Lazarus Hacker Group Returns, Steals Cryptos Through Telegram

ransomware cyber criminal

Security researchers from Kaspersky Labs recently revealed that the North Korean hacking group, Lazarus, might be stealing cryptocurrencies via Telegram.


North Korea’s interest in crypto on the rise

North Korea is known for being one of the few most unpredictable and most concerning countries around the world. Over the years, it’s been reported that the country is trying to develop nuclear weapons, and fund a number of other initiatives that are a concern for other countries.

Its progress was seemingly stopped, or at least slowed down, due to US sanctions, but the country recently started developing an interest in cryptocurrencies. In fact, it even invited a US citizen from Singapore, Virgil Griffith, to come and educate the country about cryptocurrencies. Doing so later led to Griffith’s arrest as soon as he stepped on the US soil in late November 2019.

Now, it seems that North Koreans hackers, known as the Lazarus group, seem to be targeting cryptocurrencies in their new crypto-stealing campaign.

Kaspersky issues a warning against Lazarus

According to a recent statement published by security researchers at Kaspersky, it would appear that the Lazarus group is doubling its efforts to steal as much digital currency as possible. However, Kaspersky also found evidence that the group is using a different approach in its latest campaign.

The group has targeted cryptocurrencies before, but this time, its methodology is different. Its members are using more efficient tactics, and taking more careful steps, as the report warns. The group worked on improving its stealth while infecting systems and retrieving digital coins from them.

It allegedly does this by using a malware that executes in memory, rather than running on HDDs, which allows it to remain undetected. Furthermore, researchers believe that the group is using Telegram — a popular messaging app that created its own digital currency, Gram — due to its large crypto community.

How does the attack work?

Lazarus’ new initiative is named Operation APpleJeus Sequel, which follows the APpleJeus campaign discovered in 2018. One thing remains the same, however, and that is the fact that the campaign still uses fake crypto trading firms to lure in investors.

These fake companies even feature websites filled with links to fake Telegram trading groups where the hackers continue to deceive their soon-to-be victims. Not only that, but they use the Telegram messenger app to deliver a malicious payload which infects Microsoft Windows’ operating system.

After the system is infected, attackers can access it remotely and appropriate the cryptocurrency held inside the device. So far, researchers managed to identify a number of victims throughout Europe, but also in China. Furthermore, multiple victims were not individuals, but cryptocurrency businesses. However, it is still unknown how much the hackers have managed to steal during the new campaign.

What is known, however, is that last year, the UN reported that Korean hackers stole an estimated $2 billion by hacking financial institutions and crypto exchanges. Some of its biggest hits on crypto exchanges include the hack of Bithumb, Youbit, and a crypto cloud mining marketplace, Nicehash.

In this instance, a spokesperson from Telegram has urged users not to panic. The malware does not reflect a breach of Telegram’s security, and is no different to the type of downloadable malware that is present on malicious websites or emails.

The malware is being distributed as part of a file that is downloaded on target systems – this is no different than downloading it from a website or receiving it in an email. Users can prevent this by using proper digital hygiene: only download files from sources you trust and use a reputable antivirus program.

What do you think about Lazarus’ stealthy return to stealing cryptocurrencies? Let us know your thoughts in the comments below.


Images via Shutterstock

Exit mobile version