Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label lazarus. Show all posts
TraderTraitor
Bitcoin Cyber Attacks CyberCrime Cybersecurity CyberThreat DMM FBI Ginco lazarus TraderTraitor

Bitcoin Heist in Japan Attributed to North Korean Cybercriminals

 


A joint alert from the FBI, the Department of Defense (D.O.D.) Cyber Crime Center and the National Police Agency of Japan reveal that a North Korean threat group carried out a significant cryptocurrency theft from Japan's crypto firm DMM in May 2024. The group, referred to as TraderTraitor—also known as Jade Sleet, UNC4899, and Slow Pisces — is believed to be linked to the Lazarus Group, a notorious hacking collective with ties to Pyongyang authorities.

The Lazarus Group, infamous for high-profile cyberattacks, gained notoriety for hacking Sony Pictures in retaliation for the 2009 film The Interview, which mocked North Korean leader Kim Jong Un. Their recent activities, however, focus on cryptocurrency theft, leveraging advanced social engineering techniques and malicious code.

Social Engineering and the Ginco Incident

In late March 2024, a TraderTraitor operative posing as a recruiter contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, via LinkedIn. Disguised as part of a pre-employment process, the operative sent a malicious Python script under the guise of a coding test. The employee unknowingly uploaded the script to their GitHub account, granting the attackers access to session cookie information and Ginco’s wallet management system.

The attackers intercepted legitimate transaction requests from DMM employees by maintaining this access. This led to the theft of over 4,500 bitcoins, valued at $308 million. The funds were traced to accounts managed by the TraderTraitor group, which utilized mixing and bridging services to obfuscate the stolen assets.

North Korea's Financial Strategy and Cryptocurrency Exploitation

With international sanctions severely restricting North Korea's access to global financial systems, the regime increasingly relies on cybercrime and cryptocurrency theft for revenue generation. Due to their decentralized and pseudonymous nature, cryptocurrency presents a lucrative target for laundering stolen funds and bypassing traditional banking systems.

Chainalysis Findings

Blockchain intelligence firm Chainalysis attributed the DMM Bitcoin hack to North Korean actors. The attackers exploited weaknesses in the platform's infrastructure to perform unauthorized withdrawals. The stolen cryptocurrency was routed through multiple intermediary addresses and processed via the Bitcoin CoinJoin mixing service to conceal its origins. Portions of the funds were further transferred through various bridge services before being channelled to HuiOne Guarantee, a website linked to the Cambodian conglomerate HuiOne Group, a known facilitator of cybercrime.

Additional Findings by AhnLab Security Intelligence Center

The AhnLab Security Intelligence Center (ASEC) has reported another North Korean threat actor, Andariel — part of the Lazarus Group — deploying a backdoor known as SmallTiger. This tool has been used in campaigns parallel to those executed by TraderTraitor, highlighting the group's continued evolution in cybercrime tactics.

The coordinated alert from international agencies underscores the urgent need for enhanced cybersecurity measures within the cryptocurrency industry to counter sophisticated threats like those posed by the Lazarus Group and its affiliates.


Read more »
Web3
Bitcoin Crypto Currency ETF Ether lazarus North Korea Web3

North Korean Hackers Attacking Crypto Industry, Billions at Risk

North Korean Hackers Attacking Crypto Industry, Billions at Risk

The United States Federal Bureau of Investigation (FBI) has recently highlighted a significant cybersecurity threat posed by North Korean cybercriminals targeting the web3 and cryptocurrency sectors. 

Why Hackers Target ETFs?

The cryptocurrency industry has witnessed tremendous growth, Ether and Bitcoin are game changers. The rise has led to financial instruments like ETFs (Exchange-traded funds) that allow investors access without owning them directly. But, with the increase of crypto technologies, security questions have also surfaced. 

The United States FBI recently warned about a major cybersecurity threat from North Korean hackers targeting cryptocurrency and web3 sectors. Billions of dollars go into these crypto ETFs, but investors shouldn’t be hasty to think their assets are secure. 

