North Korean Hackers Specialise In Financial Theft

Uploaded on 2020-01-13 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

North Korean hackers have for years been using different tactics to run cyber-enabled financial thefts, most recently using fake companies to compromise cryptocurrency-related businesses. Now the hacking outfit has been tweaking some of its malware, delivery mechanisms, and payloads in an attempt to decrease their chances of getting caught.

According to a United Nations Report hackers have been used to steal the huge sums of money N. Korea needs to fund its nuclear weapons program,  using a network of the fake companies and websites to hide behind. These fake idnetities rarely pass close inspection test, the links on these weaponised websites don’t always work. Now, hackers known as Lazarus Group or APT38 have been getting increasingly careful in other areas, according to new Kaspersky Lab research.  

Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe. 

Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.

In the last two years, multiple researchers have revealed some of Lazarus Group’s latest antics relying on front companies. The hackers have been using a fake company, “JMT Trading,” to install backdoors to funnel funds to Pyongyang, multiple researchers revealed in 2019, for example. The year before, hackers were using another fake company, “Celas Trade Pro,” to target cryptocurrency exchanges. They have also used a fake website and company called “UnionCryptoTrader.”

In some cases they have developed their own macOS malware, with an authentication mechanism built in to deliver a secondary payload directly from memory. In the Windows version of the malware, Lazarus Group has updated its multi-stage infection process and changed the final payload it delivers.

Kaspersky has also identified several victims in the UK, Poland, Russia, and China and several of the victims are linked to cryptocurrency business entities.

Lazarus Group 
North Korean hacking campaigns have traditionally been focused on avoiding detection and tricking victims to unwittingly help fill out the DPRK’s coffers, which have been hampered in recent years as a result of economic sanctions. 
But some of the campaigns details reveal that beyond just changing its tactics to evade detection, Lazarus Group has also been more selective in choosing victims.

In a campaign targeting Windows users, for instance, attackers have included a final payload that is designed to run only on certain systems that appear to be predesignated, according to Kaspersky.
“Upon launch, the malware retrieves the victim’s basic system information … If the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory,” Kaspersky researchers write. “The final payload … was designed to run only on certain systems.”

The apparent increased specificity in targeting could indicate Lazarus Group is using previously gleaned intelligence, possibly from other hacking campaigns, to maximise its current fundraising efforts.

Research suggests that Lazarus Group delivered this highly targeted malware using Telegram, because it was executed from the Telegram messenger download folder. The goal of the campaign, aside from the obvious financial motivations, are not yet entirely clear.

SecureList:        Bloomberg:        Cyberscoop:

You Might Also Read:

N. Korea’s Hackers Stole $2b To Fund Its Missile Program:

 

« Unintended Consequences As Iran Admits It Destroyed Ukrainian Passenger Jet
Artificial & Augmented Intelligence Is Re-Making Banking »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Teradata

Teradata

Teradata is a leading provider of enterprise big data analytics and services. Applications include Cyber Security Analytics.

Digital Detective

Digital Detective

Digital Detective offer a range of products and services for digital forensic analysis and advanced data recovery.

Threatspan

Threatspan

Threatspan is a cybersecurity firm helping shipping and maritime enterprises achieve and maintain nautical resilience in an age of increasing cyber threats.

American Cybersecurity Institute

American Cybersecurity Institute

American cybersecurity Institute is a newly formed not-for-profit organization dedicated to education, advocacy, study and analysis in the space of cybersecurity law and policy.

Insight Partners

Insight Partners

Insight Partners is a leading global private equity and venture capital firm investing in growth-stage technology, software and Internet businesses.

McIntyre Associates

McIntyre Associates

McIntyre Associates is an Executive Search boutique specialized in recruiting for the Cybersecurity industry. Our clients range from Venture Capital backed startups to Fortune 100 companies.

Verificient Technologies

Verificient Technologies

Verificient Technologies specializes in biometrics, computer vision, and machine learning to deliver world-class solutions in continuous identity verification and remote monitoring.

ditno

ditno

ditno uses machine learning to help you build a fully governed and micro-segmented network. Dramatically mitigate risk and prevent lateral movement across your organisation – all from one centralised

Wickr

Wickr

Wickr's mission is to secure the world's most critical communications. Wickr provides the highest standard of encryption trusted by millions worldwide.

Cyber Resilience Centre for Wales (WCRC)

Cyber Resilience Centre for Wales (WCRC)

The Cyber Resilience Centre for Wales (WCRC) is part of the national roll out of Cyber Resilience Centres in the UK which began in 2019.

Beyon Cyber

Beyon Cyber

Beyon Cyber offer a complete portfolio of advanced solutions & services for cyber security in Bahrain.

Trustaira

Trustaira

Trustaira is the first deep tech solution and service company in Bangladesh.

CyberGrape

CyberGrape

CyberGrape is a client centric managed services company, providing enterprise leading security solutions and helping companies through their IT risk and security challenges.

Cyber Security Certification Australia (CSCAU)

Cyber Security Certification Australia (CSCAU)

CSCAU is the world’s first 'for mission' industry council set up to address small and medium-sized business (SMB) cyber resilience through annually updated certifiable standards.

Karthik Consulting (KC)

Karthik Consulting (KC)

Karthik Consulting is a technology service provider specializing in IT services for the U.S. federal government.

Prequel

Prequel

Prequel is your real-time problem detection and resolution platform, powered by the global reliability community.