Federal authorities in the United States have effectively confiscated the Sinbad crypto mixer, a tool purportedly used by North Korean hackers from the Lazarus organization, in a key action against cybercriminal activities. The operation, which focused on the Lazarus group's illegal financial operations, is an important development in the continuous international effort to tackle cyber threats.
The Lazarus organization, a state-sponsored hacker outfit renowned for coordinating high-profile cyberattacks, is connected to North Korea, which is how the Sinbad cryptocurrency mixer got its reputation. A crucial component of this operation was reportedly played by the U.S. Department of Treasury.
The WannaCry ransomware assault in 2017 and the notorious Sony Pictures hack from 2014 are only two of the cybercrimes the Lazarus organization has been connected to. These occurrences highlight the group's advanced capabilities and possible threat to international cybersecurity.
According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.
At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.
Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information.
The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”
Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:
“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit.
Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.
However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.
The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.
The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.
According to a recent blog post by Elliptic, a blockchain intelligence firm, users of Atomic Wallet may have been targeted by Lazarus, the notorious hacking group from North Korea. The post highlights that Atomic Wallet users could have potentially become victims of Lazarus.
Hacking organizations 'Lazarus' and 'APT38' supported by the North Korean government were responsible for the loss of $100 million worth of Ethereum from Harmony Horizon in June 2022.
The funds and the seizure of stolen assets were reported to the authorities. The exploiters' activities closely resembled the attempt, which was undertaken on January 13, 2023, since more than $60 million was attempted to be laundered.
The Binance chain, Bitcoin, and Ethereum transfers are made possible through Harmony's Horizon Bridge. Numerous tokens worth $100,000,000 were taken from the network on June 23, 2022.
North Korean cybercriminals were actively shifting a portion of Harmony's Horizon bridge funds during the last weekend as the price of bitcoin approached $24,000. While several cryptocurrency exchanges instantly froze certain cash, Binance CEO Changpeng Zhao (CZ) claimed that some exchanges are not helpful in fighting crime, which made it easier to convert ETH to BTC.
According to reports, the APT38 was able to convert some of the $27 million in Ethers to Bitcoin and withdraw the money from exchanges. The Lazurus group has reportedly been shifting laundered money to a number of addresses in order to mask their true identity through multiple layers.
With the use of its Horizon Bridge, Harmony can transmit data to and from the Ethereum network, Binance Chain, and Bitcoin. On June 23, a number of tokens from the network valued at roughly $100 million were taken.
After the exploit, the Tornado Cash mixer processed 85,700 Ether, which was then deposited at various addresses. The hackers began transferring about $60 million of the stolen money via the Ethereum-based anonymity protocol RAILGUN on January 13. 350 addresses have been linked to the attack through numerous exchanges in an effort to escape detection, according to research by the cryptocurrency tracking tool MistTrack.
Cryptocurrency exchanges like Binance and Huobi have alerted authorities about stolen Harmony's Horizon Bridge funds by freezing them. This demonstrates how DeFi platforms and centralized exchanges are dependent on one another.
According to internet sleuth ZachXBT, the funds were stolen from the Harmony blockchain bridge hack from last year, which led to a whopping $100 million crypto compromise. Apparently, the same hacker group utilized Tornado Cash, a now banned crypto mixer that conceals names of people involved in the transaction, in order to carry out the attack.
As per the analysis, conducted by token movements, the ETH was routed through the anonymity system Railgun before being collected in wallets and sent to three significant crypto exchanges, possibly to be exchanged for fiat currency.
ZachXBT shared details of this week’s token movements on Twitter, claiming Lazarus Group has had “a very busy weekend” moving funds.
In the follow-tweets, ZachXBT also linked to the website Chainabuse.com where he shared a list of approximately 350,000 unique wallet addresses that were involved in the Friday’s operation.
On Monday, Binanace CEO Changpeng Zhao, better known as CZ too, commented on the situation. CZ claims that the hackers used Huobi, a competing exchange, rather than Binance this time as one of their exchanges. The hacker's accounts were subsequently frozen with Binance's assistance, he says.
CZ also disclosed that 124 BTC ($2.6m) had been seized from the hackers, indicating at least some of their ETH has been converted to BTC.
“We detected Harmony One hacker fund movement. They previously tried to launder through Binance and we froze his accounts. This time he used Huobi. We assisted Huobi team to freeze his accounts. Together, 124 BTC have been recovered,” he wrote.
Although, Huobi did not comment on the matter other than retweeting an article claiming that the exchange had frozen accounts containing money connected to the hack.
According to a report from South Korea's National Intelligence Service from December of last year, North Korean hackers have stolen more than $1 billion in digital assets since 2017.
Moreover, the report claims that around $626 million, or more than half of that estimated tally, was taken in 2022. It also stated that it is suspected that the North Korean government uses the money obtained from the theft to advance Pyongyang’s nuclear weapons program.
Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. An entity that Microsoft has termed as DEV-0139 posed as a cryptocurrency investment firm on Telegram and used an Excel file deployed with malicious "well-crafted" malware to attack systems and access them remotely.
The threat is part of a trend in cyberattacks showing a high degree of sophistication. In our case, the threat actor made a fake OKX employee profile and joined Telegram groups used for facilitating communication between VIP clients and cryptocurrency exchange platforms.
In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks.
There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary motives. Cyberattacks targeting the cryptocurrency market come in various forms, this includes fraud, vulnerability exploitation, fake apps, and use of info stealers, threat actors use these variables to steal cryptocurrency funds.
In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures.
The document offered correct information and high awareness of the ground reality of crypto trading, however, it also sideloaded an infected. DLL (Dynamic Link Library) file to make a backdoor into the user's system. The victim was then told to view the .dll file while discussing the course fees.
The attack method is popular, Microsoft suggests the attacker was the same as the one running .dll files for the same reasons in June, and also behind other cyberattack instances as well. As per Microsoft, DEV-0139 is the same threat actor that cybersecurity agency Volexity associated with North Korea's state-sponsored Lazarus Group.
It uses a malware strain called AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year and Kaspersky Labs documented it in 2020.
1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.
3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:
The cryptocurrency market is a lucrative interest for cybercriminals. Targeted victims are identified via trusted channels to better the chance of attack. While hackers prefer targeting big organizations, smaller organizations can also become an easy target of interest.