North Korean Hackers Specialise In Financial Theft

Uploaded on 2020-01-13 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

North Korean hackers have for years been using different tactics to run cyber-enabled financial thefts, most recently using fake companies to compromise cryptocurrency-related businesses. Now the hacking outfit has been tweaking some of its malware, delivery mechanisms, and payloads in an attempt to decrease their chances of getting caught.

According to a United Nations Report hackers have been used to steal the huge sums of money N. Korea needs to fund its nuclear weapons program,  using a network of the fake companies and websites to hide behind. These fake idnetities rarely pass close inspection test, the links on these weaponised websites don’t always work. Now, hackers known as Lazarus Group or APT38 have been getting increasingly careful in other areas, according to new Kaspersky Lab research.  

Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe. 

Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.

In the last two years, multiple researchers have revealed some of Lazarus Group’s latest antics relying on front companies. The hackers have been using a fake company, “JMT Trading,” to install backdoors to funnel funds to Pyongyang, multiple researchers revealed in 2019, for example. The year before, hackers were using another fake company, “Celas Trade Pro,” to target cryptocurrency exchanges. They have also used a fake website and company called “UnionCryptoTrader.”

In some cases they have developed their own macOS malware, with an authentication mechanism built in to deliver a secondary payload directly from memory. In the Windows version of the malware, Lazarus Group has updated its multi-stage infection process and changed the final payload it delivers.

Kaspersky has also identified several victims in the UK, Poland, Russia, and China and several of the victims are linked to cryptocurrency business entities.

Lazarus Group 
North Korean hacking campaigns have traditionally been focused on avoiding detection and tricking victims to unwittingly help fill out the DPRK’s coffers, which have been hampered in recent years as a result of economic sanctions. 
But some of the campaigns details reveal that beyond just changing its tactics to evade detection, Lazarus Group has also been more selective in choosing victims.

In a campaign targeting Windows users, for instance, attackers have included a final payload that is designed to run only on certain systems that appear to be predesignated, according to Kaspersky.
“Upon launch, the malware retrieves the victim’s basic system information … If the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory,” Kaspersky researchers write. “The final payload … was designed to run only on certain systems.”

The apparent increased specificity in targeting could indicate Lazarus Group is using previously gleaned intelligence, possibly from other hacking campaigns, to maximise its current fundraising efforts.

Research suggests that Lazarus Group delivered this highly targeted malware using Telegram, because it was executed from the Telegram messenger download folder. The goal of the campaign, aside from the obvious financial motivations, are not yet entirely clear.

SecureList:        Bloomberg:        Cyberscoop:

You Might Also Read:

N. Korea’s Hackers Stole $2b To Fund Its Missile Program:

 

« Unintended Consequences As Iran Admits It Destroyed Ukrainian Passenger Jet
Artificial & Augmented Intelligence Is Re-Making Banking »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

GFI Software

GFI Software

GFI Software works with System Administrators, IT Professionals and IT Executives to ensure that their IT infrastructures are monitored, managed, secured and compliant.

Delphix

Delphix

Delphix is the industry leader for DevOps test data management.

Deductive Labs

Deductive Labs

Deductive Labs consulting services help customers with their technology, security and automation challenges.

Dualog

Dualog

Dualog provides a maritime digital platform which ensures that services work reliably and securely onboard.

The Legal 500

The Legal 500

The Legal 500 Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. Practice areas covered include Data Protection, Privacy and Cybersecurity.

NetSecurity

NetSecurity

NetSecurity is a Brazilian company specializing in Information Security. We provide Managed Security Services (MSS), network security solutions and other specialist services.

CENSUS

CENSUS

CENSUS is a Cybersecurity services provider offering services to multiple industries worldwide such as Security Testing, Code Auditing, Secure SDLC, Vulnerability Research and Consulting Services.

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

Logit.io

Logit.io

Logit.io is a log analysis & management platform that provides a scalable solution for hosting the open-source tools Elasticsearch, Logstash, and Kibana.

Vizius Group

Vizius Group

The Vizius Group are a think tank of cybersecurity consultants who understand the mechanics and business value of risk reduction.

Rayzone Group

Rayzone Group

Rayzone Group offers a wide range of Cyber Security solutions and services, providing hollistic protection suitable for both enterprises and National cyber security centers.

SignMyCode

SignMyCode

SignMyCode is a one-stop shop for trusted and authentic code signing solutions to safeguard software.

Sardine

Sardine

Sardine is a leader in financial crime prevention. Using unparalleled device intelligence and behavior biometrics, Sardine applies machine learning to detect and stop fraud before it happens.

MIND

MIND

MIND is the first-ever data security platform that puts data loss prevention and insider risk management programs on autopilot, so you can automatically identify, detect and prevent data leaks.

Halo Security

Halo Security

Halo Security is a fast, easy, and scalable external attack surface management platform that gives security leaders deep visibility into their internet-facing assets.

Infrassist Technologies

Infrassist Technologies

We're Infrassist - a trusted white label Managed IT & Professional Services partner for MSP businesses.