In the last 18 months, North Korea-linked Lazarus APT group has continued to target
cryptocurrency exchanges evolving its TTPs.
Kaspersky researchers have analyzed the attacks carried out by North Korea-linked Lazarus APT group in the past 18 months and confirmed their interest in banks and
In the mid-2018, the APT targeted
“While investigating a
“It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to.”
After releasing Operation AppleJeus, the Lazarus group carried out other attacks against
The malware did not have an encryption/decryption routine for network communication a circumstance that suggest it was still under development.
One victim was compromised by Windows AppleJeus malware in March 2019, experts determined that the infection started from a malicious file named WFCUpdater.exe.
The experts pointed out that while the Windows malware used in the campaign only had small changes, the
- The actor used GitHub in order to host their malicious applications.
- The malware author used Object-C instead of QT framework in their macOS malware.
- The malware implemented a simple backdoor function in macOS executable.
- The malware encrypted/decrypted with a 16-byte XOR key (X,%`PMk–Jj8s+6=) similar to the previous case.
- The Windows version of the malware used ADVobfuscator, a compiled time obfuscator, in order to hide its code.
- The post-install script of macOS malware differed significantly from the previous version.
Recently Kaspersky detected a new
Some of the payloads were executed in memory, with a backdoor payload delivered in the final step of the attack chain.
“This final payload was designed to run only on certain systems. It seems that the malware authors produced and delivered malware that only works on specific systems based on previously collected information. The malware checks the infected system’s information and compares it to a given value.” continues the report. “It seems the actor wants to execute the final payload very carefully, and wants to evade detection by
Kaspersky identified several victims of Operation AppleJeus sequel, most of them were in the UK, Poland, Russia and China, and experts pointed out that many of them are linke
“The actor altered their
(SecurityAffairs – Lazarus APT group, hacking)
The post North Korea-linked Lazarus APT continues to target cryptocurrency exchanges appeared first on Security Affairs.