Secureworks® Counter Threat Unit™ (CTU) researchers are examining connections between North Korean IT worker schemes and a 2016 crowdfunding scam linked to the NICKEL TAPESTRY threat group. The investigation reveals the involvement of designated companies facilitating North Korean IT workers and highlights a fraudulent crowdfunding campaign. Affected: silverstarchina.com, kratosmemory.com
Keypoints :
- CTU researchers are investigating links between North Korean IT worker schemes and a 2016 crowdfunding scam.
- The NICKEL TAPESTRY threat group is attributed to these IT worker schemes.
- Two companies, Yanbian Silverstar and Volasys Silver Star, were designated for violating sanctions.
- Evidence shows North Korean IT workers were operating from China, specifically through Yanbian Silverstar.
- A domain linked to the front companies was used to help North Korean workers find freelance jobs.
- The crowdfunding campaign for a Kratos portable memory device was identified as a scam.
- The scam raised approximately $20,000 USD, showcasing North Korean actors’ experimentation with various schemes.
- CTU recommends organizations to review and restrict access to identified indicators to mitigate exposure.
MITRE Techniques :
- MITRE Technique: T1203 (Exploitation for Client Execution) – Procedure: North Korean IT workers exploited freelance platforms to gain employment and access to funds.
- MITRE Technique: T1071 (Application Layer Protocol) – Procedure: Used domains like silverstarchina.com to facilitate communication and operations.
- MITRE Technique: T1496 (Resource Hijacking) – Procedure: The crowdfunding scam utilized fraudulent means to siphon money from backers.
Indicator of Compromise :
- [IP Address] 36.97.143.26
- [Domain] silverstarchina[.]com
- [Domain] kratosmemory[.]com
- [Email] jinmaolin0628 @ hotmail . com
- Check the article for all found IoCs.
Full Research: https://www.secureworks.com/blog/nickel-tapestry-infrastructure-associated-with-crowdfunding-scheme