Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label lazarus. Show all posts
Zoom
APTs cryptocurrency CyberCrime Cyberfraud Cyberhackers Cybersecurity CyberThreat Elusive lazarus Privacy Zoom

Zoom Platform Misused by Elusive Comet Attackers in Fraud Scheme

 


Recent reports suggest that North Korean threat actors are now employing an alarming evolution in the tactics they employ to launch a sophisticated cybercrime operation known as Elusive Comet, a sophisticated cybercrime operation. This newly uncovered campaign demonstrates a way of exploiting Zoom's remote control capabilities to gain unauthorised access to cryptocurrency industry users' systems. 

It is clear from this development that a significant trend is occurring in which widely trusted communication platforms are being exploited as tools to facilitate high-level cyber intrusions. Security Alliance, one of the most reputable cybersecurity research organisations, conducted the investigation and analysis that led to the discovery. Elusive Comet exhibited some significant operational similarities to activities previously associated with North Korea's notorious Lazarus Group, a group which has been linked to North Korea for some years. 

The findings suggest that definitive attribution is yet to be made. Due to the lack of conclusive evidence, attempts to link this campaign with any known state-sponsored entity have been complicated, further demonstrating how covert cyberattacks have become increasingly common in the financial sector. This campaign, according to security experts, marks a dramatic departure from the traditional methods of gaining access to cryptocurrency targets previously used to attack them. This is because the attackers can leverage legitimate features of mainstream platforms such as Zoom, which not only makes their operations more successful but also makes detection and prevention much more difficult. 

Using such ubiquitous communication tools emphasises the need for enhanced security protocols in industries that handle digital assets to stay on top of digital threats. With the emergence of Elusive Comet, the threat landscape continues to evolve, and adversaries are increasingly adopting innovative approaches to bypass traditional defences, a reminder that the threat landscape is constantly changing and that adversaries are continuously evolving. The threat actors behind Elusive Comet have invested considerable resources into establishing a convincing online persona to maintain an appearance of legitimacy. 

To reinforce their facade of authenticity, they operate credible websites and maintain active social media profiles. As one example of the fraudulent entities that are associated with the group, Aureon Capital, a fake venture capital company posing as a legitimate company, Aureon Press, and The OnChain Podcast have all been carefully designed to trick unsuspecting individuals and businesses. 

The attackers usually contact users by sending them direct messages via X (formerly Twitter), or by contacting them via email, or by offering invitations to appear on their fabricated podcast as a guest. In the study, researchers found that after initiating contact and establishing a certain level of trust, attackers then move swiftly to set up a Zoom meeting under the pretext of learning more about the target's professional activities. 

It is common for key meeting details to be withheld until very near the time of the scheduled meeting, a tactic employed by the organisation to create an impression of urgency and encourage compliance among participants. A common occurrence is that victims are often asked to share their screens during the call so that they can demonstrate their work, and in doing so, they unknowingly expose their sensitive systems and data to the attackers. As a result of the Elusive Comet operation, Jake Gallen, CEO of the cryptocurrency company Emblem Vault, lost over $100,000 of his digital assets, which included his company's cryptocurrency. As a result, he was targeted after agreeing to participate in a Zoom interview with someone who was posing as a media person. 

By manipulating Gallen during the session into granting remote access to his computer under the disguise of technical facilitation, the attacker succeeded in obtaining his permission to do so. The attackers were able to install a malicious payload, referred to by the attackers as "GOOPDATE," which allowed them to gain access to his cryptocurrency wallets and steal the funds that resulted from this attack. 

It is clear from this incident that cryptocurrencies are vulnerable, especially among executives and high-net-worth individuals who interact regularly with media outlets and investors, which makes them particularly susceptible to sophisticated social engineering schemes because of their high level of exposure to these media outlets. Additionally, the breach emphasises that professionals operating in high-value financial sectors should have heightened awareness of cybersecurity and adopt stricter digital hygiene policies. 