Lazarus Behind Attacks

Lazarus (a North Korean state-sponsored group) is no stranger to the cryptocurrency market and is allegedly responsible for various attacks against famous exchanges and blockchain protocols. Officials are concerned about hackers attacking crypto-backed ETFs by targeting the underlying assets. 

North Korean hackers are using advanced engineering methods to fool employees at decentralized finance (DeFi) and cryptocurrency firms. The hackers impersonate high-profile figures within an organization and or make specific scenarios based on the target’s position, business interests, or skills to get in their good books. 

“The actors may also impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate. Examples of fake North Korean websites can be found in affidavits to seize 17 North Korean domains, as announced by the Department of Justice in October 2023,” the FBI warned.

The FBI Warning

The FBI has warned against storing private cryptocurrency wallet data on web-connected devices as they may be victims of hacking attacks. If these requests come from unfamiliar sources, organizations should be careful when using non-standard software or applications on their network.

North Korean hackers have already stolen sensitive data from Bitcoin companies by using fake job ads. The FBI’s warning is a wake-up call for web3 and cryptocurrency firms to advance their cybersecurity systems and be careful against these rising attacks. 

“The actors usually attempt to initiate prolonged conversations with prospective victims to build rapport and deliver malware in situations that may appear natural and non-alerting. If successful in establishing bidirectional contact, the initial actor, or another member of the actor’s team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust,” the FBI reports.

Read more »
zero Day vulnerability
APTs Citrine Sleet CyberCrime Cybersecurity CyberThreat FudModule Rootkit Googlex Chrome lazarus Microsoft ransomware attacks Vulnerabilites and Exploits zero Day vulnerability

Citrine Sleet APT Exploits Chrome Zero-Day Vulnerability for Rootkit Infiltration

 


It is believed that North Korean hackers have been able to use unpatched zero-day in Google Chrome (CVE-2024-7971) to install a rootkit called FudModule after gaining admin privileges by exploiting a kernel vulnerability in Microsoft Windows. An investigation by Microsoft has revealed that a North Korean threat actor exploited a zero-day vulnerability in the Chromium browser that has been tracked as CVE-2024-7971 to conduct a sophisticated cyber operation.  

According to the report, Citrine Sleet, the notorious group behind the attack that targets cryptography sectors in particular, is responsible for the attack. It has been reported that CVE-2024-7971 is a type of confusion vulnerability in the V8 JavaScript and WebAssembly engine that had been impacted in versions of Chrome before 128.0.6613.84. By exploiting this vulnerability, threat actors could gain remote code execution (RCE) access to the sandboxed Chromium renderer process and conduct a remote attack. 

There was a vulnerability that was fixed by Google on August 21, 2024, and users should ensure that they are running the most recent version of Chrome. It is clear from this development that the nation-state adversary is trying to increase its penetration of Windows zero-day exploits in recent months, indicating that they are persistent in their efforts to acquire and introduce oodles of zero-day exploits. 

A Microsoft security researcher found evidence that Citrine Sleet (formerly DEV-0139 and DEV-1222) was responsible for the activity. Citrine Sleet is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736, all of which are associated with Citrine Sleet. There is an assessment that this sub-cluster is part of the Lazarus Group (a.k.a. Diamond Sleet and Hidden Cobra) which is related to Lazarus. 

Several analysts have previously credited the use of AppleJeus malware to a Lazarus subgroup called BlueNoroff (also known as APT38, Nickel Gladstone, and Stardust Chollima), indicating the fact that the threat actors share both toolsets and infrastructure from one subgroup to another. Some cybersecurity vendors maintain track of this North Korean threat group under different names, such as AppleJeus, Labyrinth Chollima, and UNC4736, among others. 

Hidden Cobra is a term used by the U.S. government to describe malicious actors sponsored by the North Korean government collectively as being influenced by the state. It is mostly targeted at financial institutions, with a special focus on cryptocurrency organizations and individuals who are closely associated with the cryptocurrency industry. 

