Hacker Group Lazarus Continues to Attack, Now on Telegram

The North Korean hacker group Lazarus, with which many cyber attacks have been associated in recent years, including against users of cryptocurrencies and exchanges, continues to attack the cryptocurrency business with enhanced capabilities, Kaspersky Lab experts report.

This time, the attackers have significantly changed the attack methodology, but cryptocurrencies are still the main area of ​​their interest. They registered a nonexistent company to deliver malicious files to macOS users, and added an authentication mechanism that allows them to transfer data cautiously in the next step, and also learned how to load in memory without accessing the device’s disk. In addition, data downloaders for Windows have undergone significant processing.

One example of such malware is UnionCryptoTrader, which comes as a trading platform for smart cryptocurrency arbitrage, but actually steals user confidential data.

Image: Securelist.com

Analysts say that to spread their malware, hackers are increasingly resorting to the help of the Telegram messenger, a favorite means of communication between cryptocurrency traders.

Several fake ICO sites and trading platforms were discovered that contained links to malicious groups on Telegram.

Image: Securelist.com

Image: Securelist.com

Among the victims of the attack, dubbed the “Operation AppleJeus Sequel” as a continuation of the “Operation AppleJeus” in 2018, Kaspersky Lab identifies residents of the UK, Poland, Russia and China.

Image: Securelist.com

“We can observe that since the initial appearance of ‘Operation AppleJeus’, the authors have significantly changed their style. We assume that these types of attacks on the cryptocurrency business will continue and will become more thoughtful,” analysts added.

Earlier, the UN said that North Korea gained about $2 billion from hacking cryptocurrency exchanges and banks in order to finance its nuclear program.

Author: Marko Vidrih

Featured image credit: Pixabay