A leading cybersecurity research and advisory firm specialising in forensics and advanced persistent threats (APTS), Security Alliance, meticulously tracked and analysed the Elusive Comet campaign, a campaign that is highly likely to persist for many years to come. Security Alliance published a comprehensive report in March 2025 detailing the tactics, techniques, and procedures (TTPS) used by threat actors and presenting comprehensive insights into these tactics. In their research, the attackers were able to install malware on victims' systems based primarily on a combination of social engineering and using Zoom's remote control features to get their malicious code into the systems of their victims. 

Despite drawing parallels between the methods used to conduct this campaign and those of the notorious Lazarus Group of North Korea, Security Alliance exercised caution when attributions were made. It was noted in the research that the similarities in techniques and tools could indicate common origins or shared resources; however, the researchers stressed the difficulties associated with attribution in a cyber threat landscape where various actors tend to duplicate or repurpose the methodologies of each other. 

Taking into account the methods employed by the Elusive Comet campaign, cryptocurrency professionals are strongly advised to take a comprehensive and proactive security posture to reduce the risk of falling victim to the same types of sophisticated attacks again. First and foremost, companies and individuals should make sure that Zoom's remote control feature is disabled by default, and that it is only enabled when necessary by the organisation and the individual. This functionality can be significantly restricted by restricting the use of this feature, which reduces the chances of cybercriminals exploiting virtual engagements as well.

It is also important to exercise increased caution in responding to unsolicited meeting invitations. When invitations are sent by an unknown or unverified source, it is essential to verify the identity of the requester through independent channels. In order to increase account security in cryptocurrency-related platforms, including digital wallets and exchanges, it is imperative to implement multi-factor authentication (MFA) as a critical barrier. 

MFA serves as an additional layer of protection if credentials are compromised as well, providing an extra layer of defence. Further, it will be beneficial for organisations to deploy robust endpoint protection solutions as well as maintain all software, including communication platforms such as Zoom, consistently updated, to protect against the exploitation of known vulnerabilities. Additionally, regular cybersecurity education and training for employees, partners, and key stakeholders is also extremely important. 

An organisation can strengthen the security awareness of its teams through the development of a culture of security awareness, which will allow them to identify and resist threat actors' tactics, such as social engineering, phishing attacks, and other deceptive tactics. The Elusive Comet operation highlights a broader, more dangerous threat to the cryptocurrency industry as cybercriminals are increasingly manipulating trusted communication tools to launch highly targeted and covert attacks targeting the crypto market. 

There is a strong possibility that the attacker may have been part of the North Korean Lazarus Group, but an official attribution remains elusive, further illustrating the difficulty in identifying cyber threat actors, yet there are some clear lessons to be learned from this attack. 

As today's cybersecurity landscape becomes more volatile and more complex, it is more important than ever for organisations to maintain vigilance, implement rigorous security protocols, and continually adapt to emerging threats to survive. The adversaries are continually refining their tactics, so the only people who can successfully safeguard the assets and reputation of their organisations and businesses against evolving threats to their identity and reputation will be those who invest in resilient defence strategies.
Read more »
X
Apple lazarus Linkedin macOS malware Microsoft X

Lazarus Gang Targets Job Seekers to Install Malware

Lazarus Gang Targets Job Seekers to Install Malware

North Korean hackers responsible for Contagious Interview are trapping job seekers in the cryptocurrency sector by using the popular ClickFix social-engineering attack strategy. They aimed to deploy a Go-based backdoor— earlier undocumented— known as GolangGhost on Windows and macOS systems. 

Hackers lure job seekers

The latest attack, potentially a part of a larger campaign, goes by the codename ClickFake Interview, according to French cybersecurity company Sekoia. Aka DeceptiveDeployment, DEV#POPPER, and Famoys Chollima; Contagious Interview has been active since December 2022, however, it was publicly reported only after late 2023. 

The attack uses legitimate job interview sites to promote the ClickFix tactic and deploy Windows and MacOS backdoors, said Sekoia experts Amaury G., Coline Chavane, and Felix Aimé, attributing the attack to the notorious Lazarus Group. 

Lazarus involved

One major highlight of the campaign is that it mainly attacks centralized finance businesses by mimicking firms like Kraken, Circle BlockFi, Coinbase, KuCoin, Robinhood, Tether, and Bybit. Traditionally, Lazarus targeted decentralized finance (DeFi) entities. 