In the past, it has been linked to Bureau 121 of the Reconnaissance General Bureau of North Korea, where it practices intelligence gathering. Moreover, North Korean hackers are also known for using malicious websites that appear to be legitimate cryptocurrency trading platforms to infect prospective victims with fake job applications, weaponized cryptocurrency wallets, and cryptocurrency trading apps designed to steal sensitive information. 

This is the first time UNC4736 malware has been identified in a supply chain attack, for example in March 2023 it attacked the Electron-based desktop client of video conferencing software provider 3CX. Further, they were able to breach the website of Trading Technologies, an automation company for stock market trading, to sneakily push trojanized versions of the X_TRADER software into the system. In a March 2022 report, Google's Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies' website, highlighting AppleJeus as being behind the attack. 

For years, the U.S. government has repeatedly issued warnings about state-sponsored cyberattacks targeting cryptocurrency-related businesses and individuals with AppleJeus malware that is backed by the North Korean government. As a result of the security vulnerability CVE-2024-7971 that was discovered last week, Google patched Chrome's version 8 JavaScript engine and reported it as a type confusion vulnerability. 

In a recent cybersecurity incident report, it was revealed that victims were directed to a domain controlled by the threat group Citrine Sleet, identified as voyagorclub[.]space. The exact method by which victims were lured to this domain remains undetermined, though it is suspected that social engineering tactics were employed. This is consistent with Citrine Sleet’s established modus operandi, which frequently involves manipulating individuals through social engineering to initiate attacks. 

Upon successful redirection to the malicious domain, attackers leveraged a zero-day remote code execution (RCE) vulnerability, identified as CVE-2024-7971. This vulnerability is linked to a type of confusion flaw in Chrome’s V8 JavaScript engine. Google addressed this security issue in a recent patch, highlighting that it allowed attackers to achieve RCE within the sandboxed Chromium renderer process of the victim's browser. Once inside this sandboxed environment, the attackers further escalated their access by exploiting a secondary vulnerability in the Windows kernel. 

The additional vulnerability, CVE-2024-38106, was exploited to escape the browser’s sandbox environment. This kernel vulnerability, which Microsoft had patched in their latest Patch Tuesday release, allowed attackers to gain SYSTEM-level privileges on the compromised system. Following this, the attackers downloaded and activated a highly sophisticated rootkit known as FudModule. This malware, when loaded into memory, enabled direct kernel object manipulation (DKOM), providing attackers with the capability to bypass critical kernel security measures.

The FudModule rootkit is particularly concerning, as it is designed to manipulate kernel-level processes, enabling attackers to establish persistent backdoor access to the compromised system. Through DKOM, the rootkit effectively tampers with core system functions, allowing attackers to evade detection, steal sensitive information, and potentially deploy additional malicious software. Interestingly, the FudModule rootkit has been linked to another North Korean state-sponsored group known as Diamond Sleet, which has utilized this malware since its discovery in October 2022. 

This suggests a potential collaboration between Citrine Sleet and Diamond Sleet or, at the very least, shared access to malicious tools and infrastructure. Furthermore, the rootkit bears similarities to tools used by another notorious hacking group, the Lazarus Group, indicating that FudModule may be part of a broader North Korean cyber-espionage toolkit. Citrine Sleet's attack demonstrates a highly coordinated and multi-faceted approach, beginning with social engineering techniques to lure victims to a compromised domain and culminating in the exploitation of critical vulnerabilities to gain deep control over target systems. 

By leveraging both CVE-2024-7971 and CVE-2024-38106, the attackers were able to bypass multiple layers of security, from browser sandboxing to Windows kernel defences. Microsoft has issued a series of recommendations to help organizations mitigate the risk of such attacks. They stress the importance of maintaining up-to-date software and operating systems, as timely patching is critical to closing vulnerabilities before they can be exploited. 

