A new report shows that North Korea-linked Lazarus Group has adapted and evolved new techniques since initial attacks, and are using phony trading platforms linking to Telegram channels which distribute malware, as well as making their malware more stealthy by “adding an authentication mechanism in the macOS,” amongst other tactics. Since the group’s infamous previous campaign, ‘Operation Applejeus,’ victims have continued to lose bitcoin to the scams, and the report helps identify ways users can avoid falling prey to the traps.
Operation Applejeus, the Sequel
A new report from cybersecurity group Kaspersky reveals that infamous hacker group Lazarus, said to be linked to the Pyongyang region of North Korea and purportedly responsible for over $570 million in exchange hacks over recent years, has evolved its methods. Using phony exchange sites, Telegram groups, “homemade macOS malware” and “a multi-stage infection procedure,” the group ropes in unsuspecting victims, takes control as in the first Applejeus, but now relieves them of their bitcoins in more complex fashion.
The report details: “While tracking this campaign, we identified more heavily deformed macOS malware. At the time, the attacker called their fake website and application JMTTrading. Other researchers and security vendors found it too, and published IoCs with abundant technical details.”
Methodology and How to Stay Safe
While many of the detected scam sites and Telegram groups appear to now be inactive, Kaspersky notes: “We were able to identify several victims in this Operation AppleJeus sequel. Victims were recorded in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency business entities.
We speculate that the actor used free web templates like this to build their fake websites. Moreover, there is a Telegram address(@cyptian) on the Cyptian website. As we mentioned previously, the actor delivered a manipulated application via Telegram messenger.
In some instances Kaspersky suspects that malware was delivered via a Telegram group connected to a fake website. In others, links on fake sites are thought to be the avenue by which the now adapted and more complex Mac and Windows bugs enter a system. The updated means of attack appears to utilize multiple payloads in highly customized protocols designed carefully to evade detection.
“To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk,” the report details.
“In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload. We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected.”
Though these scam sites have been discovered, many more undoubtedly exist and users would do well to take precaution whenever dealing with a new group. As always in the crypto space: don’t trust, verify. If a website or Telegram group seems suspicious and has a strange url, a number of non-functional links, spelling errors, etc, it’s best not to trust it and of course never to download anything before doing further research.
What are your thoughts on Lazarus and the connected scams? Let us know in the comments section below.
Image credits: Shutterstock, fair use.
Want to create your own secure cold storage paper wallet? Check our tools section. You can also enjoy the easiest way to buy Bitcoin online with us. Download your free Bitcoin wallet and head to our Purchase Bitcoin page where you can buy BCH and BTC securely.
Purchase Bitcoin without visiting a cryptocurrency exchange. Buy BTC and BCH here.