Attack tactic explained

Like Operation Dream Job, Contagious Interview also uses fake job offers as traps to lure potential victims and trick them into downloading malware to steal sensitive data and cryptocurrency. The victims are approached via LinkedIn or X to schedule a video interview and asked to download malware-laced video conference software that triggers the infection process. 

Finding of Lazarus ClickFix attack

Security expert Tayloar Monahan first reported the Lazarus Group’s use of ClickFix in late 2022, saying the attack chains led to the installment of a malware strain called FERRET that delivered the Golang backdoor. In this malware campaign, the victims are prompted to use a video interview, ‘Willow,’ and do a sell video assessment. 

The whole process is carefully built to gain users and “proceeds smoothly until the user is asked to enable their camera,” Sekoia said. At this stage, an “error message appears, indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique," adds Sekoia. 

Different attack tactics for Windows and MacOS users

The prompts given to victims may vary depending on the OS. For Windows, victims are asked to open the Command Prompt and run a curl command to perform a Visual Basic Script (VBS) file to launch a basic script to run GolanGhost. MacOS victims are prompted to open the Terminal app and perform a curl command to run a malicious shell script, which then runs another shell script that runs a stealer module called FROSTYFERRET—aka ChromwUpdateAlert— and the backdoor. 

Read more »
TraderTraitor
Bitcoin Cyber Attacks CyberCrime Cybersecurity CyberThreat DMM FBI Ginco lazarus TraderTraitor

Bitcoin Heist in Japan Attributed to North Korean Cybercriminals

 


A joint alert from the FBI, the Department of Defense (D.O.D.) Cyber Crime Center and the National Police Agency of Japan reveal that a North Korean threat group carried out a significant cryptocurrency theft from Japan's crypto firm DMM in May 2024. The group, referred to as TraderTraitor—also known as Jade Sleet, UNC4899, and Slow Pisces — is believed to be linked to the Lazarus Group, a notorious hacking collective with ties to Pyongyang authorities.

The Lazarus Group, infamous for high-profile cyberattacks, gained notoriety for hacking Sony Pictures in retaliation for the 2009 film The Interview, which mocked North Korean leader Kim Jong Un. Their recent activities, however, focus on cryptocurrency theft, leveraging advanced social engineering techniques and malicious code.

Social Engineering and the Ginco Incident

In late March 2024, a TraderTraitor operative posing as a recruiter contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, via LinkedIn. Disguised as part of a pre-employment process, the operative sent a malicious Python script under the guise of a coding test. The employee unknowingly uploaded the script to their GitHub account, granting the attackers access to session cookie information and Ginco’s wallet management system.

The attackers intercepted legitimate transaction requests from DMM employees by maintaining this access. This led to the theft of over 4,500 bitcoins, valued at $308 million. The funds were traced to accounts managed by the TraderTraitor group, which utilized mixing and bridging services to obfuscate the stolen assets.

North Korea's Financial Strategy and Cryptocurrency Exploitation

With international sanctions severely restricting North Korea's access to global financial systems, the regime increasingly relies on cybercrime and cryptocurrency theft for revenue generation. Due to their decentralized and pseudonymous nature, cryptocurrency presents a lucrative target for laundering stolen funds and bypassing traditional banking systems.

Chainalysis Findings

Blockchain intelligence firm Chainalysis attributed the DMM Bitcoin hack to North Korean actors. The attackers exploited weaknesses in the platform's infrastructure to perform unauthorized withdrawals. The stolen cryptocurrency was routed through multiple intermediary addresses and processed via the Bitcoin CoinJoin mixing service to conceal its origins. Portions of the funds were further transferred through various bridge services before being channelled to HuiOne Guarantee, a website linked to the Cambodian conglomerate HuiOne Group, a known facilitator of cybercrime.

Additional Findings by AhnLab Security Intelligence Center

The AhnLab Security Intelligence Center (ASEC) has reported another North Korean threat actor, Andariel — part of the Lazarus Group — deploying a backdoor known as SmallTiger. This tool has been used in campaigns parallel to those executed by TraderTraitor, highlighting the group's continued evolution in cybercrime tactics.

The coordinated alert from international agencies underscores the urgent need for enhanced cybersecurity measures within the cryptocurrency industry to counter sophisticated threats like those posed by the Lazarus Group and its affiliates.


