, Russia, and Pakistan, use Russian IP ranges to connect to global VPS servers, engaging in activities such as social engineering on job recruitment platforms like LinkedIn and Upwork, and accessing cryptocurrency services to launder funds or empty stolen wallets.

Sophisticated Social Engineering and Malware Deployment

The Void Dokkaebi campaigns primarily target IT professionals in the cryptocurrency, Web3, and blockchain sectors across countries like Ukraine, the US, and Germany.

A key tactic involves fictitious companies like BlockNovas, which lure victims with fake job interviews on platforms such as LinkedIn.

Applicants are tricked into downloading seemingly legitimate code from repositories like GitHub, which injects malicious scripts like Beavertail and FrostyFerret malware when executed outside isolated environments.

These scripts steal sensitive data, including cryptocurrency wallet credentials, and some compromised devices are integrated into the attackers’ anonymization infrastructure via tools like CCProxy.

Additionally, instructional videos with non-native English text, likely created by conspirators using BlockNovas accounts, detail the setup of Beavertail command-and-control (C&C) servers and password-cracking techniques using tools like Hashtopolis.

Recorded during RDP sessions from Russian IPs such as 188.43.33.251, these videos suggest collaboration with less-skilled foreign accomplices.

Trend Research also notes North Korean IT workers infiltrating Western companies via laptop farms to conceal their remote operations, further amplifying the reach of these campaigns.

Implications and Mitigation Strategies

The reliance on Russian infrastructure, operational since 2017 and expanded since 2023, raises questions about potential cooperation between North Korean and Russian entities, possibly extending to espionage.

With North Korea’s limited domestic internet resources only 1,024 IP addresses the use of foreign infrastructure is critical to scaling their cybercrime, as evidenced by high-profile attacks like the $1.5 billion Bybit hack.

Trend Vision One actively detects and blocks related Indicators of Compromise (IOCs), offering threat intelligence to customers.

To mitigate risks, IT professionals must execute interview-related code in isolated virtual environments and remain vigilant for AI-generated or deepfake interactions during interviews.

As Void Dokkaebi’s scope may expand beyond cryptocurrency theft to espionage, understanding and countering their anonymized infrastructure remains paramount.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!