The North Korean hacker group Lazarus stepped up its cyberattacks on the cryptocurrency market in September 2024 by introducing new malware variants that target browser extensions and video conferencing apps, according to a recent report from cybersecurity firm Group-IB.
The report describes how the group has expanded its activities to include these platforms using increasingly sophisticated malware variants.
Lazarus Group Attacks Browser Extensions
In addition to the "Contagious Interview" campaign, which tricked job seekers into downloading malware under the guise of job-related tasks, the Lazarus group has now expanded its attacks to include fake video conferencing apps.
The scheme now includes a fake video conferencing app called "FCCCall" that mimics legitimate software.
Once installed, the app drops the BeaverTail malware, a JavaScript stealer that harvests browser credentials and data from cryptocurrency wallet browser extensions.
It then installs a Python-based backdoor called "InvisibleFerret", which gives the attackers remote control of the victim's system.
This latest campaign highlights their increasing focus on cryptocurrency wallets that use browser extensions, specifically MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3.
Group-IB analysts note that the group now targets a wider range of wallet extensions than in earlier campaigns.
The lure is a Node.js project containing the malicious JavaScript, which victims are asked to download and run under the guise of a code review or analysis task.
Group-IB researchers have identified a new set of Python scripts, dubbed "CivetQ", as part of the group's evolving toolkit.
These scripts indicate a shift in tactics aimed at blockchain professionals recruited via job boards such as WWR (We Work Remotely), Moonlight, and Upwork.
After making initial contact, the hackers typically move the conversation to Telegram. There, they trick victims into downloading a fake video conferencing app or Node.js project, claiming it is necessary for a technical interview.
The Lazarus Group’s Growing Threat to Cryptocurrency and Recent Microsoft Windows Exploit
The Lazarus group continues to be a threat to the cryptocurrency sector, especially given its recent exploitation of a Microsoft Windows vulnerability.
The group has improved its methods, making its malware harder to detect by hiding its malicious code in new and more sophisticated ways.
This escalation reflects broader trends noted by the Federal Bureau of Investigation (FBI), which recently warned that North Korean hackers are targeting employees in the decentralized finance and cryptocurrency industries with highly targeted social engineering campaigns.
These campaigns are designed to penetrate even the most secure systems, posing a persistent threat to organizations with significant crypto assets.
In a related development, the Lazarus group allegedly exploited a zero-day vulnerability in Microsoft Windows.
The vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), is a privilege escalation flaw in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
Two Gen Digital researchers, Luigino Camastra and Milanek, discovered the flaw, which allowed attackers to elevate their privileges and gain unauthorized access to restricted areas of the system without being detected.
Microsoft fixed the vulnerability as part of its monthly Patch Tuesday update in August 2024.