Read more »
Web3
Bitcoin Crypto Currency ETF Ether lazarus North Korea Web3

North Korean Hackers Attacking Crypto Industry, Billions at Risk

North Korean Hackers Attacking Crypto Industry, Billions at Risk

The United States Federal Bureau of Investigation (FBI) has recently highlighted a significant cybersecurity threat posed by North Korean cybercriminals targeting the web3 and cryptocurrency sectors. 

Why Hackers Target ETFs?

The cryptocurrency industry has witnessed tremendous growth, Ether and Bitcoin are game changers. The rise has led to financial instruments like ETFs (Exchange-traded funds) that allow investors access without owning them directly. But, with the increase of crypto technologies, security questions have also surfaced. 

The United States FBI recently warned about a major cybersecurity threat from North Korean hackers targeting cryptocurrency and web3 sectors. Billions of dollars go into these crypto ETFs, but investors shouldn’t be hasty to think their assets are secure. 

Lazarus Behind Attacks

Lazarus (a North Korean state-sponsored group) is no stranger to the cryptocurrency market and is allegedly responsible for various attacks against famous exchanges and blockchain protocols. Officials are concerned about hackers attacking crypto-backed ETFs by targeting the underlying assets. 

North Korean hackers are using advanced engineering methods to fool employees at decentralized finance (DeFi) and cryptocurrency firms. The hackers impersonate high-profile figures within an organization and or make specific scenarios based on the target’s position, business interests, or skills to get in their good books. 

“The actors may also impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate. Examples of fake North Korean websites can be found in affidavits to seize 17 North Korean domains, as announced by the Department of Justice in October 2023,” the FBI warned.

The FBI Warning

The FBI has warned against storing private cryptocurrency wallet data on web-connected devices as they may be victims of hacking attacks. If these requests come from unfamiliar sources, organizations should be careful when using non-standard software or applications on their network.

North Korean hackers have already stolen sensitive data from Bitcoin companies by using fake job ads. The FBI’s warning is a wake-up call for web3 and cryptocurrency firms to advance their cybersecurity systems and be careful against these rising attacks. 

“The actors usually attempt to initiate prolonged conversations with prospective victims to build rapport and deliver malware in situations that may appear natural and non-alerting. If successful in establishing bidirectional contact, the initial actor, or another member of the actor’s team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust,” the FBI reports.

Read more »
zero Day vulnerability
APTs Citrine Sleet CyberCrime Cybersecurity CyberThreat FudModule Rootkit Googlex Chrome lazarus Microsoft ransomware attacks Vulnerabilites and Exploits zero Day vulnerability

Citrine Sleet APT Exploits Chrome Zero-Day Vulnerability for Rootkit Infiltration

 


It is believed that North Korean hackers have been able to use unpatched zero-day in Google Chrome (CVE-2024-7971) to install a rootkit called FudModule after gaining admin privileges by exploiting a kernel vulnerability in Microsoft Windows. An investigation by Microsoft has revealed that a North Korean threat actor exploited a zero-day vulnerability in the Chromium browser that has been tracked as CVE-2024-7971 to conduct a sophisticated cyber operation.  

According to the report, Citrine Sleet, the notorious group behind the attack that targets cryptography sectors in particular, is responsible for the attack. It has been reported that CVE-2024-7971 is a type of confusion vulnerability in the V8 JavaScript and WebAssembly engine that had been impacted in versions of Chrome before 128.0.6613.84. By exploiting this vulnerability, threat actors could gain remote code execution (RCE) access to the sandboxed Chromium renderer process and conduct a remote attack. 

There was a vulnerability that was fixed by Google on August 21, 2024, and users should ensure that they are running the most recent version of Chrome. It is clear from this development that the nation-state adversary is trying to increase its penetration of Windows zero-day exploits in recent months, indicating that they are persistent in their efforts to acquire and introduce oodles of zero-day exploits. 

A Microsoft security researcher found evidence that Citrine Sleet (formerly DEV-0139 and DEV-1222) was responsible for the activity. Citrine Sleet is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736, all of which are associated with Citrine Sleet. There is an assessment that this sub-cluster is part of the Lazarus Group (a.k.a. Diamond Sleet and Hidden Cobra) which is related to Lazarus. 

