Kaspersky Lab: Lazarus Group May be Targeting More Crypto Firms

Cybercrime is a longstanding problem that has plagued organizations, institutions, and government agencies across the globe. Enormous sums have been spent fighting this menace, which eats deep into the global economy. Alas, as more technologies and solutions are deployed in this fight, the modes and types of cybercrime keep evolving and adapting to the changes.

Because of this, fighting off the bad guys seems nearly impossible for both private and government organizations. However, large and medium organizations, which seem to be the most frequently targeted, have adopted security measures to protect themselves against the ‘bad guys.’

While these security measures have proven at least somewhat effective over the past decade, it is crucial to note that some of the old dogs are still around, this time with new tricks. One such ‘old dog with new tricks’ is the Lazarus APT group. Recent research by Kaspersky Lab shows that the Lazarus group is, in fact, still targeting crypto ventures. The notorious criminal group has already gained a reputation for defrauding crypto firms through its clever schemes.

The findings of the research show that the group is very much active and may be targeting Korea-based crypto firms. The team arrived at this conclusion after a careful investigation of the group's past and most recent attacks. They discovered recurring traits across the attacks, as well as lure documents written in the Korean language. In addition, the group's Windows malware samples are delivered via infected HWP files (Hangul Word Processor, a word processor developed in South Korea).

Although the group modifies its attacks from time to time, the researchers found that traits such as the method of communication, the hosting server, export function names, internal names, network communication, and backdoor functions are shared across the campaigns.

It will be recalled that this group applies clever methods in its operations. It is known to send documents with eye-catching titles that leave the reader eager to see the content. Curiosity gets potential victims to open the document, which carries the malware. The malware is designed to collect basic information from the host, download and upload files, execute system shell commands, set its sleep time, report its status, update its configuration, and exit when necessary. The group also builds in redundancy so that some malware remains on the system even after a component is detected.

These techniques make it very difficult to tell whether a system is infected. Another move by the group is to set up legitimate-looking servers: the research found that they even disguise their server script names as files from WordPress and other popular open source projects.

Furthermore, it is crucial to note that the group now targets both Windows and macOS. Crypto firms are therefore advised to be mindful of the files they open and the programs they run on their systems. One precaution is to use a separate, isolated system to open documents or run applications that come from new or suspicious sources.
