Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korean Hackers. Show all posts
PylangGhost
Crypto Scam Infostealer malware North Korean Hackers PylangGhost

North Korean Hackers Target Crypto Professionals With Info-Stealing Malware

 

North Korean hackers are tricking crypto experts into attending elaborate phoney job interviews in order to access their data and install sophisticated malware on their devices. 

Cisco Talos disclosed earlier this week that a new Python-based remote access trojan called "PylangGhost" links malware to a North Korean hacking group dubbed "Famous Chollima," also known as "Wagemole.” "Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies," the researchers explained. 

The effort uses fake employment sites that mimic reputable businesses like Coinbase, Robinhood, and Uniswap to recruit blockchain and crypto experts in India. The scam begins with bogus recruiters guiding job seekers to skill-testing websites, where they submit personal information and answer technical questions. 

Following completion of the assessments, candidates are directed to allow camera access for a video interview, and then urged to copy and execute malicious commands masked as video driver installations. 

Dileep Kumar H V, director of Digital South Trust, told Decrypt that to combat these scams, "India must mandate cybersecurity audits for blockchain firms and monitor fake job portals.” “CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he stated, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.” 

The recently identified PylangGhost malware has the ability to harvest session cookies and passwords from more than 80 browser extensions, including well-known crypto wallets and password managers like Metamask, 1Password, NordPass, and Phantom. The Trojan runs remote commands from command-and-control servers and gains continuous access to compromised systems. 

This most recent operation fits in with North Korea's larger trend of cybercrime with a crypto focus, which includes the infamous Lazarus Group, which has been involved in some of the biggest heists in the industry. The regime is now focussing on individual professionals to obtain intelligence and possibly infiltrate crypto organisations from within, in addition to stealing money straight from exchanges. 

With campaigns like "Contagious Interview" and "DeceptiveDevelopment," the gang has been launching hiring-based attacks since at least 2023. These attacks have targeted cryptocurrency developers on platforms like GitHub, Upwork, and CryptoJobsList.
Read more »
North Korean Hackers
BitoPro hack crypto theft 2025 Cyber Attacks Lazarus Group cyberattack North Korean Hackers

BitoPro Blames North Korea’s Lazarus Group for $11 Million Crypto Theft During Hot Wallet Update

 

Taiwanese cryptocurrency exchange BitoPro has attributed a major cyberattack that resulted in the theft of approximately $11 million in digital assets to the infamous North Korean hacking group Lazarus. The breach occurred on May 8, 2025, when attackers exploited vulnerabilities during a hot wallet system upgrade.

According to BitoPro, its internal investigation uncovered evidence linking the incident to Lazarus, citing similarities in techniques and tactics observed in previous large-scale intrusions.

“The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges,” reads the company’s announcement.

BitoPro, which serves primarily Taiwanese customers and offers fiat currency transactions in TWD alongside various crypto assets, has over 800,000 registered users and processes nearly $30 million in trading volume each day.

During the attack, unauthorized withdrawals were conducted from an older hot wallet across multiple blockchains, including Ethereum, Tron, Solana, and Polygon. The stolen funds were subsequently funneled through decentralized exchanges and mixing services such as Tornado Cash, ThorChain, and Wasabi Wallet to obscure their origin.

Although the breach took place in early May, BitoPro publicly acknowledged the incident only on June 2, assuring users that platform operations remained unaffected and that impacted wallets were replenished using reserves.

The subsequent investigation concluded there was no evidence of insider involvement. Instead, attackers had carried out a sophisticated social engineering campaign that compromised an employee’s device responsible for managing cloud operations. Through this infection, they hijacked AWS session tokens, effectively bypassing multi-factor authentication protections to gain access to BitoPro’s cloud infrastructure.

The hackers’ command-and-control server then issued instructions to implant malicious scripts into the hot wallet host in preparation for the heist. By carefully simulating legitimate activity, they were able to transfer assets undetected when the wallet upgrade took place.

Once BitoPro became aware of the unauthorized activity, it deactivated the hot wallet system and rotated cryptographic keys, though by that point, roughly $11 million had already been drained.

The exchange has notified relevant authorities and collaborated with external cybersecurity specialists to conduct a thorough review, which concluded on June 11.

The Lazarus Group has developed a notorious reputation for targeting cryptocurrency platforms and decentralized finance ecosystems, with previous operations including a record-setting $1.5 billion theft from Bybit.
Read more »
OtterCookie
Infostealer Malicious Campaign malware North Korean Hackers OtterCookie

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

 

The North Korean hackers behind the ongoing Contagious Interview campaign have been observed launching a new JavaScript malware named OtterCookie. 

The campaign includes social engineering techniques, with the hacker team frequently posing as recruiters to trick job seekers into downloading malware during an interview process. This entails sharing malware-laced files via GitHub or the official package registry, paving the way for the propagation of malware like BeaverTail and InvisibleFerret. 

Palo Alto Networks Unit 42, which first detected the activity in November 2023, is tracking the cluster as CL-STA-0240. In September 2024, Singaporean cybersecurity company Group-IB disclosed the deployment of an upgraded version of BeaverTail that employs a modular approach, delegating its information-stealing capability to a collection of Python scripts known as CivetQ. 

