North Korean Hackers Specialise In Financial Theft

North Korean hackers have for years been using different tactics to run cyber-enabled financial thefts, most recently using fake companies to compromise cryptocurrency-related businesses. Now the hacking outfit has been tweaking some of its malware, delivery mechanisms, and payloads in an attempt to decrease their chances of getting caught.

According to a United Nations Report hackers have been used to steal the huge sums of money N. Korea needs to fund its nuclear weapons program,  using a network of the fake companies and websites to hide behind. These fake idnetities rarely pass close inspection test, the links on these weaponised websites don’t always work. Now, hackers known as Lazarus Group or APT38 have been getting increasingly careful in other areas, according to new Kaspersky Lab research.  

Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe. 

Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.

In the last two years, multiple researchers have revealed some of Lazarus Group’s latest antics relying on front companies. The hackers have been using a fake company, “JMT Trading,” to install backdoors to funnel funds to Pyongyang, multiple researchers revealed in 2019, for example. The year before, hackers were using another fake company, “Celas Trade Pro,” to target cryptocurrency exchanges. They have also used a fake website and company called “UnionCryptoTrader.”

In some cases they have developed their own macOS malware, with an authentication mechanism built in to deliver a secondary payload directly from memory. In the Windows version of the malware, Lazarus Group has updated its multi-stage infection process and changed the final payload it delivers.

Kaspersky has also identified several victims in the UK, Poland, Russia, and China and several of the victims are linked to cryptocurrency business entities.

Lazarus Group 
North Korean hacking campaigns have traditionally been focused on avoiding detection and tricking victims to unwittingly help fill out the DPRK’s coffers, which have been hampered in recent years as a result of economic sanctions. 
But some of the campaigns details reveal that beyond just changing its tactics to evade detection, Lazarus Group has also been more selective in choosing victims.

In a campaign targeting Windows users, for instance, attackers have included a final payload that is designed to run only on certain systems that appear to be predesignated, according to Kaspersky.
“Upon launch, the malware retrieves the victim’s basic system information … If the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory,” Kaspersky researchers write. “The final payload … was designed to run only on certain systems.”

The apparent increased specificity in targeting could indicate Lazarus Group is using previously gleaned intelligence, possibly from other hacking campaigns, to maximise its current fundraising efforts.

Research suggests that Lazarus Group delivered this highly targeted malware using Telegram, because it was executed from the Telegram messenger download folder. The goal of the campaign, aside from the obvious financial motivations, are not yet entirely clear.

SecureList:        Bloomberg:        Cyberscoop:

You Might Also Read:

N. Korea’s Hackers Stole $2b To Fund Its Missile Program:

 

« Unintended Consequences As Iran Admits It Destroyed Ukrainian Passenger Jet
Artificial & Augmented Intelligence Is Re-Making Banking »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

SOTI

SOTI

SOTI is an industry leader in Enterprise Mobility Management (EMM).

BioCatch

BioCatch

BioCatch uses behavioral biometrics for fraud prevention and detection. Continuous authentication for web and mobile applications to prevent new account fraud.

Resolver

Resolver

Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of security risk and compliance events from occurring.

UM Labs

UM Labs

UM Labs is a developer of security products for Voice over IP (VoIP), protecting SIP trunk connections, safeguarding mobile phone communications and enabling BYOD.

Digittrade

Digittrade

Digittrade develop and produce external encrypted hard disks and secure communications apps.

Netsafe

Netsafe

Netsafe is an independent, non-profit New Zealand organisation focused on online safety. We help people stay safe online by providing online safety education, advice and support.

MedCrypt

MedCrypt

MedCrypt are a team of medical device experts focused on bringing modern cybersecurity features to the next generation of healthcare technology.

Portuguese Institute for Accreditation (IPAC)

Portuguese Institute for Accreditation (IPAC)

IPAC is the national accreditation body for Portugal. The directory of members provides details of organisations offering certification services for ISO 27001.

Recruit.net

Recruit.net

Recruit.net allows job seekers to instantly find millions of jobs from thousands of web sites with a single search.

DCX Technology

DCX Technology

Recognized as a leader in security services, DXC Technology help clients prevent potential attack pathways, reduce cyber risk and improve threat detection and incident response.

Nameshield Group

Nameshield Group

Nameshield is one of most experienced domain name registrars, trademark protection specialists and managers of online reputational risk in the world today.

CyberClan

CyberClan

CyberClan’s carefully selected team of experts is capable of solving complex cyber security challenges – keeping your data secure and your businesses running as usual.

Concorde Technology Group

Concorde Technology Group

Concorde Technology Group is one of the UK’s leading IT support and services providers, delivering cost-effective and innovative IT solutions to businesses across the country.

Amplifier Security

Amplifier Security

Amplifier Security are on a mission to empower security teams to modernize their practice by connecting the dots between their security stack and their people.

Highway Ventures

Highway Ventures

HIGHWAY Ventures is a startup studio that builds cybersecurity and vertical AI companies in Northwest Arkansas from technology developed within the federal lab ecosystem.

Sailo Technologies

Sailo Technologies

Sailo.Technologies is a revolutionary company in Blockchain security, integrating advanced cryptographic technologies to defend transactions and digital assets.