Cryptocurrency stealing pushed to the next level

Jan 9, 2020 10:15 GMT  ·  By

North Korean hacking group Lazarus has turned to new tactics to compromise its targets, according to a recent analysis by Kaspersky, including malware distributed through Telegram.

The Lazarus group, known for attacks aimed at stealing cryptocurrency, is trying to infect Windows machines by delivering malicious payloads to victims through Telegram.

In most of the cases, the Telegram channels are advertised on fake cryptocurrency-themed websites, which themselves are built from a free web template. These websites, which promote fake companies in the crypto business, direct users to Telegram, where they are served the infected file.

The attackers use a Windows version of UnionCryptoTrader whose payload executes in memory, so it leaves few traces on disk beyond the executable file itself, which is stored in the Telegram folder after download.
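A quick triage check suggested by that delivery path, added here as an example and not taken from Kaspersky's analysis or the original article: list the files in the Telegram Desktop download folder on a Windows host and flag any that begin with the PE "MZ" header regardless of their extension, with SHA-256 hashes for lookup against published indicators. The folder path used is Telegram Desktop's default download location and is an assumption; change it if the client is configured differently.

```powershell
# Added example: hunt for executables dropped via Telegram Desktop.
# Assumption: Telegram Desktop's default download location; edit $TelegramDir if needed.
$TelegramDir = Join-Path $env:USERPROFILE 'Downloads\Telegram Desktop'

function Test-PeHeader {
    param([string]$Path)
    # Read the first two bytes and compare them with the DOS "MZ" magic (0x4D 0x5A).
    # Checking the header rather than the extension catches renamed executables.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally {
            $fs.Dispose()
        }
    } catch {
        return $false
    }
}

if (-not (Test-Path $TelegramDir)) {
    Write-Warning "Telegram download folder not found: $TelegramDir"
    return
}

Get-ChildItem -Path $TelegramDir -File -Recurse | ForEach-Object {
    $isPe = Test-PeHeader $_.FullName
    [pscustomobject]@{
        Name        = $_.Name
        Extension   = $_.Extension
        IsPE        = $isPe
        # A PE file hiding behind a non-executable extension is more suspicious than a plain .exe.
        DisguisedPE = $isPe -and ($_.Extension -notin '.exe', '.dll', '.scr', '.sys')
        SizeKB      = [math]::Round($_.Length / 1KB, 1)
        LastWrite   = $_.LastWriteTime
        SHA256      = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    }
} | Where-Object { $_.IsPE } | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

The hashes it prints can be compared with the indicators Kaspersky published for this campaign; the script deliberately hardcodes none, since the article lists none. Because the payload runs in memory, the downloaded file may be the only artifact left on disk, which is why the check starts there rather than with a filesystem-wide scan.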

Stealing cryptocurrency from compromised systems

Once it compromises a target, the malware opens the door for additional payloads, including one that operates inside an Internet Explorer process and is used to "carry out attacker's commands," Kaspersky explains.

According to the security company, the updated method involving Telegram has already claimed victims in the United Kingdom, Poland, Russia, and China, some of them linked to cryptocurrency businesses.

One of the Telegram channels found as part of the investigation was still active, Kaspersky said, but activities appeared to be suspended.

“This Telegram address was still alive when we investigated, but there were no more activities at that time. According to the chat log, the group was created on December 17, 2018 and some accounts had already been deleted,” the firm said.

Kaspersky expects the Lazarus group to keep modifying its macOS and Windows malware with more sophisticated methods, while most of its attacks remain focused on the cryptocurrency business.

“We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon,” Kaspersky says.