North Korean hackers are at it again, with the group “Lazarus” setting their sights on cryptocurrency exchanges. Information security firm Kaspersky Lab described the latest campaign on its Securelist blog, saying that the hacking group is tricking unsuspecting users into downloading cryptocurrency-related software laced with malware.
“Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe,” the company wrote. “Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and FinTech companies.”
Kaspersky recently discovered the attack while investigating a crypto exchange that Lazarus had breached using a trojanized cryptocurrency trading application. The update had been offered to the company via email, and an unwitting employee downloaded it from a legitimate-looking website. Their computer was then infected with malware known as Fallchill, an old tool that Lazarus is now using again. Fallchill gives the attackers remote control of an infected computer as soon as it is installed.
The malware appears to come from an application called Celas Trade Pro from Celas Limited, which looks like a legitimate product. The app, which any user can download, is marketed as an “all-in-one style” cryptocurrency trading program.
“At the end of the installation process, the installer immediately runs the Updater.exe module with the ‘CheckUpdate’ parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail[s], as usual,” Kaspersky added.
So far, the attackers appear to be targeting software supply chains and the businesses that depend on them rather than stealing cryptocurrency outright (yet).
“This should be a lesson to all of us, and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems,” Kaspersky warned. “Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!”
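The point Kaspersky makes about the signed updater and its closing advice translate directly into an install-time control: a valid code-signing signature proves who signed a file, not that its contents are safe, so the expected build must be approved separately. The following Python script is an added example, not code from the article or from Kaspersky; the signer name, file names, binary contents and pinned hash are all constructed for illustration, and the signature result is a stand-in for whatever platform check (for example Authenticode) an organisation actually runs.

```python
# Added example, not from the article or from Kaspersky's report: an install-time
# trust policy that treats a valid code-signing signature as necessary but not
# sufficient. The signature only proves who signed the file; the content is
# approved separately by a SHA-256 pinned out-of-band. All names and values
# below are constructed for illustration.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureInfo:
    """Stand-in for the result of a platform signature check (e.g. Authenticode)."""
    valid: bool      # did the signature verify?
    signer: str      # subject name on the signing certificate


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries: the vendor's genuine updater and a trojanized
# build that carries the same vendor's (valid) signature.
GENUINE_UPDATER = b"constructed genuine updater bytes v1.0"
TROJANIZED_UPDATER = GENUINE_UPDATER + b"\x00constructed backdoor stub"

# Allowlist keyed by file name. The pinned hash must come from a channel other
# than the download site (e.g. a release manifest obtained directly from the vendor).
ALLOWLIST = {
    "Updater.exe": {
        "signer": "Example Vendor Ltd",          # hypothetical signer name
        "sha256": sha256_hex(GENUINE_UPDATER),   # pinned hash of the approved build
    }
}


def evaluate(name: str, data: bytes, sig: SignatureInfo, allowlist=ALLOWLIST):
    """Return ('allow', reason) or ('block', reason) for a file about to execute.

    Every check must pass. A file validly signed by the expected vendor whose
    hash is not pinned is still blocked, which is exactly the case of a
    trojanized updater carrying the vendor's own signature.
    """
    entry = allowlist.get(name)
    if entry is None:
        return "block", f"{name} is not on the allowlist"
    if not sig.valid:
        return "block", f"{name} signature did not verify"
    if sig.signer != entry["signer"]:
        return "block", f"{name} signed by unexpected signer {sig.signer!r}"
    digest = sha256_hex(data)
    if digest != entry["sha256"]:
        return "block", (f"{name} has a valid signature from {sig.signer!r} "
                         f"but its SHA-256 {digest[:12]}... is not the approved build")
    return "allow", f"{name} matches pinned hash and expected signer"


def audit(files, allowlist=ALLOWLIST):
    """Evaluate a batch of (name, bytes, SignatureInfo) and return the verdicts."""
    return [(name, *evaluate(name, data, sig, allowlist)) for name, data, sig in files]


if __name__ == "__main__":
    vendor_sig = SignatureInfo(valid=True, signer="Example Vendor Ltd")
    for name, verdict, reason in audit([
        ("Updater.exe", GENUINE_UPDATER, vendor_sig),
        ("Updater.exe", TROJANIZED_UPDATER, vendor_sig),
        ("Updater.exe", GENUINE_UPDATER, SignatureInfo(valid=True, signer="Other Co")),
        ("Helper.exe", GENUINE_UPDATER, vendor_sig),
    ]):
        print(f"{verdict:5} {reason}")
```

The second case in the usage block is the one the article describes: the signature verifies and belongs to the expected vendor, yet the file is blocked because its hash does not match the build that was approved through an independent channel. In practice the pinned hashes would live in a managed configuration rather than in the script, and the `SignatureInfo` would be populated from the operating system's own verification API.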