Russia-based cybersecurity and anti-virus provider Kaspersky Lab has warned that hacker groups believed by many to be backed by North Korea are still focusing their attacks on cryptocurrency exchanges. Furthermore, the hackers are quickly learning new tactics to evade detection.
The anti-virus company said yesterday that these attacks were mainly financially motivated, with the infamous Lazarus APT hacker group mainly targeting financial institutions, especially crypto exchanges:
“Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection.”
The company referenced its research publication from mid-2018, which highlighted the main vehicle for the scam: a fake company offering a product with a backdoor. Lazarus APT was also known to have gained the ability to target Mac OS systems, which was especially important because many users are misled into thinking the OS is safer than the more popular Windows products.
A new operation has since been discovered, dating from as early as November 2018, which uses what Kaspersky Lab calls a “macro-weaponized document” to infect users: a PowerShell script to control Windows systems, and Mac OS malware for Apple users.
The firm described Lazarus as well-organized, demonstrated by the sophistication of their malware population:
“… not only have we seen them build redundancy to reserve some malware in case of in-operation hot spare replacement of ‘burnt’ (detected) samples but they also conform to specific internal standards and protocols when developing backdoors. This case is no different. They have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects.”
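Two of the behaviours described above (a macro-laden document launching PowerShell, and PowerShell talking to a server whose script names imitate WordPress files) can be turned into simple host-based detection logic. The following is an added example, not code from Kaspersky Lab or from the report; the event field names and the sample events are constructed for illustration.

```python
import re

# Office applications that commonly carry malicious macros, and the script
# hosts a macro typically launches. Process names are compared case-insensitively.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Paths that imitate WordPress script files. A real blog serves these too, so the
# signal is "PowerShell requests such a path", not the path on its own.
WP_LIKE = re.compile(
    r"/(wp-[a-z]+\.php|wp-(admin|includes)/[\w/-]+\.php|xmlrpc\.php)(\?|$)", re.I
)


def office_spawns_powershell(ev):
    """Process-creation event where an Office app is the parent of PowerShell."""
    return (
        ev.get("type") == "process"
        and ev.get("parent", "").lower() in OFFICE_PROCS
        and ev.get("image", "").lower() in SCRIPT_HOSTS
    )


def powershell_beacons_wp_path(ev):
    """Network event where PowerShell requests a WordPress-looking script path."""
    return (
        ev.get("type") == "http"
        and ev.get("image", "").lower() in SCRIPT_HOSTS
        and WP_LIKE.search(ev.get("url", "")) is not None
    )


def triage(events):
    """Return (rule, host, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        if office_spawns_powershell(ev):
            alerts.append(("office-macro-powershell", ev["host"], ev["cmd"]))
        elif powershell_beacons_wp_path(ev):
            alerts.append(("powershell-wp-like-c2", ev["host"], ev["url"]))
    return alerts


# Constructed sample telemetry: two suspicious events and two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc <constructed>"},
    {"type": "http", "host": "ws01", "image": "powershell.exe",
     "url": "http://example.invalid/wp-cron.php?id=1"},
    {"type": "process", "host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File backup.ps1"},
    {"type": "http", "host": "ws02", "image": "chrome.exe",
     "url": "http://example.invalid/wp-login.php"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the two ws01 events; the interactive PowerShell launch and the browser visit to a real login page are left alone.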
Users are advised to exercise extra caution when using or installing third-party apps and software on both Windows and Mac OS systems.