Several analysts have previously credited the use of AppleJeus malware to a Lazarus subgroup called BlueNoroff (also known as APT38, Nickel Gladstone, and Stardust Chollima), indicating the fact that the threat actors share both toolsets and infrastructure from one subgroup to another. Some cybersecurity vendors maintain track of this North Korean threat group under different names, such as AppleJeus, Labyrinth Chollima, and UNC4736, among others. 

Hidden Cobra is a term used by the U.S. government to describe malicious actors sponsored by the North Korean government collectively as being influenced by the state. It is mostly targeted at financial institutions, with a special focus on cryptocurrency organizations and individuals who are closely associated with the cryptocurrency industry. 

In the past, it has been linked to Bureau 121 of the Reconnaissance General Bureau of North Korea, where it practices intelligence gathering. Moreover, North Korean hackers are also known for using malicious websites that appear to be legitimate cryptocurrency trading platforms to infect prospective victims with fake job applications, weaponized cryptocurrency wallets, and cryptocurrency trading apps designed to steal sensitive information. 

This is the first time UNC4736 malware has been identified in a supply chain attack, for example in March 2023 it attacked the Electron-based desktop client of video conferencing software provider 3CX. Further, they were able to breach the website of Trading Technologies, an automation company for stock market trading, to sneakily push trojanized versions of the X_TRADER software into the system. In a March 2022 report, Google's Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies' website, highlighting AppleJeus as being behind the attack. 

For years, the U.S. government has repeatedly issued warnings about state-sponsored cyberattacks targeting cryptocurrency-related businesses and individuals with AppleJeus malware that is backed by the North Korean government. As a result of the security vulnerability CVE-2024-7971 that was discovered last week, Google patched Chrome's version 8 JavaScript engine and reported it as a type confusion vulnerability. 

In a recent cybersecurity incident report, it was revealed that victims were directed to a domain controlled by the threat group Citrine Sleet, identified as voyagorclub[.]space. The exact method by which victims were lured to this domain remains undetermined, though it is suspected that social engineering tactics were employed. This is consistent with Citrine Sleet’s established modus operandi, which frequently involves manipulating individuals through social engineering to initiate attacks. 

Upon successful redirection to the malicious domain, attackers leveraged a zero-day remote code execution (RCE) vulnerability, identified as CVE-2024-7971. This vulnerability is linked to a type of confusion flaw in Chrome’s V8 JavaScript engine. Google addressed this security issue in a recent patch, highlighting that it allowed attackers to achieve RCE within the sandboxed Chromium renderer process of the victim's browser. Once inside this sandboxed environment, the attackers further escalated their access by exploiting a secondary vulnerability in the Windows kernel. 

The additional vulnerability, CVE-2024-38106, was exploited to escape the browser’s sandbox environment. This kernel vulnerability, which Microsoft had patched in their latest Patch Tuesday release, allowed attackers to gain SYSTEM-level privileges on the compromised system. Following this, the attackers downloaded and activated a highly sophisticated rootkit known as FudModule. This malware, when loaded into memory, enabled direct kernel object manipulation (DKOM), providing attackers with the capability to bypass critical kernel security measures.

The FudModule rootkit is particularly concerning, as it is designed to manipulate kernel-level processes, enabling attackers to establish persistent backdoor access to the compromised system. Through DKOM, the rootkit effectively tampers with core system functions, allowing attackers to evade detection, steal sensitive information, and potentially deploy additional malicious software. Interestingly, the FudModule rootkit has been linked to another North Korean state-sponsored group known as Diamond Sleet, which has utilized this malware since its discovery in October 2022. 

This suggests a potential collaboration between Citrine Sleet and Diamond Sleet or, at the very least, shared access to malicious tools and infrastructure. Furthermore, the rootkit bears similarities to tools used by another notorious hacking group, the Lazarus Group, indicating that FudModule may be part of a broader North Korean cyber-espionage toolkit. Citrine Sleet's attack demonstrates a highly coordinated and multi-faceted approach, beginning with social engineering techniques to lure victims to a compromised domain and culminating in the exploitation of critical vulnerabilities to gain deep control over target systems. 