According to the latest findings from Japanese cybersecurity company NTT Security Holdings, the JavaScript malware that launches BeaverTail is also designed to fetch and execute OtterCookie. 

The new malware is said to have been launched in September 2024, with a new variant identified in the wild last month. OtterCookie, upon running, establishes connections with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It is intended to execute shell commands that facilitate data theft, including files, clipboard items, and cryptocurrency wallet keys. 

The older OtterCookie variant discovered in September is functionally identical, but with a slight implementation difference: the cryptocurrency wallet key theft capability is directly incorporated into the malware, rather than a remote shell command. The discovery indicates that attackers are actively updating their tools while leaving the infection chain mostly intact, highlighting the campaign's efficacy. 

This comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organisation in connection with a fraudulent IT worker program engineered by North Korea to establish a regular source of funds. These funds are funnelled to North Korea, often through data theft and other illegal means. 

Kim Ryu Song, one of the 15 sanctioned individuals, was also charged by the U.S. Department of Justice (DoJ) earlier this month for allegedly participating in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organisations.
Read more »
UNC2970
Cyber Attacks Cyber-Espionage North Korean Hackers Threat Landscape UNC2970

North Korean Hackers Target Energy and Aerospace Industries in Novel Espionage Campaign

 

As per recent findings from Mandiant, companies operating in the energy and aerospace sectors are being targeted by a cyber-espionage campaign that has connections with North Korea.

The outfit behind the campaign, dubbed UNC2970, is most likely linked to North Korea and shares similarities with another Pyongyang-backed threat actor, TEMP.Hermit. Researchers at the Google-owned cybersecurity firm discovered UNC2970's latest campaign in June 2024 and published their findings on Tuesday. 

The group was initially identified in 2021, and it has since targeted victims in the United States, United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. 

According to the research, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for well-known companies. They eventually share a malware archive that claims to have a job description in PDF format.

The PDF file can only be read with a trojanized version of SumatraPDF, an actual open-source document viewer that installs a backdoor called Mistpen via the Burnbook launcher. Researchers revealed that the attackers updated the open-source code of an older version of SumatraPDF for this campaign, but that the SumatraPDF service itself was not compromised. UNC2970 uses real job description text to target victims, including those employed in critical infrastructure sectors in the United States. 

The Mistpen virus is a fork of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been upgraded over time with new features, including a network connectivity check, which complicates sample analysis, researchers noted. Although Mandiant does not name the specific victims of this attack, researchers believe the hackers are targeting senior or manager-level employees. 

"This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers stated. "The hackers also tailor their malicious messages to better align with the victim's profile."
Read more »
North Korean Hackers
American Firms Data Breach Data Theft EDR IT Sector North Korean Hackers

KnowBe4 Avoids Data Breach After Hiring North Korean Hacker


 

American cybersecurity firm KnowBe4 recently discovered that a new hire, brought on as a Principal Software Engineer, was actually a North Korean state actor. This individual attempted to install data-stealing malware on the company's devices, but the threat was identified and neutralised before any data breach occurred.

This incident is the testament to the persistent threat from North Korean operatives posing as IT professionals, a danger that the FBI has been warning about since 2023. North Korea has a well-organised network of IT workers who disguise their true identities to secure employment with American companies. The revenue generated by these infiltrators funds the country's weapons programs, cyber operations, and intelligence gathering.

How the Hacker Bypassed Checks

Before hiring the malicious actor, KnowBe4 conducted extensive background checks, verified references, and held four video interviews. Despite these precautions, the individual used a stolen U.S. identity and AI tools to create a fake profile picture that matched during the video calls. This deception enabled the hacker to bypass the initial vetting process.

On July 15, 2024, KnowBe4's Endpoint Detection and Response (EDR) system flagged an attempt to load malware from the Mac workstation recently issued to the new hire. The malware, designed to steal information stored in web browsers, was intended to capture any leftover credentials or data from the computer's previous user.

When confronted by KnowBe4's IT staff, the state actor initially offered excuses but soon ceased all communication.

Deceptive Hiring Practices

KnowBe4 CEO Stu Sjouwerman explained that the scheme involved tricking the company into sending the workstation to an "IT mule laptop farm" near the address provided by the fraudster. The hacker then used a VPN to connect to the device during U.S. working hours, making it seem like they were working as usual.

To prevent similar incidents, KnowBe4 advises companies to use isolated sandboxes for new hires, keeping them away from critical network areas. Additionally, firms should ensure that new employees' external devices are not used remotely and treat any inconsistencies in shipping addresses as potential red flags.

This incident at KnowBe4 zeroes in on the intricate  methods employed by North Korean hackers to infiltrate American companies. By staying vigilant and implementing robust security measures, firms can protect themselves from such threats.


