Beware! Lazarus Group Strikes Cryptocurrency Users via Browser Extensions

Reinout te Brake | 05 Sep 2024 02:59 UTC

The North Korean hacker organization Lazarus Group has been making headlines in the cryptocurrency world with its intensified cyber attacks in September 2024. According to a recent report by cybersecurity firm Group-IB, Lazarus Group has introduced new malware strains targeting browser extensions and video conferencing applications, showcasing a new level of sophistication in their tactics.

Lazarus Group’s Browser Extension Attacks

One of the notable campaigns by Lazarus Group, called 'Contagious Interview,' initially targeted job seekers by disguising malware as job-related tasks. However, their latest move involves spreading fake video conferencing apps, such as the malicious "FCCCall," which poses as legitimate software to deceive users.

Once the fake app is installed, it deploys the BeaverTail malware, which is designed to steal credentials saved in browsers and data held by cryptocurrency wallet browser extensions. The malware additionally installs a Python-based backdoor, known as "InvisibleFerret," to further compromise the victim's system.

This recent campaign illustrates Lazarus Group's growing focus on crypto wallet browser extensions, specifically targeting popular wallets such as MetaMask, Coinbase Wallet, BNB Chain Wallet, TON Wallet, and Exodus Web3. Analysts at Group-IB have observed the group expanding its targets to a wide range of applications, using malicious JavaScript to lure victims into downloading harmful software under various pretexts.
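Because BeaverTail goes after wallet extensions, a defender's first question is which hosts and browser profiles actually have such extensions installed, so those machines can be prioritised for monitoring and user awareness. The script below is an added example (not code from the article or from Group-IB) that walks a Chromium-style "User Data" directory, reads each extension's manifest.json, and flags extensions whose name matches a heuristic keyword list built from the wallets named above. The profile paths, the keyword list, and the sample manifests it creates when no real profile is found are all assumptions constructed for illustration.

```python
"""
Inventory crypto-wallet browser extensions in Chromium-based browser profiles
(added defensive example; not from the article or the Group-IB report).
Matching is by the manifest "name" field against a heuristic keyword list
built from the wallets the article names. Sample data is constructed.
"""
import json
import tempfile
from pathlib import Path

# Heuristic keyword list (assumption): wallets the article says were targeted.
WALLET_KEYWORDS = ("metamask", "coinbase wallet", "bnb chain wallet",
                   "ton wallet", "exodus")


def default_user_data_dirs() -> list[Path]:
    """Standard Chrome profile roots per platform (assumed install locations)."""
    home = Path.home()
    candidates = [
        home / "AppData/Local/Google/Chrome/User Data",       # Windows
        home / "Library/Application Support/Google/Chrome",   # macOS
        home / ".config/google-chrome",                       # Linux
    ]
    return [p for p in candidates if p.is_dir()]


def find_wallet_extensions(user_data_dir: Path) -> list[dict]:
    """Return one record per installed extension whose name matches a wallet keyword."""
    hits = []
    # Layout: <User Data>/<Profile>/Extensions/<extension id>/<version>/manifest.json
    for manifest_path in user_data_dir.glob("*/Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        name = manifest.get("name", "")
        # Caveat: localised names appear as "__MSG_<key>__" and will not match by
        # keyword; such extensions need matching by extension id instead.
        if any(k in name.lower() for k in WALLET_KEYWORDS):
            parts = manifest_path.parts
            hits.append({
                "profile": parts[-5],
                "extension_id": parts[-3],
                "version": manifest.get("version", parts[-2]),
                "name": name,
            })
    return sorted(hits, key=lambda h: (h["profile"], h["extension_id"]))


def build_sample_user_data() -> Path:
    """Constructed sample profile tree standing in for a real 'User Data' directory."""
    root = Path(tempfile.mkdtemp(prefix="userdata_"))
    samples = {
        ("Default", "a" * 32, "11.0.0"): {"name": "MetaMask", "version": "11.0.0"},
        ("Default", "b" * 32, "1.2.3"): {"name": "Sample Ad Blocker", "version": "1.2.3"},
        ("Profile 1", "c" * 32, "2.0.1"): {"name": "Exodus Web3 Wallet", "version": "2.0.1"},
    }
    for (profile, ext_id, version), manifest in samples.items():
        ext_dir = root / profile / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    roots = default_user_data_dirs() or [build_sample_user_data()]
    for root in roots:
        for hit in find_wallet_extensions(root):
            print(f"{root}: profile={hit['profile']} id={hit['extension_id']} "
                  f"name={hit['name']!r} version={hit['version']}")
```

Run on an endpoint, the output is a per-profile list of wallet extensions that can be fed into an asset inventory; for fleet-wide use, replace the keyword heuristic with the extension ids your organisation has vetted, since name matching is only a first pass.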

As part of their evolving toolkit, Lazarus Group has introduced a new suite of Python scripts named "CivetQ," indicating a shift in their tactics to target blockchain professionals through popular job search platforms. This demonstrates the group's adaptability and persistence in devising new ways to infiltrate systems and compromise user data.

Lazarus Group’s Growing Threat to Crypto and Recent Exploitation of Microsoft Windows Vulnerabilities

Despite ongoing efforts to combat cyber threats, Lazarus Group remains a significant concern in the cryptocurrency sector, particularly due to its recent exploitation of Microsoft Windows vulnerabilities. The group has enhanced its methods by concealing malicious code in more intricate ways, making it increasingly challenging to detect and mitigate their attacks.

This escalation aligns with a broader trend highlighted by the Federal Bureau of Investigation (FBI), which recently issued a warning about North Korean hackers targeting employees in decentralized finance and cryptocurrency sectors through specialized social engineering campaigns. These campaigns are meticulously crafted to breach secure systems and pose a continuous threat to organizations with significant crypto holdings.

In a concerning development, Lazarus Group reportedly exploited a zero-day Microsoft Windows vulnerability, identified as CVE-2024-38193. This privilege escalation bug in the Windows Ancillary Function Driver for WinSock (AFD.sys) allowed attackers to gain elevated access to restricted parts of a compromised system without being detected.

Two researchers, Luigino Camastra and Milánek, discovered this security flaw, prompting Microsoft to address it in its monthly Patch Tuesday update in September 2024. The swift response from Microsoft demonstrates the ongoing battle against cyber threats and the importance of proactive measures to safeguard digital assets and sensitive information.
