Lazarus Group

North Korean Lazarus Group is aiming for crypto funds by using fake names of a crypto investment company.

Microsoft and cybersecurity firm Volexity has detected the latest version of AppleJeus malware to the hackers backing Ronin exploit and several other online thefts.

Hacker’s plan analysis: Microsoft  

Microsoft stated that the threat actor had been recognized as aiming at cryptocurrency investment startups. The threat actor aims for his target with the help of the Telegrams chat group. Microsoft detected that the threat actor, DEV-0139, acted as a fake cryptocurrency investment company to gain the target’s trust. 

The aiming style of the threat actor is very rare. He also created a fake profile named OKX employees to join the Telegram chat groups. “used to facilitate communication between VIP clients and cryptocurrency exchange platforms.” Microsoft expressed in a report on December 6.

Microsoft stated, “We are […] seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads.”

This year in October, the threat actor invited targets to different chat groups to take feedback on the fee structure of several cryptocurrency exchange platforms.

Microsoft blog report says, “After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies.”

A documented file provides highly accurate data, information and awareness of the reality of crypto trading; the document aims to invisibly load a malicious. Dynamic Link Library file to create a loop door to enter into the user’s system.

The actor indirectly asked Target to open this file in between the discussion. 

This attack style is known and was already used earlier. Microsoft declared that the threat actor was the same as found earlier using .dll files with the same intention in June and is also following other previous incidents. According to Microsoft, DEV-0139 is detected to be the same actor that cybersecurity firm Volexity is related to North Korea’s state-sponsored Lazarus Group.



, ,