The Crypto Desk

“Lazarus Group Strikes Crypto Users with Malicious Browser Extension Attacks”


The Lazarus Group’s Escalating Attacks on Cryptocurrency

The North Korean state-sponsored group known as the Lazarus Group has intensified its attacks on the cryptocurrency sector through September 2024. According to a report published that month by cybersecurity firm Group-IB, the group has added new malware to its toolset: an information stealer that harvests data from browser-extension cryptocurrency wallets, and a trojanised installer disguised as a video conferencing application.

Ongoing Campaigns Against Job Seekers

The Lazarus Group continues to target job seekers. Group-IB researchers identified updates to the toolset, including a new set of Python scripts tracked as CivetQ, which expands the group's capabilities for deceiving and then compromising victims.

Targeting Browser Extensions

One of the group's main methods is a campaign dubbed "Contagious Interview." In this scheme, job seekers are contacted with a fake job offer and enticed to download malware disguised as work-related software. The lure has recently been extended with a fraudulent video conferencing application named "FCCCall."

This counterfeit software closely imitates legitimate video conferencing tools. When installed, it drops the BeaverTail information stealer, which collects browser-stored credentials and data from cryptocurrency wallet extensions. BeaverTail also acts as a downloader for a Python-based backdoor called "InvisibleFerret," which gives the operators persistent remote control of the victim's system.

Broader Targets and Enhanced Tactics

The Lazarus Group has broadened its target list to cover popular browser-extension cryptocurrency wallets, including MetaMask, Coinbase Wallet, BNB Chain Wallet, TON Wallet and Exodus Web3. The malicious JavaScript is delivered in code projects that victims are asked to review or complete as a job-interview task, so the victim runs the malware themselves under the belief that it is part of the hiring process.

Group-IB also describes CivetQ, a new set of Python scripts, as a tactical evolution aimed at blockchain professionals recruited through job platforms such as WWR (We Work Remotely), Moonlight and Upwork. The toolkit additionally installs AnyDesk configured for unattended access, which gives the operators persistence on the host alongside the theft of browser extension data.
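As an added illustration, not code from the Group-IB report or from the original article: a Python detection routine that runs over constructed file-access events (Sysmon-style process and target path pairs) and flags any non-browser process that reads Chromium wallet-extension storage or the browser's credential stores, which are the artefacts the article says BeaverTail collects. The MetaMask and Coinbase Wallet entries use their Chrome Web Store extension IDs; the process names, the default Chrome profile layout on Windows and the sample events are assumptions made for the example. Readers should add the other wallets named above after confirming their IDs in the Chrome Web Store.

```python
"""Flag non-browser processes reading wallet-extension storage or browser credential files.

The events below are constructed for this example; in practice they would come from
Sysmon (Event ID 11/23 style file events) or an EDR's file-access telemetry.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Chrome Web Store extension IDs. Only wallets whose IDs are confirmed are listed;
# the remaining wallets from the article should be added after verifying their IDs.
WALLET_EXTENSION_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
}

# Chromium profile files that hold saved logins, autofill data and session cookies.
CHROMIUM_CREDENTIAL_FILES = {"Login Data", "Web Data", "Cookies"}

# Processes that legitimately read their own profile directories (assumed list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}

PROFILE = r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default"

# Constructed sample events: pid, image (process path), target (file read).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": PROFILE + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log"},
    {"pid": 7788, "image": r"C:\Users\dev\AppData\Local\Programs\Python\Python311\python.exe",
     "target": PROFILE + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log"},
    {"pid": 7788, "image": r"C:\Users\dev\AppData\Local\Programs\Python\Python311\python.exe",
     "target": PROFILE + r"\Login Data"},
    {"pid": 9001, "image": r"C:\Program Files\nodejs\node.exe",
     "target": r"C:\Users\dev\project\node_modules\express\index.js"},
    {"pid": 9001, "image": r"C:\Program Files\nodejs\node.exe",
     "target": PROFILE + r"\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT"},
]


def classify_path(target):
    """Return ("wallet", name), ("credentials", filename) or None for a target path."""
    parts = PureWindowsPath(target).parts
    # Wallet extension storage lives under <profile>\Local Extension Settings\<extension id>\
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "local extension settings":
            ext_id = parts[i + 1].lower()
            if ext_id in WALLET_EXTENSION_IDS:
                return ("wallet", WALLET_EXTENSION_IDS[ext_id])
    # Credential stores sit directly in a profile under "User Data".
    if parts[-1] in CHROMIUM_CREDENTIAL_FILES and "User Data" in parts:
        return ("credentials", parts[-1])
    return None


def find_suspicious_reads(events):
    """Return one finding per event where a non-browser process touches sensitive browser data."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if image in BROWSER_PROCESSES:
            continue  # the browser reading its own profile is expected
        hit = classify_path(ev["target"])
        if hit is None:
            continue
        findings.append({"pid": ev["pid"], "image": image, "kind": hit[0],
                         "what": hit[1], "target": ev["target"]})
    return findings


def summarize(findings):
    """Collapse findings per process. Reading both wallet storage and credential
    files from one process matches the stealer behaviour described and is rated high."""
    by_pid = defaultdict(lambda: {"image": None, "kinds": set(), "items": set()})
    for f in findings:
        entry = by_pid[f["pid"]]
        entry["image"] = f["image"]
        entry["kinds"].add(f["kind"])
        entry["items"].add(f["what"])
    report = {}
    for pid, e in by_pid.items():
        severity = "high" if {"wallet", "credentials"} <= e["kinds"] else "medium"
        report[pid] = {"image": e["image"], "severity": severity,
                       "items": sorted(e["items"])}
    return report


if __name__ == "__main__":
    for pid, entry in summarize(find_suspicious_reads(SAMPLE_EVENTS)).items():
        print(pid, entry["image"], entry["severity"], ", ".join(entry["items"]))
```

In the constructed sample, chrome.exe reading MetaMask's storage is ignored, python.exe reading both MetaMask storage and Login Data is rated high, and node.exe reading Coinbase Wallet storage is rated medium. The node.exe case matters for this campaign: BeaverTail is JavaScript that the victim launches with Node as part of a supposed coding task, so Node touching a wallet directory is worth an alert even without a credential-file read.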

Exploitation of Microsoft Windows Vulnerabilities

The threat the Lazarus Group poses to the cryptocurrency sector is compounded by its recent exploitation of vulnerabilities in Microsoft Windows. The group's tradecraft has evolved to hide malicious code more effectively, making detection difficult. This fits the FBI's recent warning that North Korean actors are targeting employees of decentralized finance and cryptocurrency companies with tailored social engineering.

In one notable incident, the Lazarus Group reportedly exploited a zero-day vulnerability in Windows, tracked as CVE-2024-38193 (CVSS score 7.8), a flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys). It is a local elevation of privilege: an attacker who already has code running on the host gains SYSTEM privileges and from there can load a kernel-mode rootkit (FudModule) that disables endpoint security tools. Microsoft patched it in the August 2024 Patch Tuesday update. Earlier in 2024 the group used a similar privilege escalation flaw in the Windows AppLocker driver (appid.sys), CVE-2024-21338, patched in February 2024, for the same purpose. Organisations in the sector should confirm that both updates are installed and that their EDR alerts on unexpected driver loads.