Additionally, Microsoft advocates for the deployment of security solutions that provide unified visibility across the entire cyberattack chain. Such tools can detect and block attacker tools and post-compromise malicious activity. Lastly, strengthening the configuration of the operating environment is recommended to minimize the likelihood of successful exploitation and post-compromise activity. This incident underscores the evolving nature of cyber threats and highlights the importance of proactive cybersecurity measures to detect, block, and mitigate advanced persistent threats (APTs).
Read more »
Unibot
Apple MacOS Cryptocurrency exchange KandyKorn KandyKorn malware lazarus Lazarus Group malware North Korean Hackers Unibot

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Read more »
State Sponsored Hackers
cyber espionage lazarus malware Malware loader State Sponsored Hackers

North Korean Links: Lazarus Group Strikes Again. This time via Unpatched Software Flaws


North Korean hackers spreading malware through legit software

North Korean hackers are spreading malware by exploiting known flaws in genuine software. The Lazarus group targets a version of an undisclosed software product for which vulnerabilities have been documented and solutions are available in a new campaign discovered by Kaspersky researchers.

Despite the vulnerabilities being disclosed and patched, the new advanced persistent threat campaign attacking companies globally used known flaws in a previous version of an unnamed software to encrypt web connection via digital certificates.

Threat actors used software to gain entry points

According to Kaspersky, hackers from the Lazarus group exploited the insecure software and used it as an entry point to breach organizations and encrypt web communication using digital certificates.

North Korea uses "cyber intrusions to conduct both espionage and financial crime in order to project power and finance both their cyber and kinetic capabilities," according to research by Google's Mandiant threat intelligence department. 

UN alleges North Korean links

Under Kim Jong Un's leadership, the DPRK is linked with a variety of state-sponsored hacking teams both at home and abroad that collect espionage on allies, opponents, and defectors, as well as hack banks and steal cryptocurrency. The UN has earlier accused North Korea of using stolen assets to fund the country's long-range missile and nuclear weapons programs, as well as enticing the country's officials.

To control the victim, hackers used SIGNBT malware and the infamous LPEClient tool, which experts have seen in attacks targeting defense contractors, nuclear engineers, and the cryptocurrency sector, and which was discovered in the infamous 3CX supply chain attack. "This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload," said experts.

According to Kaspersky, the developers of the unknown software previously became a target to Lazarus. According to the report, this repeated breach indicates a determined and persistent threat actor with the likely goal of compromising important source code or interfering with the software supply chain.

A deep look into the malware

According to Kaspersky experts, in mid-July, they noticed an increasing number of attacks on many victims utilizing the prone software, and they discovered post-exploitation activity within the genuine software's processes.

To establish and maintain efforts on hacked machines, the threat actor used a variety of techniques, including the development of a file called ualapi.dll in the system folder, which is loaded by default by the spoolsv.exe process at each system boot. According to the experts, Lazarus hackers also built registry entries to run genuine files for the purpose of malicious side-loading, assuring a durable persistence mechanism.

Lazarus used that malware loader to spread additional malware to the victim computers, such as LPEClient and credential dumping applications. The tool allows in extracting victim data as well as downloading additional payloads from a remote server for activation in memory.

As previously stated by the experts, it now uses advanced tactics to improve secrecy while preventing detection, such as deactivating user-mode syscall hooking and restoring system library memory parts.

Read more »
North Korean Hackers
cryptocurrency Cyber Attacks CyberCrime Cybersecurity lazarus North Korean Hackers

North Korean Hacker Linked to Tornado Cash Laundering

 


After authorities banned the Russian-founded cryptocurrency platform Tornado Cash over its alleged support for North Korean hackers a year ago, it has been announced that two co-founders of the cryptocurrency mixer have been charged with money laundering and other crimes. 

According to the US Justice Department, Roman Semenov and Roman Storm have been charged with conspiring to commit money laundering, conspiring to violate sanctions, and conspiring to operate an unlicensed money-transmitting business. According to a statement issued on Friday. Semenov is expected to appear in court shortly. 

