North Korea hackers are using fake software to breach cryptocurrency wallets of MacOS users.
The entity responsible for the hacks is the same group believed to have conducted the Sony Pictures system breach. Lazarus Group, as US intelligence and cybersecurity firms, have come to identify the group as is sponsored by the North Korean Reconnaissance General Bureau (RGB).
A Chainalysis report revealed how the hackers pose as legitimate Linkedin and Telegram profiles, only to execute clean phishing schemes targeting apple devices.
It isn’t the first time that intelligence firms are linking the Lazarus Group with a cybercrime incident. Following the 2017 WannaCry ransomware attack, a Google researcher Neel Mehta posted two code samples.
One from the Lazarus Contopee Cyber Weapon and another one from the WannaCry ransomware.
Additionally, another analysis during that year linked the North Korean team of hackers to the 2014 Sony Pictures hack and the $81 million Bangladesh bank heist.
The hackers are attempting to penetrate Mac computers using fake cryptocurrency software designed by the front firm. Forbes reported how in 2019, DragonEx lost at least $7 million to the hackers.
This was after the team of cybercriminals created a fake business with a professional website and Linkedin profiles. The fake business dubbed WFC wallet a legitimate version of bitcoin trading software but one infected with malware.
Installed versions of the software would open up backdoors on Apple computers. Hence, creating a loophole for the hackers to potentially siphon private keys of cryptocurrency wallets. Moreover, the alleged software had key-logging features for phishing data such as usernames, passwords, and security questions.
The hackers then went on to contact a DragonEx senior executive officer via Telegram. They asked her whether they could do business and requested that she download the WFCWallet. Nevertheless, the executive showed no interest in the partnership but the hackers kept persisting for weeks.
Meanwhile, an unnamed employee at DragonEx employee downloaded and installed the malicious wallet on a company MacBook.
No one knows the reason for the employee’s action but as it would turn out, the MacBook happened to have private keys for exchange client accounts. This gave the hackers an important piece of data, critical to accomplish their mission.
From hence, they took control of several cryptocurrency wallets and stole Bitcoins, Litecoins and Ripple. The lazarus hackers were so thorough to not leave even a single trace of their attack.
Well, the use of front companies during crypto campaigns in North Korea was initially spotted back in 2018. However, it is until the DragonEx hack that experts noted juts how effective the companies were in closing phishing attempts.
DragonEx described the attack as one of the most elaborate phishing campaigns it had witnessed in history. While recruiting Chainalysis to aid them in investigating the hack, the firm said it was one attack “on another level of sophistication.”
Most sources including Forbes believe that the Lazarus Group has been conducting top-notch hacking schemes for at least one decade now. At the beginning of the month, Kaspersky Lab researchers identified a barrel of malware that the group was deploying through telegram.
Meanwhile, it seems that the group was luring telegram users towards direct installations instead of online target diversion.
Data from Chainalysis showing how hackers have been executing crypto exchange attacks over the decade
According to the above Chainalysis report, the amount of cryptocurrency exchange hacks surged in 2019 than in other years. A total of eleven cyber attacks valued approximately $283 million. However, the total amount of funds lost in 2019 did not surpass figures from 2018. This is because of the massive Coincheck breach in 2018 amounted to approximately $534 million.
US intelligence believes that North Korea will continue stealing money to drive the manufacture of weapons. In fact, the US treasury noted about the Lazarus group that:
“It was perpetrating cyberattacks to support illicit weapon and missile programs.”