North Korean Hackers Specialise In Financial Theft

North Korean hackers have for years been using different tactics to run cyber-enabled financial thefts, most recently using fake companies to compromise cryptocurrency-related businesses. Now the hacking outfit has been tweaking some of its malware, delivery mechanisms, and payloads in an attempt to decrease their chances of getting caught.

According to a United Nations report, hackers have been used to steal the huge sums of money North Korea needs to fund its nuclear weapons programme, using a network of fake companies and websites to hide behind. These fake identities rarely pass close inspection, and the links on these weaponised websites don't always work. Now the hackers, known as Lazarus Group or APT38, have been getting increasingly careful in other areas, according to new Kaspersky Lab research.

Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe. 

Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.

In the last two years, multiple researchers have revealed some of Lazarus Group’s latest antics relying on front companies. The hackers have been using a fake company, “JMT Trading,” to install backdoors to funnel funds to Pyongyang, multiple researchers revealed in 2019, for example. The year before, hackers were using another fake company, “Celas Trade Pro,” to target cryptocurrency exchanges. They have also used a fake website and company called “UnionCryptoTrader.”

In some cases they have developed their own macOS malware, with an authentication mechanism built in to deliver a secondary payload directly from memory. In the Windows version of the malware, Lazarus Group has updated its multi-stage infection process and changed the final payload it delivers.

Kaspersky has also identified several victims in the UK, Poland, Russia and China, and several of these victims are linked to cryptocurrency business entities.

Lazarus Group

North Korean hacking campaigns have traditionally focused on avoiding detection and tricking victims into unwittingly helping to fill the DPRK's coffers, which have been hampered in recent years as a result of economic sanctions.

But some of the campaign's details reveal that, beyond changing its tactics to evade detection, Lazarus Group has also become more selective in choosing victims.

In a campaign targeting Windows users, for instance, attackers have included a final payload that is designed to run only on certain systems that appear to be predesignated, according to Kaspersky.
“Upon launch, the malware retrieves the victim’s basic system information … If the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory,” Kaspersky researchers write. “The final payload … was designed to run only on certain systems.”

The apparent increased specificity in targeting could indicate Lazarus Group is using previously gleaned intelligence, possibly from other hacking campaigns, to maximise its current fundraising efforts.

Research suggests that Lazarus Group delivered this highly targeted malware using Telegram, because it was executed from the Telegram messenger download folder. The goals of the campaign, aside from the obvious financial motivation, are not yet entirely clear.
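The execution-from-download-folder detail above is one of the few host observables the article gives defenders. The following is an added illustration, not code from the article or from Kaspersky, of how a hunt over process-creation telemetry could flag executables launched out of the Telegram Desktop download folder. It assumes the default Windows Telegram Desktop download path (`Downloads\Telegram Desktop`) and Sysmon-style field names; the sample events are constructed.

```python
import json
import ntpath
from typing import Dict, Iterable, List

# Default Telegram Desktop download folder on Windows. This path is an assumption:
# the article only says the malware ran from "the Telegram messenger download folder".
TELEGRAM_DOWNLOAD_DIR = "\\downloads\\telegram desktop\\"

# File types that should rarely be launched directly out of a chat client's download folder.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd"}


def is_telegram_download_launch(event: Dict) -> bool:
    """True when a process image sits in the Telegram download folder and is executable."""
    image = event.get("Image", "")
    ext = ntpath.splitext(image)[1].lower()
    return TELEGRAM_DOWNLOAD_DIR in image.lower() and ext in EXECUTABLE_EXTENSIONS


def scan_process_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines process-creation events and return the suspicious ones."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        if is_telegram_download_launch(event):
            hits.append({"time": event.get("UtcTime"),
                         "image": event["Image"],
                         "parent": event.get("ParentImage")})
    return hits


# Constructed sample events with Sysmon Event ID 1 style fields; not real telemetry.
SAMPLE_EVENTS = r"""
{"UtcTime": "2020-01-10 09:12:01", "Image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2020-01-10 09:13:40", "Image": "C:\\Users\\alice\\Downloads\\Telegram Desktop\\TradeSetup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2020-01-10 09:15:02", "Image": "C:\\Users\\alice\\Downloads\\setup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
not json at all
"""

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS.splitlines()):
        print(f"{hit['time']}  {hit['image']}  (parent: {hit['parent']})")
```

Only the executable launched from the Telegram download folder is reported; Telegram itself and a download from the plain Downloads folder are left alone, so the rule stays narrow enough to triage by hand.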

Sources: SecureList, Bloomberg, Cyberscoop