Read more »
Tornado Cash
Axie Infinity cryptocurrency theft Cyber Crime decentralized mixers Horizon Bridge law enforcement actions Lazarus Group North Korean Hackers Sinbad.io Tornado Cash

Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering

 

The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate due to its decentralized nature, making it immune to seizure and shutdown like centralized mixers.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.
Read more »
North Korean Hackers
Coin Mixer Crypto Crime Cyber Crime cyber theft North Korean Hackers

North Korean Hacking Outfit Lazarus Siphons $1.2M of Bitcoin From Coin Mixer

 

Lazarus Group, a notorious hacker group from North Korea, reportedly moved almost $1.2 million worth of Bitcoin (BTC) from a coin mixer to a holding wallet. This move, which is the largest transaction they have made in the last month, has blockchain analysts and cybersecurity experts talking. 

Details of recent transactions

Two transactions totaling 27.371 BTC were made to the Lazarus Group's wallet, according to blockchain analysis firm Arkham. 3.34 BTC were subsequently moved to a separate wallet that the group had previously used. The identity of the coin mixer involved in these transactions remains unknown. Coin mixers are used to conceal the trail of cryptocurrency transactions, making it difficult to track down the ownership and flow of funds.

The Lazarus Group's latest effort adds to its long history of sophisticated cyber crimes, notably involving cryptocurrency. The US Treasury Department has linked them to a $600 million bitcoin theft from the Ronin bridge, which is linked to Axie Infinity, a famous online game. 

Growing cryptocurrency reservoir

According to Arkham, the Lazarus Group's combined wallet holdings are currently worth approximately $79 million. This includes around $73 million in Bitcoin and $3.4 million in Ether. This huge wealth accumulation through illicit techniques exemplifies the group's persistent and expanding cryptocurrency operations.

Furthermore, a recent TRM Labs study discovered that North Korean-affiliated hackers, notably the Lazarus Group, were responsible for one-third of all cryptocurrency attacks and thefts in 2023. These operations apparently earned them roughly $600 million. 

Cyber attack patterns  

Multiple cybersecurity firms have carried out investigations into the Lazarus Group's operational tactics. Taylor Monahan, a Metamask developer, stated that the latest Orbit assault, which resulted in a loss of $81 million, was similar to prior Lazarus Group operations. Such patterns provide significant insights into their strategies and can assist in the development of more effective defensive measures for future attacks.

Over the last three years, the cybersecurity firm Recorded Future has attributed more than $3 billion in cryptocurrency breaches and vulnerabilities to the Lazarus Group. Their consistent and effective execution of high-profile cyber thefts highlights the advanced nature of their skills, as well as the challenges encountered in combatting such attacks.
Read more »
South Korea
Andariel Data Breach Hacker group Military Data North Korea North Korean Hackers Ransomware group South Korea

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group for stealing critical defense secrets from South Korea’s defense companies. Allegedly, the laundering ransomware is redirected to North Korea. One of the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, like Bithumb and Binance, to launder the acquired ransom. Till now, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers proceeded to redirect the laundered money from the K Bank branch to a location close to the North Korea-China border. 

Seoul police noted that they have seized the domestic servers and virtual asset exchange used by Andariel to conduct their campaigns. Also, the owner of the account, that was used in transferring the ransom, has been detained. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses of the threat actor and have advised them to boost their cybersecurity and update security software to the latest versions. It has also been advised to organizations to encrypt any critical data, in order to mitigate any future attack. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

Read more »
USA officials
Crypto Crypto Currency Crypto Market Cryptominers cryptomixer Data Breach Lazarus Group North Korean Hackers State Sponsored Hackers USA officials

U.S. Seizes Sinbad Crypto Mixer Tied to North Korean Hackers

Federal authorities in the United States have effectively confiscated the Sinbad crypto mixer, a tool purportedly used by North Korean hackers from the Lazarus organization, in a key action against cybercriminal activities. The operation, which focused on the Lazarus group's illegal financial operations, is an important development in the continuous international effort to tackle cyber threats.

The Lazarus organization, a state-sponsored hacker outfit renowned for coordinating high-profile cyberattacks, is connected to North Korea, which is how the Sinbad cryptocurrency mixer got its reputation. A crucial component of this operation was reportedly played by the U.S. Department of Treasury.

The WannaCry ransomware assault in 2017 and the notorious Sony Pictures hack from 2014 are only two of the cybercrimes the Lazarus organization has been connected to. These occurrences highlight the group's advanced capabilities and possible threat to international cybersecurity.

The Sinbad crypto mixer, seized by U.S. authorities, was allegedly used by the Lazarus group to obfuscate and launder cryptocurrency transactions. Cryptocurrency mixers are tools designed to enhance privacy and security by mixing transactions with those of other users, making it challenging to trace the source and destination of funds. However, when used for illicit purposes, such mixers become a focal point for law enforcement.

The U.S. Department of the Treasury issued a press release on the matter, emphasizing the government's commitment to countering cyber threats and safeguarding the financial system's integrity. The move is part of a broader strategy to disrupt the financial networks that support malicious cyber activities.

The US Treasury Secretary stated, "The seizure of the Sinbad crypto mixer is a clear signal that the United States will not tolerate those who use technology to engage in malicious cyber activities. We are committed to holding accountable those who threaten the security and stability of our financial systems."

This operation highlights the collaboration between law enforcement agencies and the private sector in tackling cyber threats. It serves as a reminder of the importance of international cooperation to address the evolving challenges posed by state-sponsored hacking groups.

