North Korean state-sponsored cybercriminals have been time and again accused of buying access to pre-hacked servers from other threat actors. However, lately, connections have emerged between the North Korea-based Lazarus APT group and some of the prominent Russian-speaking cybercriminal groups.

TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has been found to be infrequently using TrickBot’s codes in its attacks.

TrickBot is a privately-run Malware-as-a-Service (Maas) offering, which can be accessed by only top-tier threat actors.

TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.

According to a report by LEXFO, past Lazarus infections have been spotted to coexist with TrickBot and Emotet.
TA505 and Lazarus IOCs were found together in bank networks.

North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”

Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.

TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.

It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors provides defenders an opportunity to identify a potential second problem when the first one occurs.