A group of hackers based in North Korea called Lazarus has been using Windows and macOS malware to target unsuspecting victims through the Internet. The hacker group has been associated with other attacks. Lately, they have been targeting developers and artists in the crypto space.
The Lazarus hacking group has been running a campaign called "Operation In(ter)ception" since 2020. Other than their previous attacks, they have their eyes set on Crypto.com- one of the world's leading cryptocurrency exchange platforms. Their goal is likely to steal digital assets and cryptocurrency.
According to BleepingComputer, their goal is tricking targets into opening malicious files that serve as a Trojan horse. This will then infect the systems of the target with malware. The malware will be used to breach the internal networks of crypto companies and proceed to steal cryptocurrency, NFTs, and/or conduct espionage.
What Are The Tactics of The Lazarus Hacking Group?
Their typical approach is offering lucrative job opportunities via LinkedIn. The pose as a large and seemingly legitimate company. The same way as they did before with the macOS malware, they would send a 26-page PDF file that contains the alleged job offer and details at Crypto.com
The Mach-O binary will create a folder in the user's Library directory where the second and third-stage files will be placed. The second stage is the "WifiAnalyticsServ.app," which will load a persistence agent that eventually connects to the C2 server to fetch the final payload.
Security researchers failed to obtain the final payload due to the server being offline at the time of their investigation, but they did notice characteristics similar to "Operation In(ter)ception" campaigns.
According to SentinelOne, the hackers made no effort to conceal or encrypt any of the binaries. This could mean that their campaigns are only short-term or that they are confident that they will not be detected.
The binaries were signed with an ad hoc signature, which simply means that they will pass Apple's Gatekeeper checks even if they are associated with a recognized developer identity.
The Victims of the Lazarus Hacking Group
One of their greatest digital heists is associated with the blockchain-based game Axie Infinity. It is an app where users would earn just by playing the game as much as they could.
In April, the U.S. Treasury and the FBI linked the hacking group with the cyberattack that caused Axie Infinity to lose over $617 million worth of the cryptocurrency Ethereum and USDC tokens.
The hack was made possible when one of the blockchain engineers opened a laced PDF file containing a lucrative job offer.
Previously, security researchers also discovered targeted attacks within high-profile aerospace and military companies. They used the same tactic by posing as HR representatives for well-known companies in the aerospace and defense industries.
As mentioned by welivesecurity, they also used LinkedIn to reach out to the targets using fake job offers. They avoided detection by using techniques including code signing, regular malware recompilation, and impersonating legitimate software and companies.
Related Article: Axie Infinity Recovers $30 Million Worth of Cryptocurrency From Lazarus Hackers