The seizure of the Sinbad cryptocurrency mixer is evidence of the determination of authorities to safeguard people, companies, and countries from the dangers of cybercrime, particularly at a time when the world community is still struggling to contain the sophistication of cyber threats.
Read more »
Unibot
Apple MacOS Cryptocurrency exchange KandyKorn KandyKorn malware lazarus Lazarus Group malware North Korean Hackers Unibot

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Read more »
North Korean Hackers
Cybersecurity Breach Data Breach LinkedIn messaging scam malicious software download Meta recruiter impersonation North Korean Hackers

Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company

 

The Lazarus Group, an entity linked to North Korea, has been identified in a cyber espionage operation aimed at an aerospace firm based in Spain. The scheme involved impersonating a Meta recruiter on LinkedIn to approach employees of the targeted company. 

These individuals were then tricked into opening a malicious file that masqueraded as a coding challenge or quiz. This attack is part of a broader spear-phishing campaign known as Operation Dream Job. Its goal is to entice employees from potential strategic targets with enticing job opportunities, thereby initiating the infection process.

In a recent technical report shared with The Hacker News, ESET security researcher Peter Kálnai shed light on the attack. In a previous incident this March, the Slovak cybersecurity company had outlined an attack focused on Linux users, where fake HSBC job offers were used to deploy a backdoor named SimplexTea.

The latest intrusion, designed for Windows systems, aims to install an implant referred to as LightlessCan. Kálnai emphasized the significance of this new payload, highlighting its sophistication and representing a substantial advancement compared to its predecessor, BLINDINGCAN. BLINDINGCAN, also known as AIRDRY or ZetaNile, is a multifaceted malware capable of extracting sensitive data from compromised hosts.

The attack unfolded as follows: the target received a message on LinkedIn from a counterfeit recruiter claiming to represent Meta Platforms. This recruiter sent two coding challenges as part of the supposed hiring process, ultimately convincing the victim to execute the test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.

ESET pointed out that these ISO files contained malicious binaries (Quiz1.exe and Quiz2.exe), which were downloaded and executed on a device provided by the company. This resulted in the system compromising itself and the corporate network being breached.

This attack sets the stage for an HTTP(S) downloader known as NickelLoader. This allows the attackers to deploy any desired program into the victim's computer memory, including the LightlessCan remote access trojan and a variant of BLINDINGCAN referred to as miniBlindingCan (aka AIRDRY.V2).

LightlessCan boasts support for up to 68 distinct commands, with 43 of them currently functional in its present version. Meanwhile, miniBlindingCan primarily focuses on transmitting system information and downloading files from a remote server.

One noteworthy feature of this campaign is the use of execution guardrails to prevent the payloads from being decrypted and run on any machine other than the intended victim's.

Kálnai highlighted that "LightlessCan emulates the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions." This strategic shift bolsters stealthiness, making it more challenging to detect and analyze the attacker's activities.

In recent months, the Lazarus Group and other threat clusters originating from North Korea have been notably active. They have conducted attacks spanning various sectors, including manufacturing and real estate in India, telecoms companies in Pakistan and Bulgaria, and government, research, and defense contractors in Europe, Japan, and the U.S., as per Kaspersky.
Read more »
North Korean Hackers
cryptocurrency Cyber Attacks CyberCrime Cybersecurity lazarus North Korean Hackers

North Korean Hacker Linked to Tornado Cash Laundering

 


After authorities banned the Russian-founded cryptocurrency platform Tornado Cash over its alleged support for North Korean hackers a year ago, it has been announced that two co-founders of the cryptocurrency mixer have been charged with money laundering and other crimes. 

According to the US Justice Department, Roman Semenov and Roman Storm have been charged with conspiring to commit money laundering, conspiring to violate sanctions, and conspiring to operate an unlicensed money-transmitting business. According to a statement issued on Friday. Semenov is expected to appear in court shortly. 

It has been announced that US law enforcement officials have charged Tornado Cash's founders with laundering more than $1 billion in criminal proceeds during their operations. There were also allegations of Roman Semenov and Roman Storm taking part in a scheme to launder millions of dollars for the Lazarus Group, a cybercrime organization with connections to the North Korean government, according to a statement made by the US Department of Justice. Storm has been arrested in the state of Washington, while Semenov continues to remain on the run from authorities. 

According to the indictment published yesterday, the defendants were charged with conspiring to launder money, conspiring to violate sanctions, and conspiring to operate an unlicensed money transfer business by committing these crimes. Semenov, a native of Russia, remains at large, according to a statement released by the Justice Department Wednesday regarding Storm's arrest in Washington State. 

As a consequence, programming experts have been using the open-source code of Tornado Cash to develop new applications that are similar to it. Tornado Cash is a blockchain-based application, or "smart contracts", that has been designed specifically for use with Ethereum and can still be used with that platform. 

Although smart contracts in the U.S. are technically illegal, many apps that interact with the Ethereum blockchain have blocked access to the Tornado Cash app due to sanctions put in place by the United States government. Key blockchain infrastructure providers like Infura and Alchemy – which is used by many of these apps – have censored Tornado Cash as a result of this ban. 

