North Korean Hackers Specialise In Financial Theft

North Korean hackers have for years been using different tactics to run cyber-enabled financial thefts, most recently using fake companies to compromise cryptocurrency-related businesses. Now the hacking outfit has been tweaking some of its malware, delivery mechanisms, and payloads in an attempt to decrease their chances of getting caught.

According to a United Nations Report hackers have been used to steal the huge sums of money N. Korea needs to fund its nuclear weapons program,  using a network of the fake companies and websites to hide behind. These fake idnetities rarely pass close inspection test, the links on these weaponised websites don’t always work. Now, hackers known as Lazarus Group or APT38 have been getting increasingly careful in other areas, according to new Kaspersky Lab research.  

Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe. 

Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.

In the last two years, multiple researchers have revealed some of Lazarus Group’s latest antics relying on front companies. The hackers have been using a fake company, “JMT Trading,” to install backdoors to funnel funds to Pyongyang, multiple researchers revealed in 2019, for example. The year before, hackers were using another fake company, “Celas Trade Pro,” to target cryptocurrency exchanges. They have also used a fake website and company called “UnionCryptoTrader.”

In some cases they have developed their own macOS malware, with an authentication mechanism built in to deliver a secondary payload directly from memory. In the Windows version of the malware, Lazarus Group has updated its multi-stage infection process and changed the final payload it delivers.

Kaspersky has also identified several victims in the UK, Poland, Russia, and China and several of the victims are linked to cryptocurrency business entities.

Lazarus Group 
North Korean hacking campaigns have traditionally been focused on avoiding detection and tricking victims to unwittingly help fill out the DPRK’s coffers, which have been hampered in recent years as a result of economic sanctions. 
But some of the campaigns details reveal that beyond just changing its tactics to evade detection, Lazarus Group has also been more selective in choosing victims.

In a campaign targeting Windows users, for instance, attackers have included a final payload that is designed to run only on certain systems that appear to be predesignated, according to Kaspersky.
“Upon launch, the malware retrieves the victim’s basic system information … If the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory,” Kaspersky researchers write. “The final payload … was designed to run only on certain systems.”

The apparent increased specificity in targeting could indicate Lazarus Group is using previously gleaned intelligence, possibly from other hacking campaigns, to maximise its current fundraising efforts.

Research suggests that Lazarus Group delivered this highly targeted malware using Telegram, because it was executed from the Telegram messenger download folder. The goal of the campaign, aside from the obvious financial motivations, are not yet entirely clear.

SecureList:        Bloomberg:        Cyberscoop:

You Might Also Read:

N. Korea’s Hackers Stole $2b To Fund Its Missile Program:

 

« Unintended Consequences As Iran Admits It Destroyed Ukrainian Passenger Jet
Artificial & Augmented Intelligence Is Re-Making Banking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Tendo Solutions

Tendo Solutions

Tendo Solutions provides intelligence, security, forensics and risk solutions to clients across different sectors and jurisdictions.

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN) is a not for profit group of professionals in the field of Information Security in Nigeria and Diaspora.

Bulletproof Cyber

Bulletproof Cyber

Bulletproof offer a range of security services, from penetration testing and vulnerability assessments to 24/7 security monitoring, and consultancy.

Sumo Logic

Sumo Logic

Sumo Logic simplifies how you collect and analyze machine data so that you can gain deep visibility across your full application and infrastructure stack.

QOMPLX

QOMPLX

QOMPLX integrate, contextualize, and analyze data from virtually any source to help you identify operational risk and inefficiencies throughout the enterprise.

LUCY Security

LUCY Security

LUCY is the answer when you want to increase your IT security, maintain your cyber security awareness, or test your IT defenses.

SEEK

SEEK

SEEK create world-class technology solutions to address the needs of job seekers and hirers across multiple sectors including cybersecurity.

Kickstart

Kickstart

Kickstart supports your startup in scaling deep technology businesses in Switzerland in areas such as AI, Blockchain and Cybersecurity.

SecureNation

SecureNation

SecureNation offers a wide variety of cutting-edge technologies and IT services to address almost any of your information security, network security and information assurance needs.

Hunter Strategy

Hunter Strategy

Hunter Strategy focuses on delivering solutions that are concise, scalable, and target our customer’s complex technical challenges.

OSC Edge

OSC Edge

OSC was founded with the vision of providing expert solutions in IT to government and businesses. OSC Edge empowers organizations with solutions that prepare them for today and tomorrow.

NASK

NASK

NASK is a National Research Institute under the supervision of the Chancellery of the Prime Minister of Poland. Our key activities involve ensuring security online.

AT&T Cybersecurity

AT&T Cybersecurity

AT&T Cybersecurity’s Edge-to-Edge technologies provide threat intelligence, collaborative defense, security without the seams, and solutions that fit your business.

Cyderes

Cyderes

Cyderes (Cyber Defense and Response) is a global, pure-play, full life-cycle cyber security services provider formed from the merger of Herjavec Group and Fishtech Group in 2022.

Frontier Technology Inc. (FTI)

Frontier Technology Inc. (FTI)

Frontier Technology Inc provides the technology and deep data expertise to drive the best defense and intelligence solutions.

Complete Cyber

Complete Cyber

Complete Cyber provide professional cybersecurity services and products to help secure your infrastructure, systems and data.