It has been announced that US law enforcement officials have charged Tornado Cash's founders with laundering more than $1 billion in criminal proceeds during their operations. There were also allegations of Roman Semenov and Roman Storm taking part in a scheme to launder millions of dollars for the Lazarus Group, a cybercrime organization with connections to the North Korean government, according to a statement made by the US Department of Justice. Storm has been arrested in the state of Washington, while Semenov continues to remain on the run from authorities. 

According to the indictment published yesterday, the defendants were charged with conspiring to launder money, conspiring to violate sanctions, and conspiring to operate an unlicensed money transfer business by committing these crimes. Semenov, a native of Russia, remains at large, according to a statement released by the Justice Department Wednesday regarding Storm's arrest in Washington State. 

As a consequence, programming experts have been using the open-source code of Tornado Cash to develop new applications that are similar to it. Tornado Cash is a blockchain-based application, or "smart contracts", that has been designed specifically for use with Ethereum and can still be used with that platform. 

Although smart contracts in the U.S. are technically illegal, many apps that interact with the Ethereum blockchain have blocked access to the Tornado Cash app due to sanctions put in place by the United States government. Key blockchain infrastructure providers like Infura and Alchemy – which is used by many of these apps – have censored Tornado Cash as a result of this ban. 

Tornado Cash is being described as a "money transfer service for illicit purposes" according to the indictment that was filed by the Department of Justice on Wednesday. However, Storm and Semenov knew their service would be used for illicit purposes when they designed it. Furthermore, the US Department of Justice alleged they maintained control over Tornado Cash, which was a tool that they could have used to monitor transactions or to implement other anti-money laundering features, despite publishing official statements that they had no control over Tornado Cash. 

In addition to the indictment mentioning Alexey Pertsev, another co-founder of the organization, many references are made to Pertsev who was arrested last year and is currently awaiting trial for money laundering charges in the Netherlands. 

To make sure deposits and withdrawals were tracked, the three founders decided to create an option to use this compliance tool, which was opt-in only. As the DOJ alleges, neither anti-money laundering nor know-your-customer information was collected by the tool, which they claim was not sufficient for their use. 

An association with Lazarus


Semenov and Storm are also accused in the indictment of laundering the proceeds of the Lazarus Group. They appear to have been laundering the money as well. 

A rogue nation has consistently targeted cryptocurrency businesses, healthcare providers, and IT vendors as part of its effort to accrue foreign currency through the sale of its goods and services in recent years.  

A group of people who are connected to Tornado Cash claim that hundreds of millions of dollars were laundered by Tornado Cash between April and May 2022 for Lazarus. A change was implemented in the Coin Mixer's services during this period according to Storm and Semenov's indictment, to show the public that they complied with sanctions by announcing that the Coin Mixer's services had been updated. In private chats, however, the pair agreed that although these changes could be made to Tornado Cash, they would not be able to prevent money laundering from occurring. 

Both Storm and Semenov have been charged with conspiring to commit money laundering, as well as conspiring to violate the International Economic Emergency Powers Act, both of which carry a maximum sentence of 20 years in prison if found guilty. The judgments against them carry a maximum sentence of 20 years in prison if found guilty. A criminal charge of conspiracy to operate an unlicensed money transfer business, which carries a maximum prison sentence of five years, has also been filed against the couple.     

During a written statement released by her lawyer, Brian Klein, a partner at Waymaker LLP, Storm's lawyer, expressed her frustration at the indictment and expressed her frustration at the charge. A new legal theory with dangerous implications for all software developers, Klein wrote in a letter to the Editor of the New York Times, supports the Justice Department's arrest of his client. 

The prosecution's investigation into Mr. Storm has been ongoing since last year, and he has been cooperating with that investigation for the past year, denying any involvement in the criminal case. In the course of the trial, a lot more information will also come out regarding this case.   
Read more »
ScarCruft
Data Breach Data Stolen lazarus Mashinostroyeniya Data Breach Missile Program North Korea Hackers NPO Mash ScarCruft

North Korean Hackers Breach Russia’s Top Missile Maker’s Data


Reuters reported on Tuesday about a North Korea-based elite hacker group that is in a bid to steal technology by covertly breaching the computer networks of a Russian missile developer giant. Apparently, the hackers have been running the campaign for nearly five months in 2022. 