By leveraging both CVE-2024-7971 and CVE-2024-38106, the attackers were able to bypass multiple layers of security, from browser sandboxing to Windows kernel defences. Microsoft has issued a series of recommendations to help organizations mitigate the risk of such attacks. They stress the importance of maintaining up-to-date software and operating systems, as timely patching is critical to closing vulnerabilities before they can be exploited. 

Additionally, Microsoft advocates for the deployment of security solutions that provide unified visibility across the entire cyberattack chain. Such tools can detect and block attacker tools and post-compromise malicious activity. Lastly, strengthening the configuration of the operating environment is recommended to minimize the likelihood of successful exploitation and post-compromise activity. This incident underscores the evolving nature of cyber threats and highlights the importance of proactive cybersecurity measures to detect, block, and mitigate advanced persistent threats (APTs).
Read more »
Unibot
Apple MacOS Cryptocurrency exchange KandyKorn KandyKorn malware lazarus Lazarus Group malware North Korean Hackers Unibot

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Read more »
State Sponsored Hackers
cyber espionage lazarus malware Malware loader State Sponsored Hackers

North Korean Links: Lazarus Group Strikes Again. This time via Unpatched Software Flaws


North Korean hackers spreading malware through legit software

North Korean hackers are spreading malware by exploiting known flaws in genuine software. The Lazarus group targets a version of an undisclosed software product for which vulnerabilities have been documented and solutions are available in a new campaign discovered by Kaspersky researchers.

Despite the vulnerabilities being disclosed and patched, the new advanced persistent threat campaign attacking companies globally used known flaws in a previous version of an unnamed software to encrypt web connection via digital certificates.

Threat actors used software to gain entry points

According to Kaspersky, hackers from the Lazarus group exploited the insecure software and used it as an entry point to breach organizations and encrypt web communication using digital certificates.

North Korea uses "cyber intrusions to conduct both espionage and financial crime in order to project power and finance both their cyber and kinetic capabilities," according to research by Google's Mandiant threat intelligence department. 

UN alleges North Korean links

Under Kim Jong Un's leadership, the DPRK is linked with a variety of state-sponsored hacking teams both at home and abroad that collect espionage on allies, opponents, and defectors, as well as hack banks and steal cryptocurrency. The UN has earlier accused North Korea of using stolen assets to fund the country's long-range missile and nuclear weapons programs, as well as enticing the country's officials.

To control the victim, hackers used SIGNBT malware and the infamous LPEClient tool, which experts have seen in attacks targeting defense contractors, nuclear engineers, and the cryptocurrency sector, and which was discovered in the infamous 3CX supply chain attack. "This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload," said experts.

According to Kaspersky, the developers of the unknown software previously became a target to Lazarus. According to the report, this repeated breach indicates a determined and persistent threat actor with the likely goal of compromising important source code or interfering with the software supply chain.

A deep look into the malware

According to Kaspersky experts, in mid-July, they noticed an increasing number of attacks on many victims utilizing the prone software, and they discovered post-exploitation activity within the genuine software's processes.

To establish and maintain efforts on hacked machines, the threat actor used a variety of techniques, including the development of a file called ualapi.dll in the system folder, which is loaded by default by the spoolsv.exe process at each system boot. According to the experts, Lazarus hackers also built registry entries to run genuine files for the purpose of malicious side-loading, assuring a durable persistence mechanism.

Lazarus used that malware loader to spread additional malware to the victim computers, such as LPEClient and credential dumping applications. The tool allows in extracting victim data as well as downloading additional payloads from a remote server for activation in memory.

As previously stated by the experts, it now uses advanced tactics to improve secrecy while preventing detection, such as deactivating user-mode syscall hooking and restoring system library memory parts.

Read more »
North Korean Hackers
cryptocurrency Cyber Attacks CyberCrime Cybersecurity lazarus North Korean Hackers

North Korean Hacker Linked to Tornado Cash Laundering

 


After authorities banned the Russian-founded cryptocurrency platform Tornado Cash over its alleged support for North Korean hackers a year ago, it has been announced that two co-founders of the cryptocurrency mixer have been charged with money laundering and other crimes. 