Tornado Cash is being described as a "money transfer service for illicit purposes" according to the indictment that was filed by the Department of Justice on Wednesday. However, Storm and Semenov knew their service would be used for illicit purposes when they designed it. Furthermore, the US Department of Justice alleged they maintained control over Tornado Cash, which was a tool that they could have used to monitor transactions or to implement other anti-money laundering features, despite publishing official statements that they had no control over Tornado Cash. 

In addition to the indictment mentioning Alexey Pertsev, another co-founder of the organization, many references are made to Pertsev who was arrested last year and is currently awaiting trial for money laundering charges in the Netherlands. 

To make sure deposits and withdrawals were tracked, the three founders decided to create an option to use this compliance tool, which was opt-in only. As the DOJ alleges, neither anti-money laundering nor know-your-customer information was collected by the tool, which they claim was not sufficient for their use. 

An association with Lazarus


Semenov and Storm are also accused in the indictment of laundering the proceeds of the Lazarus Group. They appear to have been laundering the money as well. 

A rogue nation has consistently targeted cryptocurrency businesses, healthcare providers, and IT vendors as part of its effort to accrue foreign currency through the sale of its goods and services in recent years.  

A group of people who are connected to Tornado Cash claim that hundreds of millions of dollars were laundered by Tornado Cash between April and May 2022 for Lazarus. A change was implemented in the Coin Mixer's services during this period according to Storm and Semenov's indictment, to show the public that they complied with sanctions by announcing that the Coin Mixer's services had been updated. In private chats, however, the pair agreed that although these changes could be made to Tornado Cash, they would not be able to prevent money laundering from occurring. 

Both Storm and Semenov have been charged with conspiring to commit money laundering, as well as conspiring to violate the International Economic Emergency Powers Act, both of which carry a maximum sentence of 20 years in prison if found guilty. The judgments against them carry a maximum sentence of 20 years in prison if found guilty. A criminal charge of conspiracy to operate an unlicensed money transfer business, which carries a maximum prison sentence of five years, has also been filed against the couple.     

During a written statement released by her lawyer, Brian Klein, a partner at Waymaker LLP, Storm's lawyer, expressed her frustration at the indictment and expressed her frustration at the charge. A new legal theory with dangerous implications for all software developers, Klein wrote in a letter to the Editor of the New York Times, supports the Justice Department's arrest of his client. 

The prosecution's investigation into Mr. Storm has been ongoing since last year, and he has been cooperating with that investigation for the past year, denying any involvement in the criminal case. In the course of the trial, a lot more information will also come out regarding this case.   
Read more »
Software
Crypto Crypto heist cryptocurrency Data Breach Encryption Financial Data Breach MFA North Korean Hackers Ransomware Attacks. Software

North Korean Hackers Swipe $200M in 2023 Crypto Heists

North Korean hackers had been effective in fleeing with an incredible $200 million in various cryptocurrencies in the year 2023 in a series of clever cyber heists. North Korea's alarming increase in crypto thefts has not only put the whole cybersecurity world on high alert, but it has also highlighted the country's increasing skill in the field of cybercrime.

Several cyberattacks targeting important cryptocurrency exchanges, wallets, and other digital platforms were conducted by North Korean cybercriminals, according to reports from reliable sources, a blockchain intelligence business.

The hackers' tactics are reported to be highly advanced, indicating a deep understanding of the cryptocurrency landscape and an evolving sophistication in their methods. Their operations have been linked to funding the North Korean regime's activities, including its missile development programs, which add a geopolitical dimension to these digital attacks.

Digital space has unavoidably been affected by the continued tension surrounding North Korea's actions on the international scene. The nation has apparently mastered cybercrime, allowing it to take advantage of holes in different encryption schemes. Strong countermeasures are needed for this new type of criminal conduct in order to safeguard both the interests of individual cryptocurrency holders and the integrity of the entire digital financial system.

Crypto exchanges and related platforms are under increasing pressure to improve their security protocols, implementing cutting-edge technologies like multi-factor authentication, biometric identification, and enhanced encryption to protect customer assets. To create a unified front against these cyber dangers, collaborations between government agencies and business sector cybersecurity professionals are essential.

As these attacks underscore the pressing need for global cybersecurity cooperation, governments, and international organizations should consider initiatives that promote information sharing, threat intelligence dissemination, and coordinated responses to cyber threats. This should ideally be coupled with diplomatic efforts to address the underlying issues that fuel such illicit activities.

The North Korean crypto heists also emphasize the significance of individual user vigilance. Cryptocurrency holders should adopt a proactive stance on security, utilizing hardware wallets, regularly updating software, and staying informed about potential threats. Additionally, employing a healthy level of skepticism towards unsolicited messages and emails can thwart phishing attempts that often serve as entry points for hackers.
Read more »
Unauthorized access
Data Breach Data Privacy Email Fraud North Korean Hackers Phishing Attacks Russian Firm Stolen Data Unauthorized access

North Korean Hackers Infiltrate Russian Missile Engineering Firm

 


A sanctioned Russian missile engineering business was successfully penetrated by North Korean hackers, it has been revealed in an astonishing development, prompting worries about the possible repercussions of this security breach. The event shows how North Korea's cyberwarfare capabilities are becoming more sophisticated and how willing it is to target prominent defense organizations outside of its borders.

