North Korean hacking collective Lazarus Group is at it again, targeting blockchain engineers with advanced data exfiltration and Trojans that can remotely execute code.
A report from researchers Elastic Security observed a new attack that originated on Discord and targeted the cryptocurrency community. Using a simple social engineering strategy, the attackers try to convince the victim to download a file called “Cross-platform Bridges.zip”, thinking it is an arbitrage bot.
Arbitrage bots are usually legitimate pieces of code that allow users to automate buying crypto on one exchange and selling it on another where the price is slightly different. The changes in prices are minuscule, but with automation and a good amount of money to get started, some people claim the bots work well. Typically, the bots can be purchased for tens of thousands of dollars.
But it’s clear the victims wouldn’t get the bot. Instead, they would get the KandyKorn malware, built for macOS and capable of a number of things, including collecting system information, displaying folder contents, downloading and executing files on the victim’s endpoint, deleting files , terminating processes, stealing files and more.
The malware was built by the infamous Lazarus Group, the researchers claim, basing these claims on code and campaign overlaps with previous cases attributed to the North Koreans.
Lazarus is a well-known group, with strong ties to the North Korean government. It was reportedly behind some of the largest crypto heists in history, including the Ronin Bridge attack, which left the protocol some $600 million short. The stolen money is being used to finance the North Korean government and its nuclear program, Western intelligence agencies claim.
This group is also known for running fake job schemes, tricking developers into downloading malware during the ‘hiring process’.