According to the US Justice Department, Roman Semenov and Roman Storm have been charged with conspiring to commit money laundering, conspiring to violate sanctions, and conspiring to operate an unlicensed money-transmitting business. According to a statement issued on Friday. Semenov is expected to appear in court shortly. 

It has been announced that US law enforcement officials have charged Tornado Cash's founders with laundering more than $1 billion in criminal proceeds during their operations. There were also allegations of Roman Semenov and Roman Storm taking part in a scheme to launder millions of dollars for the Lazarus Group, a cybercrime organization with connections to the North Korean government, according to a statement made by the US Department of Justice. Storm has been arrested in the state of Washington, while Semenov continues to remain on the run from authorities. 

According to the indictment published yesterday, the defendants were charged with conspiring to launder money, conspiring to violate sanctions, and conspiring to operate an unlicensed money transfer business by committing these crimes. Semenov, a native of Russia, remains at large, according to a statement released by the Justice Department Wednesday regarding Storm's arrest in Washington State. 

As a consequence, programming experts have been using the open-source code of Tornado Cash to develop new applications that are similar to it. Tornado Cash is a blockchain-based application, or "smart contracts", that has been designed specifically for use with Ethereum and can still be used with that platform. 

Although smart contracts in the U.S. are technically illegal, many apps that interact with the Ethereum blockchain have blocked access to the Tornado Cash app due to sanctions put in place by the United States government. Key blockchain infrastructure providers like Infura and Alchemy – which is used by many of these apps – have censored Tornado Cash as a result of this ban. 

Tornado Cash is being described as a "money transfer service for illicit purposes" according to the indictment that was filed by the Department of Justice on Wednesday. However, Storm and Semenov knew their service would be used for illicit purposes when they designed it. Furthermore, the US Department of Justice alleged they maintained control over Tornado Cash, which was a tool that they could have used to monitor transactions or to implement other anti-money laundering features, despite publishing official statements that they had no control over Tornado Cash. 

In addition to the indictment mentioning Alexey Pertsev, another co-founder of the organization, many references are made to Pertsev who was arrested last year and is currently awaiting trial for money laundering charges in the Netherlands. 

To make sure deposits and withdrawals were tracked, the three founders decided to create an option to use this compliance tool, which was opt-in only. As the DOJ alleges, neither anti-money laundering nor know-your-customer information was collected by the tool, which they claim was not sufficient for their use. 

An association with Lazarus


Semenov and Storm are also accused in the indictment of laundering the proceeds of the Lazarus Group. They appear to have been laundering the money as well. 

A rogue nation has consistently targeted cryptocurrency businesses, healthcare providers, and IT vendors as part of its effort to accrue foreign currency through the sale of its goods and services in recent years.  

A group of people who are connected to Tornado Cash claim that hundreds of millions of dollars were laundered by Tornado Cash between April and May 2022 for Lazarus. A change was implemented in the Coin Mixer's services during this period according to Storm and Semenov's indictment, to show the public that they complied with sanctions by announcing that the Coin Mixer's services had been updated. In private chats, however, the pair agreed that although these changes could be made to Tornado Cash, they would not be able to prevent money laundering from occurring. 

Both Storm and Semenov have been charged with conspiring to commit money laundering, as well as conspiring to violate the International Economic Emergency Powers Act, both of which carry a maximum sentence of 20 years in prison if found guilty. The judgments against them carry a maximum sentence of 20 years in prison if found guilty. A criminal charge of conspiracy to operate an unlicensed money transfer business, which carries a maximum prison sentence of five years, has also been filed against the couple.     

During a written statement released by her lawyer, Brian Klein, a partner at Waymaker LLP, Storm's lawyer, expressed her frustration at the indictment and expressed her frustration at the charge. A new legal theory with dangerous implications for all software developers, Klein wrote in a letter to the Editor of the New York Times, supports the Justice Department's arrest of his client. 

The prosecution's investigation into Mr. Storm has been ongoing since last year, and he has been cooperating with that investigation for the past year, denying any involvement in the criminal case. In the course of the trial, a lot more information will also come out regarding this case.   
Read more »
Subscribe to: Posts (Atom)