North Korean hackers have for years been using different tactics to run cyber-enabled financial heists, most recently using front companies to compromise cryptocurrency-related businesses.
And although some of the fake companies and websites would not pass the smell test — the links on these weaponized websites don’t always work — the hackers known as Lazarus Group or APT38 have been getting increasingly careful in other areas, according to new Kaspersky Lab research.
Namely, the hacking outfit has been tweaking some of its malware, delivery mechanisms, and payloads in an attempt to decrease their chances of getting caught, according to Kaspersky.
In the last two years, multiple researchers have revealed some of Lazarus Group’s latest antics relying on front companies. The hackers have been using a fake company, “JMT Trading,” to install backdoors to funnel funds to Pyongyang, multiple researchers revealed in 2019, for example. The year prior, Kaspersky uncovered that these hackers were using another fake company, “Celas Trade Pro,” to target cryptocurrency exchanges. They have also used a fake website and company called “UnionCryptoTrader.”
In an attack last year, however, some of the malware used in these previously identified campaigns was tweaked for both macOS and Windows “considerably,” according to Kaspersky.
In some cases the group has developed its own macOS malware, with an authentication mechanism built in to deliver a secondary payload directly from memory. In the Windows version of the malware, Lazarus Group has updated its multi-stage infection process and changed the final payload it delivers, according to Kaspersky.
The Windows version was delivered to at least one victim last year using the fake website wfcwallet[.]com, which poses as a legitimate wallet for an obscure cryptocurrency.
Kaspersky has identified several victims in the U.K., Poland, Russia, and China. Kaspersky did not identify specific targets or clarify where the macOS and Windows malware was deployed.
Lazarus Group narrowing targets
North Korean hacking campaigns have traditionally focused on avoiding detection and tricking victims into unwittingly helping to fill the DPRK’s coffers, which have been hampered in recent years as a result of economic sanctions. But some of the campaigns Kaspersky details reveal that, beyond changing its tactics to evade detection, Lazarus Group has also become more selective in choosing victims.
In a campaign targeting Windows users, for instance, attackers have included a final payload that is designed to run only on certain systems that appear to be predesignated, according to Kaspersky.
“Upon launch, the malware retrieves the victim’s basic system information … If the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory,” Kaspersky researchers write. “The final payload … was designed to run only on certain systems.”
The apparent increased specificity in targeting could indicate Lazarus Group is using previously gleaned intelligence, possibly from other hacking campaigns, to maximize its current fundraising efforts.
“It seems the actor wants to execute the final payload very carefully, and wants to evade detection by behavior-based detection solutions,” the researchers write.
Kaspersky assesses with “high confidence” that Lazarus Group delivered this highly targeted malware using Telegram, because it was executed from a user’s Telegram messenger download folder.
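The Telegram detail above gives defenders one concrete, cheap signal: an executable launched from the messenger's download folder. The following Python snippet is an added example, not code from the article or from Kaspersky, that scans JSON-lines process-creation events (a constructed, Sysmon-like shape) and flags binaries started from a "Downloads/Telegram Desktop" folder on Windows or macOS. The folder name is assumed to be Telegram Desktop's default; the report does not state the exact path, so tune it to what your own telemetry shows. The sample events are constructed and include the Telegram client itself running from its install directory, which must not be flagged.

```python
import json
import re
from typing import Dict, List

# Telegram Desktop saves received files under <home>/Downloads/Telegram Desktop
# by default. Requiring the "Downloads" parent keeps the client's own install
# directory (e.g. %APPDATA%\Telegram Desktop\Telegram.exe) from matching.
# The path fragment is an assumption for this example, not a value from the report.
TELEGRAM_DOWNLOAD_DIR = re.compile(r"[\\/]Downloads[\\/]Telegram Desktop[\\/]", re.IGNORECASE)

# Executable types worth flagging on Windows; on macOS a binary inside an
# .app bundle lives under Contents/MacOS, so we look for that path element.
WINDOWS_EXEC_EXT = (".exe", ".scr", ".com", ".msi", ".dll")
MACOS_BUNDLE_EXEC = re.compile(r"\.app/Contents/MacOS/", re.IGNORECASE)


def is_executable_image(image: str) -> bool:
    """True if the process image path looks like a runnable binary on either platform."""
    return image.lower().endswith(WINDOWS_EXEC_EXT) or bool(MACOS_BUNDLE_EXEC.search(image))


def flag_telegram_launches(log_text: str) -> List[Dict]:
    """Scan JSON-lines process-creation events and return those whose image
    was executed from a Telegram Desktop download folder."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        image = event.get("image", "")
        if TELEGRAM_DOWNLOAD_DIR.search(image) and is_executable_image(image):
            hits.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "user": event.get("user"),
                "image": image,
                "parent": event.get("parent"),
                "reason": "executable launched from Telegram Desktop download folder",
            })
    return hits


# Constructed sample events (not real telemetry) in a Sysmon-like JSON shape.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2020-01-08T10:12:01Z", "host": "WS-17", "user": "alice",
     "image": r"C:\Users\alice\Downloads\Telegram Desktop\WalletSetup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2020-01-08T10:12:05Z", "host": "WS-17", "user": "alice",
     "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2020-01-08T11:03:44Z", "host": "MBP-04", "user": "bob",
     "image": "/Users/bob/Downloads/Telegram Desktop/Wallet.app/Contents/MacOS/Wallet",
     "parent": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    {"ts": "2020-01-08T11:10:00Z", "host": "WS-22", "user": "carol",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
])

if __name__ == "__main__":
    for hit in flag_telegram_launches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']}/{hit['user']}: {hit['image']} ({hit['reason']})")
```

Run against the constructed sample, the scan flags the Windows installer and the macOS app bundle but not the Telegram client itself or Firefox. In production this belongs in an EDR or SIEM rule rather than a script; the point is that the download directory of a messenger is a useful launch-location condition, and that the parent process and any subsequent outbound connection from the flagged image are what an analyst should pivot to next.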
The goal of the campaign, aside from the obvious financial motivation, is not entirely clear, according to Kaspersky.
“[Kaspersky] can’t get hold of the final payload … but we believe its backdoor-type malware is ultimately used to control the infected victim.”