The North Korean cyberespionage group has targeted Mashinostroyeniya, a rocket design based in Reutov, Moscow. The hackers group, code-named ScarCruft and Lazarus installed covert digital backdoors into the system at NPO Mashinostroyeniya and was located by Reuters’ James Pearson and Christopher Bing.

However, it has not been made clear as to what data was acquired in the breach. In the following month, the digital break-in Pyongyang introduced several new developments in its banned ballistic missile program, while is not clear if this was in any regards to the breach.

Moreover, no official confirmation has been provided of the espionage by NPO Mashinostroyeniya officials.

About the Targeted Company

The company, commonly known as NPO Mash, specialized in developing hypersonic missiles, satellite technologies and new-generation ballistic armaments. The company was prominent in the Cold War as a premier satellite maker for Russia's space program and as a provider of cruise missiles.

According to experts, the hackers garnered interest in the company after it underlined its mission to develop an Intercontinental Ballistic Missile (ICBM), capable of bringing catastrophe to the mainland United States.

Apparently, the hackers acquired access to the company’s documents and leaked them between 2021, and May 2022. Following this, the IT engineers detected the cybercrime activities, the news agency reported. 

Hackers Read Email Traffic, Jumped Between Networks and Extracted Data from the Company 

According to Tom Hegel, a security researcher with U.S. cybersecurity firm SentinelOne, following the hack, the hackers gained access to the company’s IT environment, which enabled them to read email traffic, jump between networks, and extract data. "These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims," Hegel said.

Digging further into the findings, Hegel’s team of security analysts discovered that one of the NPO Mash IT employees unintentionally exposed his company's internal communications while attempting to investigate the North Korean attack by uploading evidence to a secret portal used by cybersecurity researchers worldwide.

Experts speculate that the data stolen by the hacker group is of great importance, however, it will take a lot more information, effort and expertise for them to actually develop a missile. 

"That's movie stuff[…]Getting plans won't help you much in building these things, there is a lot more to it than some drawings," Hegel further added.

Read more »
Technology
Cyber Victim Cyberattacks Cybersecurity GitHub lazarus Malicious Threat NPM Package Technology

GitHub Issues Alert on Lazarus Group's Social Engineering Attack on Developers

 


According to a security alert issued by GitHub, this social engineering campaign is designed to compromise developers' accounts in the blockchain, cryptocurrency, online gambling, and cybersecurity industries. This is done through social engineering techniques. 

The campaign was reportedly linked to the Lazarus hacking group sponsored by the North Korean state. It was also linked to the groups Jade Sleet and TraderTraitor (both tools of Microsoft Threat Intelligence). There was a report released by the United States government in 2022 which detailed threat actors' tactics. 

Hacking group targets cryptocurrency companies and cybersecurity researchers to eavesdrop on them and steal their coins. The Lazarus Group is a cybercrime organization that targets cryptocurrency companies and cyber researchers using various names, such as Jade Sleet and TraderTraitor. Cyberespionage and cryptocurrency theft are two of the group's activities. According to GitHub, no GitHub accounts were compromised in this campaign, nor were any npm systems accounts.  

Lazarus Group reportedly uses legitimate GitHub or social media accounts that have been compromised or fake personas to pose as developers or recruiters on the platforms where they operate. This includes GitHub or social media. There is a wide range of personas designed to engage individuals in targeted industries. Ultimately, these personas will lead individuals to another platform, such as WhatsApp, through conversation. 

It is normally threat actors who initiate collaboration on a project. They invite targets to clone a GitHub repository related to media players and cryptocurrency trading tools after establishing trust between them. There are, however, malicious NPM dependencies on these projects that can download additional malware onto the devices of their targets. 