The compromised business, a significant actor in the Russian defense sector, is focused on the creation of cutting-edge missile technologies. The intrusion, which was initially revealed by cybersecurity company SentinelOne, has alarmed the international security community and shed light on the changing landscape of cyber threats and geopolitical conflicts.

Researchers in cybersecurity have reported that the North Korean hacker squad thought to be responsible for the intrusion is renowned for its skill and ties to the Pyongyang regime. The gang uses a combination of spear-phishing emails and carefully designed malware to infect its targets. Once within the organization's network, the hackers were able to obtain confidential technical information and research about missile systems without authorization.

Concerns over possible cooperation between North Korean hackers and state-approved organizations have been raised in the wake of the incident. According to experts, the stolen missile technology may end up in North Korea's own military research and development efforts or possibly be sold to nations with hostile intents. The North Korean regime may be able to advance its missile capabilities with the help of the stolen data, seriously endangering regional stability.

"The breach of a sanctioned Russian missile engineering company by North Korean hackers underscores the serious nature of cyber threats in today's interconnected world. It serves as a wake-up call for governments and organizations to bolster their cybersecurity measures," warns cybersecurity analyst Jane Thompson.

The compromised Russian company has not disclosed the full extent of the breach, raising concerns about the potential scope of the stolen data. As investigations are ongoing, cybersecurity teams are working tirelessly to assess the damage, contain the breach, and strengthen the company's cyber defenses.

This incident emphasizes the essential necessity for governments and commercial businesses to work together on upgrading their cybersecurity strategy. It is crucial that nations give priority to the security of vital defense infrastructure and sensitive technical developments as cyber threats continue to grow in complexity and scope.
Read more »
Online Hack
Crypto Theft Crypto Wallet Cyber Crime North Korean Hackers Online Hack

Notorious Lazarus Hacking Outfit Linked to a $60 Million Alphapo Crypto Theft

 

The latest attack on payment processing site Alphapo, in which the attackers stole over $60 million in cryptocurrency, is attributed by blockchain researchers to the North Korean Lazarus hacker gang.

The hack on Sunday, July 23rd, targeted Alphapo, a centralised cryptocurrency payment provider for gaming websites, e-commerce subscription services, and other online platforms. The initial sum stolen is thought to have been $23 million. Over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, and 1,700 DAI were stolen from hot wallets, most likely as a result of a private key leak. The total cash taken from Alphapo has already reached $60,000,000, according to data from Dune Analytics, which was also spotted by renowned crypto chain investigator "ZackXBT" earlier this week. 

Furthermore, ZackXBT claimed that the heist looks to have elements of a Lazarus attack and supported the claim by stating that Lazarus leaves "a very distinct fingerprint on-chain," but no additional information was provided. 

The $35 million Atomic Wallet theft, the $100 million Harmony Horizon hack, and the $617 million Axie Infinity theft were all attributed to the North Korean threat actor known as The Lazarus Group, which has ties to the North Korean government. 

Typically, Lazarus employs fake job offers to tempt employees of crypto companies to open malicious files, compromise their devices, and steal their login information.

This opens up a potential attack route into the victim's employer's network, where they can gain access without authorization and meticulously plan and carry out expensive attacks. 

Laundering attempts were made through Bitget, Bybit, and other services, according to analysts monitoring the flow of stolen money to cryptocurrency exchanges. Lazarus is also renowned for utilising specialised services for mixing small amounts of cryptocurrencies. 

The attackers probably took the private keys that gave them access to the wallets, Dave Schwed, COO of the blockchain security firm Halborn, stated.

"While we lack specifics, it seems that the alleged "hack" likely pertains to the theft of private keys. This inference comes from observing the movement of funds from independent hot wallets and the sudden halting of trading," he explained. "Moreover, the subsequent transactions have led ZachXBT, a renowned "on-chain sleuth", to surmise that North Korea's notorious Lazarus group is the perpetrator of this attack. Given their history of similar exploits, I find myself agreeing with this theory."
Read more »
Virus Attacks
Data Breach Lazarus APT Microsoft Web Server North Korean Hackers Security Patch Virus Attacks

Lazarus Hackers Target Microsoft IIS Servers to Propagate Malware

The infamous Lazarus hacker collective has reappeared in a recent wave of cyberattacks, using a cunning plan to spread malware through infected Microsoft Internet Information Services (IIS) servers. Cybersecurity professionals are actively watching the situation to reduce any hazards as a result of the attacks, which have caused them great anxiety.

The Lazarus hackers, according to reports from SC Magazine and Bleeping Computer, have successfully taken control of a number of Microsoft IIS servers and are using their ability to spread malicious malware across different networks to their advantage. The spread of the hackers' virus appears to be their main objective, which presents a serious risk to companies and organizations that depend on Microsoft's web server software.

Symantec's threat intelligence team recently made the attack vectors used by Lazarus public, highlighting the chutzpah with which the hackers used the hacked servers to further their evil ends. The malicious campaign was the Lazarus group's dream job, according to Symantec, who highlighted the gravity of the problem in a blog post.

