North Korean group Lazarus linked to new crypto-currency hacking scheme

The campaign uses a modified version of an existing malware called Applegame, and relies on a crypto-currency site and even documents to gain access to systems.

Modified Lazarus malware uses a crypto site as a front

Volexity, a cybersecurity firm, has linked Lazarus, a North Korean hacker group already sanctioned by the U.S. government, to a threat involving the use of a crypto site to infect systems to steal information and crypto-currencies from third parties.

A Dec. 1 blog post revealed that in June, Lazarus registered a domain called “bloxholder.com”, which would later be presented as a company offering automatic crypto-currency trading services. Using this site as a front, Lazarus enticed users to download an application that served as a payload to deliver the malware Applegame, which is aimed at stealing private keys and other data from users’ systems.


The same strategy has been used by Lazarus before. However, this new scheme uses a technique that allows the application to “confuse and slow down” malware detection tasks.

Document macros

Volexity also found that the technique for spreading this malware to end users changed in October. The method shifted to Office documents, specifically a spreadsheet containing macros, a kind of program embedded in the document, designed to install the Applegame malware on the computer.

The document, identified as “OKX Binance & Huobi VIP fee comparision.xls”, presents the benefits that each of these exchanges’ VIP programs is supposed to offer at its different levels. To mitigate this type of attack, it is recommended to block the execution of macros in documents, and also to scan and monitor the creation of new tasks in the OS so that new, unidentified tasks running in the background are noticed. However, Volexity has not disclosed the level of reach achieved by this campaign.
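One way to act on the task-monitoring advice above, as an added example that is not code from Volexity or from the original article: a triage routine over the TaskName and TaskContent fields that Windows records in Security event 4698 ("A scheduled task was created"). The baseline, the path list, the list of script hosts and the sample records are all assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: user-writable locations; tune for your environment.
WRITABLE = re.compile(r"%(localappdata|appdata|temp|public)%|\\(appdata|temp|downloads)\\|\\users\\public\\", re.I)
# Assumption: script hosts and loaders that merit review when a task launches them.
PROXIES = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "cmd.exe"}

def review_task(task_name, task_content, baseline):
    """Return reasons a newly created task needs review; empty list means none."""
    reasons = []
    if task_name not in baseline:
        reasons.append("task not in baseline")
    # Task XML usually carries a UTF-16 declaration; drop it before parsing a str.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content))
    if (root.findtext("t:Settings/t:Hidden", "", NS) or "").strip().lower() == "true":
        reasons.append("task is hidden")
    for action in root.findall("t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", "", NS) or "").strip().strip('"')
        if WRITABLE.search(command):
            reasons.append("runs from user-writable path: " + command)
        if command.lower().rsplit("\\", 1)[-1] in PROXIES:
            reasons.append("launches script host or loader: " + command)
    return reasons

def make_task(command, hidden="false"):
    """Build constructed task XML in the Task Scheduler schema for the demo."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Settings><Hidden>{hidden}</Hidden></Settings>"
            f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>")

# Constructed sample records: (TaskName, TaskContent) as carried by event 4698.
BASELINE = {r"\Vendor\ProductUpdate"}
SAMPLE_EVENTS = [
    (r"\Vendor\ProductUpdate", make_task(r"C:\Program Files\Vendor\update.exe")),
    (r"\SyncHelper", make_task(r"C:\Users\alice\AppData\Roaming\sync\helper.exe", "true")),
    (r"\NightlyJob", make_task(r"C:\Windows\System32\wscript.exe")),
]

def triage(events, baseline):
    """Map each flagged task name to its list of reasons."""
    reviewed = ((name, review_task(name, xml, baseline)) for name, xml in events)
    return {name: why for name, why in reviewed if why}

if __name__ == "__main__":
    for name, why in triage(SAMPLE_EVENTS, BASELINE).items():
        print(name, "->", "; ".join(why))
```

Of the three constructed records, only the baseline task installed under Program Files passes without a finding.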


Lazarus was formally indicted by the U.S. Department of Justice (DOJ) in February 2021, implicating an agent of the group linked to a North Korean intelligence organization, the General Reconnaissance Bureau (RGB). Prior to that, in March 2020, the DOJ indicted two Chinese nationals for assisting in the laundering of more than $100 million in crypto-currency linked to Lazarus’ exploits.
