Skip to main content

Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals



The North Korean hacking group has turned greedy.

Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to be originated from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.

Active since 2009, Lazarus Group has been attributed to many high profile attacks, including Sony Pictures Hack, $81 million heists from the Bangladesh Bank, and the latest — WannaCry.

The United States has officially blamed North Korea for global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year.

In separate news, security experts have blamed Lazarus group for stealing bitcoins worth millions from the South Korean exchange Youbit, forcing it to shut down and file for bankruptcy after losing 17% of its assets.

Researchers from security firm Proofpoint have published a new report, revealing a connection between Lazarus Group and a number of multistage cyber attacks against cryptocurrency users and point-of-sale systems.
"The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies," the researchers said. "The Lazarus Group’s arsenal of tools, implants, and exploits is extensive and under constant development."
After analyzing a large number of spear phishing emails with different attack vectors from multiple spear phishing campaigns, researchers discovered a new PowerShell-based reconnaissance implant from Lazarus Group arsenal, dubbed PowerRatankba.

Encryption, obfuscation, functionality, decoys, and command-and-control servers used by PowerRatankba closely resembles the original Ratankba implant developed by Lazarus Group.

The PowerRatankba implant is being spread using a massive email campaign through the following attack vectors:
  • Windows executable downloader dubbed PowerSpritz
  • Malicious Windows Shortcut (LNK) files
  • Several malicious Microsoft Compiled HTML Help (CHM) files
  • Multiple JavaScript (JS) downloaders
  • Macro-based Microsoft Office documents
  • Backdoored popular cryptocurrency applications hosted on fake websites
PowerRatankba, with at least two variants in the wild, acts as a first-stage malware that delivers a fully-featured backdoor (in this case, Gh0st RAT) only to those targeted companies, organizations, and individuals that have interest in cryptocurrency.
"During our research, we discovered that long-term sandboxing detonations of PowerRatankba not running cryptocurrency related applications were never infected with a Stage2 implant. This may indicate that the PowerRatankba operator(s) were only interested in infecting device owners with an obvious interest in various cryptocurrencies," reads the 38-page-long report [PDF] published by Proofpoint.
Once installed, Gh0st RAT allows cybercriminals to steal credentials for cryptocurrency wallets and exchanges.

It's notable that PowerRatankba and Gh0st RAT don't exploit any zero-day vulnerability; instead, Lazarus Group relies on mixed programming practices, like C&C communication over HTTP, use of Spritz encryption algorithm and the Base64-encoded custom encryptor.
"It is already well-known that Lazarus Group has targeted and successfully breached several prominent cryptocurrency companies and exchanges," the researchers say. "From these breaches, law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today."
Besides stealing cryptocurrencies, the group was also found infecting SoftCamp point-of-sale (POS) terminals, largely deployed in South Korea, using RatankbaPOS malware for stealing credit card data.

Since RatankbaPOS was sharing same C&C server as the PowerRatankba implant, it is believed that both the implants are linked to Lazarus Group.

The explosive growth in cryptocurrency values has motivated not only traders but also hackers to invest all their time and resources in making digital wealth.

More details about the new malware campaigns run by Lazarus Group can be found in the in-depth report [PDF], titled "North Korea Bitten by Bitcoin Bug—Financially motivated campaigns reveal a new dimension of the Lazarus Group," published by PowerPoint on Wednesday. 
 Taken from hackernews

Comments

Popular posts from this blog

NanoCore developper busted and senteced for 33 months

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.

Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.

Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.
This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.
Huddleston admitted to the court that he created his software knowing it would be used by other cybercrimina…

ICEMAN : Infecting Crystal Finance Millennium

Iceman gang member confirms that they are behind the introduction and spreading of malwares that have affected Crystal Finance Millennium, a Ukraine-based accounting software firm. Was this a political based attack? Read more to find out.
I’ve had a chance to speak to one of the gang member on XMMP and he confirmed that the Iceman group is behind this attack. They started by a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company. He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.
The…

KillaMuvz: Undercovered british hacker

The Briton Goncalo Esteves (24), also known as KillaMuvz, has pleaded guilty to charges related to creating and running malware services. The Briton Goncalo Esteves (24) has pleaded guilty to charges related to creating and running malware services.
Such kind of platforms allows crooks to improve the development of their malicious codes. The malware created with the Esteves’ malware services would not be detected by antivirus software.
Esteves that was used the moniker ‘KillaMuvz’ is the creator of Cryptex tool commonly used by vxers to encrypt their files in an effort to avoid the detection. The first version of Cryptex was released in October 2011 and was continuously improved.
According to the NCA, Esteves has pleaded guilty to two computer misuse charges and one count of money laundering, the sentence is planned for February 12. “A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) a…