Lazarus Group With New Crypto Scam Plan Through App Spreading Malware
Volexity, a cybersecurity firm located in Washington, D.C., has linked Lazarus, a North Korean hacker organization already sanctioned by the US government, to a threat involving the use of a cryptocurrency site to infect computers and steal information and crypto from third parties.
According to a blog post published on December 1, Lazarus registered a domain named “bloxholder.com” in June, which would eventually be formed as a business offering services of automatic crypto trading.
(We recommend that you do not visit the website to avoid property theft)
Using this site as a front, Lazarus prompted users to download an app that served as a payload for the Applejeus malware, which was designed to steal private keys and other data from the users’ systems.
Lazarus has previously employed the same strategy. This new scheme, on the other hand, employs a technique that allows the application to confuse and slow down malware detection tasks.
The Lazarus hacker gang was delivering AppleJeus malware using maliciously. MS Office documents labeled OKX, Binance & Huobi VIP fee comparision.xls instead of an MSI installer, according to Volexity researchers. This change was noted in October 2022.
The infected document contains a two-part macro. The first decoded a base64 blob that included a second OLE object with a second macro.
Furthermore, the initial document contains a number of variables encoded with base 64 to allow the virus to be distributed in the targeted system. The hackers also utilized OpenDrive to distribute the final stage payload.
However, researchers have been unable to recover the final payload sent since October. They discovered parallels between the DLL Side-loading process and the assaults employing the MSI installation.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join us to keep track of news: https://linktr.ee/coincu