In June 2022, Phylum published a report on NPM packages that have been based on malicious code, with details about how they behave despite GitHub not providing details about the malware's specific behavior. Phylum reports that these packages function as malware downloaders that connect to remote websites via a browser. The download of additional payloads onto the infected machine. Several limitations in the payload reception process meant that researchers were unable to analyze the final malware delivered. 

As a consequence of this campaign, all NPM accounts and GitHub accounts associated with it have been suspended by GitHub. Additionally, they have published a list of indicators that can be used to identify whether a campaign is successful, including domains, GitHub accounts, and NPM packages. GitHub says the campaign was not intended to damage their systems. 

Lazarus has run previous social engineering campaigns similar to this one in the past. A few of these attacks included the targeting of security researchers in January 2021, a fake company website that was created in March 2021, and a fake email campaign in July 2021. As a result of these attacks, threat actors were effective at creating elaborate personas and distributing malware disguised as exploits for vulnerabilities. 

Lazarus is a group that targets cryptocurrency companies and developers to fund initiatives for the North Korean government. Several million dollars worth of cryptocurrency was stolen from them due to their involvement in the crime. It is worth noting that the theft of over 617 million dollars worth of Ethereum and USDC tokens was reported in an attack recently on Axie Infinity. 

Aside from fund theft and phishing scams, Lazarus has allegedly employed other tactics as well, including sending malicious PDF files disguised as job offers to targets that could compromise their bank accounts. In this case, the group has successfully delivered malware using false employment opportunities as a method of delivering their malware. 

Those in the target industries and developers should remain vigilant against the various types of social engineering attacks that are out there. Generally, individuals can protect themselves and their devices from malicious software and potentially compromised devices if they are aware of the tactics used by threat actors and adopt good cybersecurity practices, such as verifying the authenticity of requests and avoiding links and downloads that appear suspicious or unknown. 

Attack Process by the Lazarus Group


To begin with, the threat actor claims to be a developer or recruiter. He poses as them on GitHub and other social media websites related to the developer or recruiter niche. For contacting victims, they use their accounts as well as compromised accounts by Jade Sleet exploited by the group. 

There may be instances when the actor initiates contact on one platform and switches to another platform after a few minutes. When a threat actor connects with a victim he or she invites the victim to collaborate on a GitHub repository and uses the target as a means of cloning and executing the contents of the repository. The attacker may send the malicious software directly through a messaging service or file-sharing service, without inviting people to the repository and cloning it, in some cases. 

A malicious npm dependency has been included in the GitHub repository for the software. In addition to media players, the threat actor uses tools for selling cryptocurrencies in some of the software he builds. In addition to the malicious npm packages, these malicious npm packages also download secondary malware onto the victim's machine. A malicious package will normally not be published until a fake repository invitation is sent to you by an unknown threat actor.  

IOC details have been shared on the GitHub blog along with the suspension of npm and GitHub accounts associated with the campaign. As a practice, the most effective method of avoiding this campaign is to be cautious of social media solicitations for collaboration on or the installation of software that relies on NPM packages or dependencies. 

Lazarus Attacks in The Past 


Cryptocurrency companies and developers have been the target of North Korean hackers for a long time to steal assets needed to fund their country's initiatives. To steal cryptocurrency wallets and funds, Lazarus spreads Trojanized cryptocurrency wallets and exchange apps to target cryptocurrency users. 

It has been revealed that the U.S. Secret Service and the FBI have linked the Lazarus group to the theft of USDC and Ethereum tokens worth over $617 million from the blockchain-based game Axie Infinity by members of the Lazarus group. A malicious laced PDF file was later revealed to have been sent to one of the blockchain engineers by the threat actors, claiming to be a lucrative job offer disguised as a malicious PDF file. In this case, the attack was a result of this. 

Additionally, in 2020, a campaign called "Operation Dream Job" was used to deliver malware to employees at prominent aerospace and defense companies in the US through fake employment opportunities used to spread malware to them.
Read more »
Subscribe to: Posts (Atom)