North Korean Hackers Target Crypto Firms in ‘Hidden Risk’ Campaign - Decrypt

11/08/2024 05:15
North Korean Hackers Target Crypto Firms in ‘Hidden Risk’ Campaign - Decrypt

North Korean hackers are now using phishing emails instead of their previous tactic of social media grooming, a research firm has found.

North Korean state-sponsored hackers expanded their arsenal, launching a new campaign dubbed ‘Hidden Risk’ that seeks to infiltrate crypto firms through malware disguised as legitimate documents.

In a Thursday report, hack research firm SentinelLabs connected the latest campaign to the notorious BlueNoroff threat actor, a subgroup of the infamous Lazarus Group, known for siphoning off millions to fund North Korea's nuclear and weapons programs.

The series of attacks is a calculated effort to extract funds from the fast-growing $2.6 trillion crypto industry, taking advantage of its decentralized and often under-regulated environment. 

The FBI recently issued warnings about North Korean cyber actors increasingly targeting employees of DeFi and ETF firms through tailored social engineering campaigns. 

The hackers’ latest campaign appears to be an extension of those efforts, focusing on breaching crypto exchanges and financial platforms.

Instead of their usual strategy of grooming social media victims, the hackers rely on phishing emails that appear as crypto news alerts, which began cropping up in July, according to the report.

Social media grooming typically refers to an elaborate strategy where cybercriminals build trust with targets over time by engaging with them on platforms like LinkedIn or Twitter. 

The emails, disguised as updates on Bitcoin (BTC) prices or the latest trends in decentralized finance (DeFi), lure victims into clicking on links that appear to lead to legitimate PDF documents, per the report.

But rather than opening a harmless file, unsuspecting users inadvertently download a malicious application onto their Macs.

The report found the new malware more concerning because it cleverly bypasses Apple’s built-in security protections. The hackers get their software signed with legitimate Apple Developer IDs, allowing it to evade macOS’s Gatekeeper system. 

Once installed, the malware uses hidden system files to stay undetected, even after the computer is restarted, and it communicates with remote servers controlled by the hackers.

The SentinelLabs report advises macOS users, particularly within organizations, to tighten their security measures and heighten their awareness of possible risks.

Edited by Sebastian Sinclair

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.

Read more --->