- A group of North Korean hackers creates fake cryptocurrency websites in a scheme to steal Bitcoin.
- The hackers use Telegram groups to infect macOS and Windows devices with malware.
The Lazarus hacker group associated with the North Korean government has developed a new modus operandi for stealing Bitcoin. The security firm Kaspersky published a report detailing the group’s operations. According to their research, the group has attacked individuals in Russia, China, the United Kingdom, Poland and financial institutions around the world.
Kaspersky Labs determined that the cryptocurrency theft operation known as “Operation AppleJeus Sequel” has been active since 2018. The group uses various methods to attract victims and infect their computers with malware that modifies the software on the affected machines. In addition, the hackers use Telegram channels to spread the malware.
Modus Operandi of the Lazarus group: undetected theft of Bitcoin
“Operation AppleJeus Sequel” is a continuation of a previous operation launched by the Lazarus group in 2018. At that time, Kaspersky determined that the hackers had found a method of infecting macOS computers. The group was taking advantage of the trust that users place in their computers and their operating system. Since then, the group has developed a new method of attack that consists of building an entire fake infrastructure around the Bitcoin theft scheme.
The attack occurs in multiple stages. It involves the creation of fake web pages, companies and platforms, and the development of custom malware built specifically to attack macOS and Windows users. The first stage of the attack begins on these fake websites and platforms. Kaspersky Labs found some of these websites still active, such as cyptian and unioncrypto.
This infrastructure is the initial means by which users’ computers are exposed to the malware. The report states that the hackers pair these fake sites with Telegram channels, which add a second stage to their modus operandi. Telegram is one of the most popular means of communication in the crypto community.
The attackers take advantage of this to distribute “deliberately manipulated” applications. The security firm found an active channel used by the attackers. The Telegram channel was created in December 2018, which gives an idea of how old the operation is and how much time the hackers have had to perfect their modus operandi.
Users are then attacked according to their operating system and device. For macOS users, it was determined that the attackers use malware built specifically for these computers. Lazarus inserted an authentication mechanism into the malware, which affects the system without touching the disk. Kaspersky cites the example of a fake application called JMTTrading that uses a simple backdoor function during its execution.
Windows users are affected by a decryption mechanism that can be disguised as an updater for a specific wallet. Fortunately, the researchers were able to determine the name of the fake program: WFC wallet updater. In the image below, Kaspersky shows the execution flow of the malware created by the Lazarus group.
Attacks to steal Bitcoin will be more sophisticated
Although the security firm’s investigation was able to determine the current modus operandi of the Lazarus group, its conclusions are pessimistic. Kaspersky expects the attackers to keep changing their modus operandi and to become more sophisticated over time.
The cryptocurrency ecosystem is familiar with attacks of this nature. CNF has reported on two major attacks that have occurred in the crypto industry. The first was carried out against the Mt. Gox crypto exchange, and its victims are still waiting for restitution of their lost investment. A more recent attack involved the PlusToken wallet, which turned out to be a Ponzi scheme that stole more than $3 billion USD in Bitcoin and Ethereum.
The development of new malware and attack methods is forcing crypto users to be ever more vigilant about these kinds of attacks. In the future it may be difficult to determine at first sight whether a website is authentic or whether it is part of a much larger theft scheme.