Lazarus Archives – Gridinsoft Blog

North Korean Hackers Force US, Japan & South Korea Consultations
https://gridinsoft.com/blogs/north-korean-hackers-us-japan-south-korea/
Wed, 08 Nov 2023 12:54:31 +0000

Increased activity by North Korean state hackers forced South Korea, the United States and Japan to create a special advisory group to coordinate cybersecurity efforts. The idea of consolidating efforts, apparently, was discussed back in August, at the international summit at Camp David.

The decision was made last week following negotiations in Washington between Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, and her South Korean and Japanese colleagues.

“It is aimed at strengthening the three countries’ effective response capabilities against global cyber threats, including jointly countering North Korea’s cyber activities that are a key source of funding for its nuclear and WMD programs,” the office of the South Korean President said.

As part of the initiative, regular quarterly meetings will be held in a new format.

North Korean hackers are state sponsored

North Korea is often accused of cyberattacks aimed at financing its missile and nuclear programs. As noted in a recent UN report, in 2022, hackers working for the DPRK were particularly likely to attack foreign companies to steal cryptocurrency. Thanks to high-tech methods, record amounts were stolen compared to previous years.

The UN said most of the cyberattacks its researchers looked at were carried out by groups controlled by North Korea’s top spy agency. These groups include Kimsuky, Lazarus Group and Andariel, and are monitored by the cybersecurity industry in the US, Europe and Asia.

“These actors continued to illicitly target victims to generate revenue and solicit information of value to the DPRK including its weapons programs,” the UN report states.

For example, the media reported that the FBI has officially attributed the hack of the Harmony Horizon cross-chain bridge to the Lazarus group. The robbery, which took place in summer 2022, resulted in the theft of $100 million worth of cryptocurrency assets.

Photo: Consultations on countering North Korean hackers. Senior security advisers In Seong-hwan (South Korea), Anne Neuberger (US) and Keiichi Ichikawa (Japan) in Washington DC (Source: Presidential Office)

North Korea’s activity in cyberspace has been growing in recent years

Aside from country-specific cyberattacks, North Korean hackers also launch supply chain attacks. For example, in April we reported that a group linked to the North Korean regime compromised the software supply chain of the company 3CX, which in turn led to a number of further supply chain attacks.

According to experts, the UNC4736 cluster behind that intrusion is associated with the financially motivated North Korean group Lazarus.

“We have determined that UNC4736 is associated with the same North Korean operators based on analysis of the Trojanized X_TRADER application. This is the first time we have found concrete evidence that an attack on a software supply chain led to another attack on another software supply chain,” Mandiant researchers said.

We have also written about North Korean operators hunting IT specialists. The attackers sought to infect researchers’ home systems and software with malware, aiming to infiltrate the networks of the companies their targets work for.

For this espionage campaign, the state-backed groups switched from phishing emails to fake LinkedIn accounts purporting to belong to HR staff. These accounts carefully imitate the identities of real people in order to deceive victims and increase the chances of a successful attack.

Having contacted the victim with an “interesting” job offer, the attackers try to move the conversation to WhatsApp and then use either the messenger itself or email to deliver a backdoor the researchers call Plankwalk, along with other malware.

North Korea as part of a new axis of evil

The North Korean regime is dangerous not only because it sponsors cyber attacks on Western enterprises and companies, and not only because of repression against its citizens and the testing of new missiles that threaten the democratic countries of the Pacific region.

Recently, the Russian and North Korean dictatorships agreed to supply Korean weapons for use during the Russian invasion of Ukraine. CNN reported that more than a million artillery shells were transferred to Russia as part of this agreement.

News of consolidated efforts against regimes that violate human rights can therefore only be welcomed. Cyberspace has become a battlefield not only against crime; the confrontation there is already taking place at the interstate level.

Lazarus Hackers Attack MacOS Users by impersonating Crypto[.]com
https://gridinsoft.com/blogs/lazarus-attack-macos-users/
Thu, 29 Sep 2022 09:17:38 +0000

SentinelOne has discovered that the North Korean hacker group Lazarus is selectively targeting macOS users. The attackers use fake Crypto[.]com job offers to compromise developers and digital artists in the cryptocurrency community. In the long term, the attackers are presumed to be after their victims’ digital assets and cryptocurrency.

We have previously reported that the North Korean group Lazarus attacks energy companies.

Let me also remind you that Crypto.com is one of the world’s leading cryptocurrency exchange platforms. The company gained mainstream attention in 2021 when it acquired the Los Angeles Staples Center and renamed it the Crypto.com Arena, followed by a series of television commercials.

SentinelOne analysts write that the campaign, which targets people working in the cryptocurrency industry, has been running since 2020. Until recently the attackers exploited the brand of another well-known cryptocurrency exchange, Coinbase; now they have switched to Crypto.com and are going after macOS users.

Typically, Lazarus will reach out to their targets via LinkedIn, sending them direct messages informing them of an interesting and high-paying job that Crypto.com is allegedly offering them.


As in previous campaigns targeting macOS, the hackers send victims a binary disguised as a PDF. It carries an embedded 26-page decoy document named Crypto.com_Job_Opportunities_2022_confidential.pdf describing jobs at Crypto.com.

In the background, this Mach-O binary creates a folder (WifiPreference) in the Library directory and drops the second- and third-stage files there. The second stage is WifiAnalyticsServ.app, which establishes persistence on the system (as wifanalyticsagent) and eventually connects to the control server at market.contradecapital[.]com, from which it receives the final WiFiCloudWidget payload.

Because the attackers’ binaries are signed, they pass Apple’s Gatekeeper checks and run as trusted software.
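An added defender's check, written for this post and not taken from SentinelOne or Gridinsoft: it applies the indicators quoted above (the WifiPreference folder, WifiAnalyticsServ.app, the wifanalyticsagent persistence label, the WiFiCloudWidget name and the C2 host) to constructed sample data, and also tests whether a file named .pdf actually begins with Mach-O magic, which is how a disguised first stage stands out from a real document. The file paths, plist text and DNS lines below are constructed, not real telemetry.

```python
import re

# Indicators as quoted in the post (the defanged [.] restored); all sample data below is constructed.
IOC_PATH_FRAGMENTS = ("Library/WifiPreference", "WifiAnalyticsServ.app", "WiFiCloudWidget")
IOC_PERSIST_LABEL = "wifanalyticsagent"
IOC_C2_DOMAIN = "market.contradecapital.com"
# Mach-O magic numbers: 32/64-bit in both byte orders, plus the fat (universal) header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def is_disguised_macho(name, head):
    """A '.pdf' whose first four bytes are Mach-O magic is an executable, not a document."""
    return name.lower().endswith(".pdf") and head[:4] in MACHO_MAGICS

def check_paths(paths):
    """Paths containing the staging folder, the second-stage app or the final payload name."""
    return [p for p in paths if any(frag in p for frag in IOC_PATH_FRAGMENTS)]

def check_launch_agents(plists):
    """plists maps plist path -> text; flag LaunchAgents that carry the persistence label."""
    return [p for p, text in plists.items() if IOC_PERSIST_LABEL in text.lower()]

def check_dns(lines):
    """Log lines naming the C2 host itself or any subdomain of it (not look-alike suffix matches)."""
    pat = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(IOC_C2_DOMAIN) + r"\.?(?![a-z0-9-])", re.I)
    return [line for line in lines if pat.search(line)]

def triage(files, plists, dns_lines):
    """files is a list of (path, first bytes); returns the hits per indicator class."""
    return {
        "disguised_pdf": [n for n, head in files if is_disguised_macho(n, head)],
        "files": check_paths([n for n, _ in files]),
        "persistence": check_launch_agents(plists),
        "c2_dns": check_dns(dns_lines),
    }

# Constructed sample data standing in for a host file survey, LaunchAgents and a DNS log.
SAMPLE_FILES = [
    ("/Users/dev/Downloads/Crypto.com_Job_Opportunities_2022_confidential.pdf", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),
    ("/Users/dev/Documents/invoice.pdf", b"%PDF-1.7\n"),
    ("/Users/dev/Library/WifiPreference/WifiAnalyticsServ.app/Contents/MacOS/WifiAnalyticsServ", b"\xcf\xfa\xed\xfe"),
]
SAMPLE_PLISTS = {
    "/Users/dev/Library/LaunchAgents/com.apple.wifanalyticsagent.plist": "<key>Label</key><string>wifanalyticsagent</string>",
    "/Users/dev/Library/LaunchAgents/com.example.sync.plist": "<key>Label</key><string>com.example.sync</string>",
}
SAMPLE_DNS = [
    "2022-09-28T10:01:02Z A market.contradecapital.com from 10.0.0.12",
    "2022-09-28T10:01:05Z A notmarket.contradecapital.com from 10.0.0.12",
]
```

Any non-empty list returned by triage() is worth an incident ticket; the look-alike DNS line is deliberately left out of the hits so the C2 match does not fire on unrelated hosts that merely share a suffix.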

Unfortunately, the researchers were unable to study the group’s final payload, as the hackers’ C&C server was already down at the time of the investigation. However, they note that there are some indications that this operation is short-lived, which is quite typical of Lazarus phishing campaigns.

“The hackers made no effort to encrypt or obfuscate the binaries, which likely indicates that this campaign is short-lived or that there is no fear of being detected,” the analysts said.

North Korean Group Lazarus Attacks Energy Companies
https://gridinsoft.com/blogs/north-korean-group-lazarus/
Mon, 12 Sep 2022 08:15:33 +0000

A new malware campaign by the North Korean hacker group Lazarus has been discovered, which was active from February to July 2022. This time the hackers have targeted energy suppliers around the world, including companies in the US, Canada and Japan.

Let me remind you that we also reported that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies, and that cybersecurity researchers discovered the Chinese hacking group Earth Lusca.

Cisco Talos experts, who describe the new campaign, say that Lazarus’s goal was “to infiltrate organizations around the world to establish long-term access and subsequent theft of data of interest to the enemy state.”

Whereas earlier Lazarus attacks used the Preft (Dtrack) and NukeSped (Manuscrypt) malware, the new campaign was notable for several other tools: the VSingle HTTP bot, which executes arbitrary code on a remote network; the YamaBot backdoor, written in Go; and the previously unknown remote access Trojan (RAT) MagicRAT, which has been used to find and steal data from infected devices but can also launch additional payloads on them.

It is worth noting that Symantec and AhnLab analysts had already written about this Lazarus activity, but the latest Cisco report is more in-depth and reveals many more details about the hackers’ operations.

It is known that Lazarus obtained initial access to the corporate networks of its victims by exploiting vulnerabilities in VMware products (for example, Log4Shell). These problems have been used to run shellcode, create reverse shells, and execute arbitrary commands on a compromised machine.

“Although the same tactics were used in the attacks, the resulting malware deployed was different from each other, indicating a wide variety of implants at the disposal of Lazarus,” the researchers say.


In one of the attacks, the use of VSingle allowed the attackers to perform a range of actions, including reconnaissance, data theft and manual installation of backdoors, which gave them a clear picture of the victim’s environment. In essence, this malware sets the stage for credential theft, creates new admin users on the host, and installs a reverse shell to communicate with the command and control server and download plugins that extend its functionality.


In another case, after gaining initial access and conducting reconnaissance, the hackers used not only VSingle, but also MagicRAT, to which the researchers paid special attention and devoted a separate post.

The Trojan persists on the victim’s system by executing hard-coded commands and creating scheduled tasks, conducts reconnaissance, and retrieves additional malware (such as TigerRAT) from the command-and-control server.

In the third case, Lazarus deployed YamaBot, a Go-written malware with standard RAT features, to the affected systems:

  1. listing files and directories;
  2. transferring information about processes to the control server;
  3. downloading remote files;
  4. execution of arbitrary commands and self-destruction.

It is also noted that the group used not only its own tools but also well-known utilities such as Mimikatz and ProcDump to harvest credentials in victims’ networks, disabled antivirus components and Active Directory services, and covered its tracks once the backdoors were active.
