The North Korean hacker group Lazarus has struck again. According to a paper published by Volexity, they have launched a campaign targeting cryptocurrency users and organizations with a variant of the AppleJeus malware. Cybercriminals use a cryptocurrency-themed website whose content comes from a legitimate site. Visitors to this fake site are tricked into downloading an application which actually installs a DLL, which later installs the AppleJeus malware on the victim’s Windows PC. The latter accesses the Internet and steals their cryptocurrencies. The malware in question is well known to cybercrime services. It would have appeared on their radars as early as 2018. The version used in this campaign, however, is different.
To read — Bitcoin: for the European Central Bank, the most famous cryptocurrency is obsolete
The phishing campaign launched by Lazarus Group reportedly started in June 2022 and spanned several months. The hackers reportedly used the “BloxHolder” domain, which copies content from the HaasOnline crypto exchange platform. The hacker site claimed to distribute a legitimate application called QTBitcoinTrader. In reality, the latter was infested with malware. The criminals then evolved their concept: rather than proposing a corrupt installer, they placed their virus in an Excel file called “OKX Binance & Huobi VIP fee comparision.xls” . The latter contained a macro that created three files on the computer of their victims.
The virus is installed through a macro placed in a Microsoft Excel file
Once installed, the malware collects the MAC address of its target, the name of the computer as well as the version of the operating system and sends them to a control center. According to the researchers, the novelty of the technique used by hackers lies in the fact that the DLLs are loaded through procedures authorized by Windowswhich prevents antiviruses from spotting their malicious action.
Lazarus Group made headlines for the first time in 2017, with the famous WannaCry which devastated thousands of PCs. He is also accused of committing the biggest cryptocurrency theft of all time. Washington offers $5 million bounty to whom can give information allowing them to stop their activities.
Source: Bleeping Computer