North Korean Hackers Launch New Scheme


In the world of crypto hacks and scams, the Lazarus group is quite infamous. Believed to be sponsored by the North Korean government, this group is tied to the theft of hundreds of millions of dollars in cryptocurrency. These funds, in turn, are believed to be used to fund the country’s nuclear weapons program. 

Well, it seems the group has not let up over the years, as it is now being linked to a new hacking scheme. This scheme, according to Washington D.C.-based cybersecurity firm Volexity, involves the use of malware distributed through crypto sites to steal both money and information from third parties. 

The Lazarus Group Strikes Again

The method of choice for the group seems to be getting unsuspecting victims to download variations of the AppleJeus malware. The group got users to do this by registering the site bloxholder[.]com and then cloning a legitimate website for crypto trading. 

When users log into the website, they are prompted to download a Microsoft Installation (MSI) file which, unknown to them, has the infamous AppleJeus malware within it. While this method of tricking users into installing malware is fairly common in the industry (and has been used by the Lazarus group in the past), this new scheme has a twist to it. 

According to the report by Volexity, the program is designed to use a technique called ‘chained DLL side-loading’.

“It is not clear why the threat actor added this additional step. It could cause some confusion and slow down malware analysis, but ultimately the location of the files is still the same as using the conventional method,” the report says. 

Furthermore, the company found that the Lazarus Group made a slight departure from the use of an MSI file to trick victims and moved on to a Microsoft Word document called OKX Binance & Huobi VIP fee comparision.xls. This document shows the different trading fees for various cryptocurrencies and exchanges and, overall, looks legitimate. 

But it is not. Within the document, there are ‘macros’ which are used to fully deploy the malware on the victim’s computer. To mitigate these, Volexity has recommended that users block the automatic deployment of macros within the documents they download. 

What Can Consumers Do?

The report concluded by re-stating that the Lazarus Group has not slowed down its activities but only continues to make its methods more sophisticated to avoid detection. 

“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to elude detection, they have decided to use chained DLL side-loading to load their payload. Additionally, Volexity has not previously noted the use of Microsoft Office documents to deploy AppleJeus variants. Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances,” it said. 

Luckily, crypto users were given some tips to avoid falling victim, such as blocking macro execution in Microsoft Office, monitoring activity on their computers, and blocking the specific IOCs published in the report.
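As an added example (not code from the article or from Volexity's report), the script below shows what "blocking specific IOCs" looks like in practice on the defensive side: it refangs indicators published in the defanged form used above (bloxholder[.]com), matches them against web-proxy log lines, and raises the severity when the request fetched an installer or Office document from a listed domain, the two delivery vehicles the article describes. The log line format, the host names and the file names are constructed for the example; only the domain comes from the article.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator list as it would be copied from a report. The domain is the one
# named in the article; any others added here would be assumptions.
DEFANGED_IOCS = ["bloxholder[.]com"]

# File types the article associates with the lure: MSI installers and
# Office documents carrying macros.
SUSPECT_EXT = (".msi", ".xls", ".xlsm", ".doc", ".docm")

# Assumed proxy log shape: "<timestamp> <client-host> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into a matchable domain."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip("/")


@dataclass
class Hit:
    ts: str
    host: str
    url: str
    reason: str


def analyse(lines, iocs=DEFANGED_IOCS):
    """Return one Hit per log line whose URL host is a listed IOC or a subdomain of it."""
    blocklist = {refang(i) for i in iocs}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected shape; skip rather than guess
        url = m["url"]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Exact match or subdomain match (cdn.bloxholder.com hits bloxholder.com).
        matched = next(
            (d for d in blocklist if host == d or host.endswith("." + d)), None
        )
        if matched is None:
            continue
        reasons = [f"ioc-domain:{matched}"]
        path = parts.path.lower()
        if path.endswith(SUSPECT_EXT):
            reasons.append("installer-download:" + path.rsplit(".", 1)[-1])
        hits.append(Hit(m["ts"], m["host"], url, "; ".join(reasons)))
    return hits


# Constructed sample log lines (not real traffic).
LOGS = [
    "2023-01-10T09:12:01Z ws-17 GET https://bloxholder.com/ 200",
    "2023-01-10T09:12:05Z ws-17 GET https://bloxholder.com/download/installer.msi 200",
    "2023-01-10T09:13:40Z ws-22 GET https://example.org/docs/report.pdf 200",
    "2023-01-10T09:15:02Z ws-09 GET https://cdn.bloxholder.com/static/app.js 200",
]

if __name__ == "__main__":
    for h in analyse(LOGS):
        print(f"{h.ts} {h.host} {h.url} -> {h.reason}")
```

Matching on the host rather than on the raw URL string avoids misses when the indicator appears with a different scheme, port or path, and the subdomain rule covers content servers under the same registered domain. The installer flag is what lets a triage queue put the second line ahead of the first: a visit to the cloned site is worth a look, a completed download of an MSI from it is worth an incident ticket.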