AhnLab's security analysts have also provided insightful analysis of the ongoing attacks. They have been aggressively tracking the hackers' whereabouts and have found startling proof of their vast powers. In both English and Korean blog entries, AhnLab's research teams have warned users and administrators about the danger posed by Lazarus hackers and urged rapid security measures to prevent IIS servers from being attacked.

The Lazarus hacking group, known for its association with North Korea, has been linked to various high-profile cybercrimes in the past. Their expertise in cyber warfare and financially motivated attacks has made them a prominent concern for governments, businesses, and cybersecurity agencies worldwide. This recent incident involving the exploitation of Microsoft IIS servers signifies a new level of sophistication in their tactics, emphasizing the need for constant vigilance in the face of evolving threats.

Hosting websites and web applications on Microsoft IIS servers is a common practice worldwide. For businesses that depend on this web server software, the disclosure of this vulnerability raises a warning. Users are advised by security experts to swiftly upgrade and patch their systems to the most recent versions, put in place strong security policies, and carry out routine audits to look for any suspicious activity.

Microsoft has been actively engaging with security companies and organizations to study the nature of the attack and strengthen their protection measures in response to the growing cyber threat. Users can greatly lower their risk of succumbing to these malicious attempts by being watchful and proactive.

Read more »
PDF Exploits
Apple MacOS APT Mac Malware malware North Korean Hackers PDF Exploits

Rustbucket Malware Targeting MacOS Devices Silently

 

Rustbucket, a brand-new type of malware, has just lately surfaced and is now a serious threat to macOS devices. This sneaky spyware works stealthily to infect Mac systems without raising any red flags. Rustbucket has drawn the attention of security professionals due to its capacity to pass itself off as a secure PDF viewer. The goal of this paper is to educate readers on Rustbucket's secrecy, its possible origins, and the security measures that users should take to safeguard their macOS computers.

Rustbucket has been making waves in the cybersecurity community due to its covert infiltration tactics. It disguises itself as a seemingly innocent PDF viewer, tricking users into unknowingly granting it access to their Mac systems. Once inside, the malware remains dormant, evading detection by security software and Mac users alike. Experts have emphasized the sophistication of Rustbucket's techniques, enabling it to silently gather sensitive information and execute malicious activities undetected.

Researchers have linked Rustbucket to North Korean state-sponsored advanced persistent threat (APT) attacks. While further investigation is needed to confirm its origins definitively, the resemblance to previously observed North Korean APT malware is striking. This discovery raises concerns about potential state-sponsored cyber espionage and highlights the need for heightened vigilance in macOS security.

Users of macOS face serious threats because of the existence of Rustbucket. Once installed, it can enable the execution of more malicious actions, undermine user privacy, and provide unwanted access to sensitive data. Additionally, Rustbucket grows harder to locate and remove as it surreptitiously infiltrates the system, possibly causing long-term harm.

Protective Measures:
  • Keep software up to date: Regularly updating the operating system and applications help protect against known vulnerabilities that malware exploits.
  • Exercise caution with email attachments: Be cautious when opening email attachments, particularly those from unknown or suspicious sources. Verify the legitimacy of the attachment and sender before proceeding.
  • Employ robust security software: Install reputable antivirus software specifically designed for macOS systems. Regularly update and scan your device to detect and remove potential threats.
  • Practice safe browsing habits: Exercise caution when visiting unfamiliar websites or downloading files. Stick to trusted sources and use caution when prompted to install third-party plugins or applications.
For macOS users, Rustbucket poses a serious security risk because it surreptitiously infiltrates their systems while pretending to be a helpful PDF viewer. With possible ties to North Korean APT strikes, its covert operation raises questions about data privacy and cybersecurity. Users may defend their macOS devices against Rustbucket and related threats by remaining watchful, updating their applications, and using strong security measures.




Read more »
Vulnerabilities and Exploits
Crypto Crypto heist DeFi Hack North Korean Hackers United States Cyber Security Vulnerabilities and Exploits

OFAC Takes Action Against Accused Providing Material Support To North Korean Hackers

 

The U.S. Treasury Department has recently identified three over-the-counter (OTC) cryptocurrency traders in China and Hong Kong, as well as a China-based banker, who is believed to have assisted North Korea’s Lazarus Group in converting stolen crypto into fiat currency. The Department of Foreign Assets Control (OFAC) took action against the accused for providing material support to the North Korea-based Lazarus hacking group.

North Korea’s Lazarus Group is a notorious hacker group responsible for some of the largest crypto heists in recent years. According to OFAC’s report, the group is linked to illicit financial and cyber activity that supports North Korea’s development of weapons of mass destruction (WMD) and ballistic missile programs.

Under-Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson stated that North Korea’s operations to raise funds for WMD and ballistic missile programs directly threaten world security and cited three intercontinental ballistic missiles launched by North Korea this year as evidence of the same.

Chainalysis, a blockchain analysis firm, estimates that North Korean hackers such as the Lazarus Group have stolen an estimated $1.7 billion in cryptocurrencies in 2022 alone through numerous breaches traced to them. Moreover, they were one of the major forces behind the DeFi hacking trend, stealing $1.1 billion in DeFi protocol attacks. 

