A subgroup within the infamous Lazarus Group, recognized as Sapphire Sleet, has recently altered its modus operandi by employing a variant of the Phobos ransomware in its financially motivated cyberattacks. This strategic shift has been documented by cybersecurity researchers at Cisco Talos, who have observed an uptick in activities carried out by these cybercriminals.
Sapphire Sleet, also known by various aliases such as APT38, BlueNoroff, CageyChameleon, and CryptoCore, has gained notoriety for orchestrating cryptocurrency theft through the use of sophisticated social engineering techniques. The recent campaigns conducted by this threat group have introduced a notable change, with the adoption of a variant of the Phobos ransomware, which is distributed through the SmokeLoader backdoor trojan.
Traditionally, SmokeLoader has been utilized by threat actors to drop or download additional payloads when deployed. However, in the context of 8Base campaigns orchestrated by Sapphire Sleet, it has taken on a new role. The ransomware component is now embedded within its encrypted payloads, effectively becoming an integral part of the SmokeLoader process. The cybersecurity researchers have identified a deliberate focus on targeting platforms like LinkedIn, employing lures related to skills assessment. Once successful communication is established with the targeted individuals, the threat actors then transition to other platforms for further interaction.
Previous tactics employed by the hacking group involved sending malicious attachments directly or embedding links within legitimate websites like GitHub. However, the swift detection and removal of these payloads may have prompted Sapphire Sleet to evolve its strategy by creating its own network of websites dedicated to malware distribution. Notably, the malicious domains hosting these websites are password-protected, adding a further layer of complexity that impedes analysis efforts.
The findings from Cisco Talos shed light on the evolving tactics of Sapphire Sleet, showcasing their adaptability to circumvent detection mechanisms. The group’s continued use of ransomware, particularly the Phobos variant, emphasizes the persistent threat they pose to organizations, highlighting the importance of robust cybersecurity measures to defend against such cybercriminal activities.