North Korean macOS Malware Detected on Crypto Platform

Security researchers have encountered a new cryptocurrency-focused macOS malware, believed to be the work of a North Korean group of hackers known as Lazarus.

As reported by Bleeping Computer on Dec. 4, the malware is capable of retrieving payloads from remote locations and running them in memory rather than writing them to disk, which is very uncommon for macOS. Because the payload never touches disk, this makes the malware hard to detect and forensic analysis extremely difficult. When the researchers analyzed the software on the malware and virus detection site VirusTotal, only 4 antivirus engines initially flagged it as malicious; that number had risen only to 5 at the time of publication.

Lazarus Strikes Again

Researcher Dinesh Devadoss first encountered the malicious software on a website, unioncrypto.vip, that advertised a trading platform for “smart cryptocurrency arbitrage”. The suspicious website did not display any download links, but hosted a malware package under the name “UnionCryptoTrader.”

Security researcher and macOS hacker Patrick Wardle analyzed the malware found by Devadoss and determined that “there are some clear overlaps” with another malware implant that has also been attributed to Lazarus and found by Malware Hunter Team less than two months ago. At the time, the researchers detected that Lazarus had created another malware targeting Apple Macs that masquerades behind a fake cryptocurrency firm.

North Korean Headlines

North Korea has been making headlines in the blockchain and crypto news recently: Ethereum research scientist Virgil Griffith was arrested in Los Angeles last week and charged with allegedly aiding in the circumvention of U.S. sanctions placed on North Korea. Griffith gave a presentation in North Korea on blockchain and cryptocurrency, although his supporters have argued that all the information discussed is open information that anyone can access. Griffith was released from jail on bond and is awaiting trial. The Ethereum community has expressed its strong support for Griffith, and Ethereum co-founder Vitalik Buterin has publicly declared that he will do everything possible to clear Griffith’s name and has been sharing a petition to free the blockchain developer.

Image via Shutterstock

US Treasury Sanctions Two Men Accused of Laundering Crypto for North Korean Cyber Crime Syndicate

The US Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned two men believed to be involved in laundering stolen cryptocurrency from a 2018 cyberattack against a cryptocurrency exchange.

The Chinese nationals, Jiadong Li and Yinyin Tian, have been added to OFAC’s Specially Designated Nationals List, according to an update by the US Treasury earlier today. The two men are believed to be part of the Lazarus group, a cybercrime syndicate alleged to be working in collusion with the North Korean government; OFAC has also blacklisted 20 Bitcoin addresses associated with the pair.

Sanctioned Chinese Nationals

According to a press release on March 2, Tian and Li received, from DPRK-controlled accounts, roughly $91 million that had been stolen in an April 2018 hack of an unnamed cryptocurrency exchange, and an additional $9.5 million from a hack of another exchange.

OFAC determined that Tian and Li transferred the currency among a series of addresses, siphoning off a small portion to an alternate address with each transfer. The US Treasury describes this laundering process as a “peel chain.”

As a result of today’s action, all property and interests in property of these individuals that are in the United States or in the possession or control of US persons, including the 20 BTC accounts, must be blocked and reported to OFAC.

North Korea’s Ties to Cyber Crime

The Democratic People’s Republic of Korea (DPRK) has reportedly been training cybercriminals to target and launder stolen funds from financial institutions, with a series of attacks leading to a subsequent UN investigation last year.

On Sep. 13, 2019, the US Treasury identified the Lazarus Group, along with Bluenoroff and Andariel, as North Korean hacking entities based on their relationship to the DPRK’s primary intelligence agency, the Reconnaissance General Bureau (RGB).

As reported by Blockchain.News, the Lazarus group also made headlines in December 2019 when security researcher Dinesh Devadoss encountered a newly designed piece of cryptocurrency-focused macOS malware on a website, unioncrypto.vip, that advertised a trading platform for “smart cryptocurrency arbitrage”. All evidence pointed to the work of the North Korean cyber group.

The Treasury strongly believes that North Korea’s malicious cyber activity, which often targets cryptocurrency exchanges, is a key revenue generator for its totalitarian regime.

The release does not name either of the hacked exchanges; however, last November the South Korean exchange Upbit was the subject of an attack in which a total of 342,000 ETH, worth $50 million at the time, was stolen from the Upbit Ethereum hot wallet.


US Court Indicts Alleged Lazarus Group Members in $250 Million Crypto Exchange Theft

While blockchain, the underlying technology of cryptocurrency, is promoted as cryptographically secure, the exchanges that hold cryptocurrencies are still prone to cyberattacks.

Two Chinese nationals, Tian YinYin and Li Jiadong, were sanctioned yesterday by the US Government for their alleged involvement in laundering stolen cryptocurrency from a 2018 cyberattack against a cryptocurrency exchange.

Grand Jury Indictment

Court documents released via Twitter by Seamus Hughes of the Program on Extremism reveal that the United States District Court for the District of Columbia issued an indictment against the two individuals over a massive cryptocurrency theft from an unnamed exchange. The grand jury for the case was sworn in on May 7, 2019.

Tian and Li, who also go by the Game of Thrones-inspired online aliases Snowsjohn and Khaleesi respectively, have been charged with stealing nearly $250 million worth of virtual assets between July 2018 and April 2019.

According to the court documents, Tian and Li both held accounts at two different unnamed cryptocurrency exchanges. The pair violated legal requirements set out by the Financial Crimes Enforcement Network (FinCEN) by converting virtual currency into fiat currency in exchange for fees; the pair effectively operated as an unlicensed money transmitting business.

Before the hack occurred, Tian and Li transferred over $100 million worth of Bitcoin between each other’s US and Chinese accounts, engaging in a form of cryptocurrency laundering known as a “peel chain.” Other forms of laundering mainly consisted of converting Bitcoin to USD, Chinese Yuan, and iTunes gift cards.
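The “peel chain” pattern described here, and in OFAC’s summary in the earlier article above (a small portion siphoned off at each transfer while the remainder moves on to a fresh address), can be turned into a simple tracing heuristic. The following is an added example, not code from this page, from OFAC or from the Treasury: it walks a constructed set of simplified transactions forward from a starting address and stops as soon as a hop no longer looks like a peel. The Tx record, the 10% peel threshold and the three-hop minimum are assumptions for illustration; real chain analysis works on UTXOs with fees, change detection and address clustering, which this toy omits.

```python
"""Toy peel-chain tracer over constructed transaction records (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One simplified transaction: a single spending address and its outputs.

    Amounts are integer satoshis. Fees are ignored for the illustration, so the
    outputs are treated as the full value spent (an assumption of this toy).
    """
    txid: str
    spender: str
    outputs: tuple  # ((address, satoshis), ...)


def follow_peel_chain(txs, start_addr, max_peel_fraction=0.10, min_hops=3):
    """Walk forward from start_addr while each hop looks like a peel.

    A hop qualifies when the spending transaction has exactly two outputs and
    the smaller one is at most max_peel_fraction of the total; the larger
    output is the 'change' that carries the bulk to the next address.
    Returns a summary dict with the hops taken and the peeled outputs.
    """
    by_spender = {}
    for tx in txs:
        by_spender.setdefault(tx.spender, []).append(tx)

    hops, peels, visited = [], [], set()
    addr = start_addr
    while addr in by_spender and addr not in visited:
        visited.add(addr)  # guard against cycles in the constructed graph
        two_out = [t for t in by_spender[addr] if len(t.outputs) == 2]
        if not two_out:
            break  # no two-output spend from here: not a peel hop
        tx = two_out[0]
        (a1, v1), (a2, v2) = tx.outputs
        big, small = ((a1, v1), (a2, v2)) if v1 >= v2 else ((a2, v2), (a1, v1))
        if small[1] > max_peel_fraction * (v1 + v2):
            break  # a roughly even split is not a peel; the chain ends here
        hops.append(tx.txid)
        peels.append(small)
        addr = big[0]  # follow the bulk of the value onward

    return {
        "hops": hops,
        "peels": peels,
        "peeled_total": sum(v for _, v in peels),
        "terminal_address": addr,
        "is_peel_chain": len(hops) >= min_hops,
    }


# Constructed sample data: these are not real transaction ids or addresses.
# A -> B -> C -> D each peel off roughly 5%; D then splits evenly, ending the chain.
SAMPLE_TXS = [
    Tx("tx1", "A", (("B", 9_500_000_000), ("peel1", 500_000_000))),
    Tx("tx2", "B", (("C", 9_050_000_000), ("peel2", 450_000_000))),
    Tx("tx3", "C", (("D", 8_600_000_000), ("peel3", 450_000_000))),
    Tx("tx4", "D", (("E", 4_000_000_000), ("F", 4_600_000_000))),
    Tx("tx9", "X", (("Y", 100_000_000),)),  # unrelated single-output spend
]

if __name__ == "__main__":
    print(follow_peel_chain(SAMPLE_TXS, "A"))
```

On the sample data the tracer follows tx1, tx2 and tx3, stops at address D where the value is split roughly in half, and reports 14 BTC (1,400,000,000 satoshis) peeled across three hops; starting from the unrelated address X yields no hops. In practice the peeled outputs are the ones worth checking against known exchange deposit addresses, since that is where a launderer cashes out each slice.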

Tian and Li Linked to Lazarus Group

As announced by the US Treasury on March 2, Tian and Li have been identified for their connection to the North Korean state-sponsored cyber-crime syndicate known as the Lazarus group.

The Democratic People’s Republic of Korea (DPRK) has reportedly been training cybercriminals to target and launder stolen funds from financial institutions, with a series of attacks leading to a subsequent UN investigation last year.

On Sep. 13, 2019, the US Treasury identified the Lazarus Group, along with Bluenoroff and Andariel, as North Korean hacking entities based on their relationship to the DPRK’s primary intelligence agency, the Reconnaissance General Bureau (RGB).

The court documents do not name either of the hacked exchanges; however, last November the South Korean exchange Upbit was the subject of an attack in which a total of 342,000 ETH, worth $50 million at the time, was stolen from the Upbit Ethereum hot wallet.


US Intelligence Reveals Extent of North Korea’s “Hidden Cobra” Crypto-Dependent Cyber Crimes

In an effort to combat North Korea’s rampant crypto-dependent and money-generating cyber crime campaign, the United States government published a list outlining the sanctioned state’s attacks dating back to 2017, as well as guidance on countermeasures.

The new warning, released on April 15 by the US Treasury, Homeland Security, and the FBI, stated that it was imperative to stop North Korea’s illicit cyber activities and the resulting money stream in order to obstruct the authoritarian regime’s plan to develop weapons of mass destruction.

Per the release, “The DPRK’s malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system. Under the pressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs.”

The countermeasures guidance includes the implementation of a tough anti-money-laundering framework for digital currencies and the expulsion of North Korean IT workers, as well as stern advice to follow best cyber practices, and communicate with law enforcement.

Hidden Cobra

The US government refers to the North Korean cyber crime campaign by the code name “Hidden Cobra” and believes the campaign began as far back as May 2017 with the WannaCry ransomware attacks, which infiltrated hundreds of thousands of computers and held data hostage until a ransom in Bitcoin was paid. These attacks have been attributed to the DPRK by governments around the world, not only the United States.

The US agencies cite evidence that Hidden Cobra’s attackers have grown more sophisticated and diverse in their cyber campaigns with the majority of their plots highly dependent on stealing digital currency.

As stated by the US agencies, “The DPRK also uses cyber capabilities to steal from financial institutions and has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent” with the expectations of international cyber conduct.

North Korea has rebutted the allegations of stealing almost $2 billion in fiat and crypto, calling the accusations “a sort of a nasty game.”

The Case of Virgil Griffith

US officials have adopted a zero-tolerance policy towards anyone even appearing to assist the North Korean crypto operations.

Virgil Griffith, the Ethereum research scientist, was arrested in Los Angeles last December and charged with allegedly aiding in the circumvention of US sanctions placed on the Democratic People’s Republic of Korea.

According to the official complaint, Griffith had explicitly asked and been denied permission to travel to North Korea in order to give the presentation on blockchain technology. Specifically, the charges cited that Griffith had been aiding the development of a crypto exchange between North Korea and South Korea and was fully aware this would violate US and UN sanctions against the DPRK.


Cybersecurity Firm Kaspersky Warns of New Ransomware Devised by Notorious North Korean Ransomware Group

Multinational cybersecurity provider Kaspersky has announced that the notorious North Korean crypto criminal group Lazarus is planning on releasing a new ransomware strain.

Kaspersky Investigates

The new threat, dubbed VHD, is designed to target the internal networks of companies in the economic sector. As to why the ransomware group has often resorted to running solo operations, Kaspersky researchers presented their hypothesis:

“We can only speculate about the reason why they are now running solo ops: maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties.”

Phishing For Crypto And Sensitive Data

The infamous North Korean ransomware group Lazarus has been reported to have multiple tricks up its sleeve. In fact, according to cybersecurity firm Cyfirma, Lazarus is preparing a huge phishing campaign that is meant to target at least 6 nations and over 5 million businesses and individual investors.

The report on the scheme was released in June. For the time being, there are no signs of the phishing campaign unfolding, as the North Korean ransomware group does not appear to have deployed it yet.

However, as the hacking group has kept its digital heists going in 2020, Cyfirma thought it best to warn major companies so they can prepare.

Lazarus’ Notoriety Precedes Them

In the past, the North Korean ransomware group operating under the name “Lazarus” has made quite an impression on cybersecurity firms, having accumulated over $571 million in stolen cryptocurrencies since 2017. The Lazarus group is notorious for hitting cryptocurrency exchanges and has kept up its practice of ransoming victims for cryptocurrencies amid the coronavirus pandemic.

2019 Digital Heist

Last year, as reported by Chainalysis, Lazarus pulled off a digital heist that amounted to $7 million in various cryptocurrencies.

The ransomware group hit DragonEx, a Singapore-based cryptocurrency exchange. To pull off the attack, Lazarus created a fake trading bot website that was offered to employees of the DragonEx exchange.

The North Korean criminal organization used a sophisticated phishing attack, in which a real website and its associated social media accounts were linked to a fake company called “WFC Proof.” The non-existent company was said to have created Worldbit-bot, a trading robot, which was then offered to DragonEx employees.

Finally, the malicious software was installed on a computer that contained the private key of the DragonEx hot wallet, which enabled the North Korean-based group to steal cryptocurrencies from the Singapore exchange.

Lazarus Group: Anonymous or Not?

Lazarus’ malicious cyberattacks date all the way back to 2017. Though the security community has not managed to completely arrest and stop the hacking group, identities associated with the North Korean hacking ring have been uncovered.

Earlier this year, two Chinese citizens by the names of Tian YinYin and Li Jiadong were identified by the US Treasury for their connection with the Lazarus group. They were sanctioned in March by US authorities for their alleged involvement in laundering stolen cryptocurrencies from a 2018 cyberattack against a cryptocurrency exchange.

While blockchain, the underlying technology of cryptocurrencies, is still promoted as cryptographically secure, the exchanges that hold cryptocurrencies remain prone to cyberattacks, just as traditional markets are not immune to heists and money laundering schemes.

Korea: Training Military or Cybercriminals?

Preventing financial theft has been an ongoing issue for a very long time.

With a series of money-related attacks leading to a subsequent UN investigation last year, an ongoing hypothesis circulating among law enforcement is that the Democratic People’s Republic of Korea (DPRK) may be heavily involved in coordinating cyberattacks, as it has reportedly been training cybercriminals to target and launder stolen funds from financial institutions.