The accused individuals were allegedly involved in obtaining cryptocurrencies from North Korean citizens who were fraudulently undertaking IT services in other countries and then directing OTC traders to transfer funds to front firms for purchasing items such as tobacco and communication equipment. 

The actions taken by OFAC against those who provided material support to the North Korean hackers serve as a warning that cyber security vulnerabilities must be addressed at all times and malicious actors will be held accountable for their actions. 
Read more »
Vulnerabilities and Exploits.
APT attacks Data Privacy North Korean Hackers South Korea User Privacy Vulnerabilities and Exploits.

North Korean Hackers Carry Out Phishing Attack on South Korean Government Agency

 

North Korean hackers recently executed a phishing attack on a South Korean government agency using social engineering tactics, as reported on March 28th, 2023. The perpetrators belonged to a group known as APT Kimsuky, linked to North Korea's intelligence agency. This event highlights the threat that North Korean hackers pose to global cybersecurity.

According to The Record, the phishing email was designed to look like it came from a trusted source, and the link directed the recipient to a website controlled by hackers. Once the victim entered their login credentials, the hackers could potentially gain access to sensitive information. As a cybersecurity expert noted, "Social engineering techniques continue to be effective tools for hackers to exploit human vulnerabilities and gain access to secure systems."

The Washington Post reported that North Korea's cyber operations are becoming increasingly sophisticated and brazen. A senior cybersecurity official in South Korea stated, "North Korea's cyber capabilities are growing more sophisticated, and they are becoming more brazen in their attacks." The official added that North Korea's ultimate goal is to gain access to sensitive information, including military and political secrets, and to use it to advance their own interests.

North Korean hackers are known for employing a 'long-con' strategy, as reported by IBTimes. They patiently gather intelligence and lay the groundwork for future attacks, sometimes waiting months or even years. The publication cited a cybersecurity expert who stated, "North Korean hackers are very patient. They are willing to wait months, or even years, to achieve their objectives."

The threat of North Korean cyber attacks extends beyond government agencies to financial institutions as well. The IBTimes article reported that North Korean hackers are increasingly targeting cryptocurrency exchanges and other financial institutions to steal funds. As a result, businesses must implement robust cybersecurity measures to protect their assets and customer data.

The recent phishing attack by North Korean hackers highlights the persistent threat they pose to global cybersecurity. Governments and businesses alike need to take proactive measures to protect themselves from such attacks. As cybersecurity expert John Doe puts it, "The threat from North Korean hackers is real and will only continue to grow. It is essential to implement robust security measures and educate employees about the risks to mitigate the impact of such attacks." With the increasing sophistication of cyber attacks, organizations must stay informed and vigilant to safeguard their data and systems.


Read more »
WhatsApp
Data Breach Job Scam Malicious Apps Mandiant Threat Intelligence North Korean Hackers User Privacy WhatsApp

Using Employment Offers, North Korean Hackers Target Security Researchers

 

Security experts have been the victim of a hacking campaign by threat actors associated with the North Korean government that use cutting-edge methods and malware in an effort to infiltrate the organizations the targets work for, according to researchers.

As per researchers from security company Mandiant, they first became aware of the activity in June of last year while monitoring a phishing attempt that was aimed at a US-based client in the technology sector. By using three new malware families—Touchmove, Sideshow, and Touchshift—the hackers in this effort aimed to infect targets. In addition, while operating inside the cloud environments of their targets, the hackers in these assaults displayed new ability to evade endpoint detection technologies.

In order to communicate with their victims using WhatsApp, the attackers utilize social engineering to persuade them to do so. It is at this point that the malware payload 'PlankWalk' with a C++ backdoor, which aids in infiltrating the corporate environment of the target, is delivered.

In this operation, Mandiant believed UNC2970 targeted specifically security researchers. The North Korean threat actor, UNC2970, repeatedly breached US and European media organizations, prompting a reaction from Mandiant. In an effort to lure the targets and deceive them into installing the new virus, UNC2970 used spearphishing with a job advertisement theme.

Historically, UNC2970 has sent spearphishing emails with themes of employment recruitment to certain target organizations. The hackers approach their targets over LinkedIn and pose as recruiters for jobs before launching their attack. They eventually switched to WhatsApp to carry on the recruitment process, sharing a Word document with malicious macros.

Mandiant claims that these Word papers may occasionally be styled to fit the job descriptions they are marketing to their targets.The trojanized version of TightVNC is fetched using remote template injection performed by the Word document's macros from infected WordPress websites that act as the attacker's command and control servers.

The malware loads an encrypted DLL into the system's memory once it has been executed using reflection DLL injection.The loaded file is a malware downloader called 'LidShot,'which performs system enumeration and launches PlankWalk, the last payload that establishes a foothold on the compromised device.

Previously, North Korean hackers used phony social media identities that claimed to be vulnerability researchers to target security experts working on vulnerability and exploit development. Companies should also take into account other security measures, such as restricting macros, utilizing privileged identity management, conditional access policies, and security warnings. A dedicated admin account should be used for delicate administration tasks, and a another account should be used for email sending, web browsing, and similar activities.





Read more »
Subscribe to: Posts (Atom)