The Lazarus Group has intensified its attacks on the cryptocurrency industry, unveiling new malware strains that now target video conferencing applications and browser extensions, according to a recent report from cybersecurity firm Group-IB.
In September 2024, the North Korean hacker collective shifted its focus to these platforms, utilizing increasingly sophisticated malware in its campaigns. One such campaign, previously known as the “Contagious Interview,” lured job seekers into downloading malware disguised as job-related tasks. Now, the group has expanded its tactics, including the release of a fake video conferencing app called “FCCCall.” This malicious software installs the BeaverTail malware, which is engineered to steal credentials from browsers and extract data from cryptocurrency wallets via browser extensions. Additionally, it deploys a Python-based backdoor known as “InvisibleFerret,” further compromising the victim’s system.
The #Lazarus Group shows no signs of easing with their campaign targeting #jobseekers extending to the present day. Group-IB researchers found new updates to their tools and tactics – a new suite of Python scripts – #CivetQ, a #Windows and #Python version of #BeaverTail pic.twitter.com/IKqU7Mk2dm
— Group-IB Threat Intelligence (@GroupIB_TI) September 4, 2024
This latest development highlights the group’s growing interest in attacking crypto wallet browser extensions, particularly those used by MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3. Group-IB analysts also noted that the hackers have begun targeting a wider range of applications, using malicious JavaScript to trick users into downloading software under the guise of reviews or analysis tasks.
As part of its evolving toolkit, the Lazarus Group has introduced a new suite of Python scripts called “CivetQ.” These scripts signal a tactical shift towards targeting blockchain professionals through job search platforms like WWR, Moonlight, and Upwork. After establishing initial contact, the hackers typically move the conversation to Telegram, where they deceive victims into downloading a fake video conferencing app or a Node.js project, claiming it’s for a technical job interview.
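The two lures described above share one delivery step: the target is asked to open and run a Node.js project (or install a fake conferencing app) that goes on to read browser credential stores and wallet-extension data. A defender reviewing such a project before running it would want to know which scripts execute automatically on `npm install` and which source files carry common obfuscation or browser-profile indicators. The script below is an added example, not code from the article or from Group-IB's report; the lifecycle-hook list and the indicator patterns are assumed heuristics rather than indicators published for BeaverTail or CivetQ, and the sample project it audits is constructed inline for the demonstration.

```python
"""Pre-install audit of a Node.js project received from an unknown contact.

Added illustration: flags npm lifecycle scripts (which run automatically
during install) and JavaScript files containing heuristic indicators.
The indicator set is an assumption for this example, not published IoCs.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm executes these hooks during `npm install`; read them before installing.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristic indicators (assumed patterns chosen for this example).
INDICATORS = {
    "dynamic_eval": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\("),
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    # Chromium profile and extension storage directory names.
    "browser_profile_path": re.compile(r"(User Data|Login Data|Local Extension Settings)"),
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)"),
}


def audit_package_json(path: Path) -> list[str]:
    """Return one finding per lifecycle hook defined in package.json."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError) as exc:
        return [f"package.json unreadable: {exc}"]
    return [
        f"lifecycle script '{hook}' runs on install: {cmd}"
        for hook, cmd in data.get("scripts", {}).items()
        if hook in LIFECYCLE_HOOKS
    ]


def audit_js_file(path: Path) -> list[str]:
    """Return the names of every indicator pattern that matches the file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [f"{path.name}: {name}" for name, pat in INDICATORS.items() if pat.search(text)]


def audit_project(root: Path) -> dict[str, list[str]]:
    """Audit package.json and all first-party .js files (node_modules skipped)."""
    report: dict[str, list[str]] = {}
    pkg = root / "package.json"
    if pkg.exists():
        if findings := audit_package_json(pkg):
            report["package.json"] = findings
    for js in sorted(root.rglob("*.js")):
        if "node_modules" in js.parts:
            continue
        if findings := audit_js_file(js):
            report[str(js.relative_to(root))] = findings
    return report


def build_sample_project(root: Path) -> None:
    """Write a constructed 'interview task' project; nothing here is executed."""
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task",
        "scripts": {"test": "node index.js", "postinstall": "node setup.js"},
    }), encoding="utf-8")
    (root / "index.js").write_text('console.log("task");\n', encoding="utf-8")
    # Constructed text that only contains the marker strings the audit looks for.
    (root / "setup.js").write_text(
        'const { execSync } = require("child_process");\n'
        'const profileDir = "User Data";\n'
        'eval(Buffer.from("Y29uc29sZS5sb2coImhpIik=", "base64").toString());\n',
        encoding="utf-8",
    )


def run_demo() -> dict[str, list[str]]:
    """Build the constructed project in a temp dir and return its audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_project(root)
        return audit_project(root)


if __name__ == "__main__":
    for file, findings in run_demo().items():
        print(file)
        for line in findings:
            print("  -", line)
```

Run it against a real project by calling `audit_project(Path("/path/to/project"))` before `npm install`; a non-empty report is a reason to read the flagged files by hand, not a verdict on its own, and a clean report does not prove the project safe.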
#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools. CVE-2024-21338
Beyond BYOVD with an Admin-to-Kernel Zero-Day https://t.co/irFNz3Dntt pic.twitter.com/Hfco33UPBm
— blackorbird (@blackorbird) February 29, 2024
The Lazarus Group’s growing threat to the crypto sector is further compounded by its recent exploitation of Microsoft Windows vulnerabilities. The group has refined its methods so that its malware is harder to detect, hiding it more effectively within compromised systems. This escalation is part of a broader trend observed by the FBI, which recently warned of North Korean hackers targeting employees in the decentralized finance and cryptocurrency sectors through highly specialized social engineering campaigns. These sophisticated attacks are designed to infiltrate even the most secure systems, posing a significant ongoing risk to organizations with substantial cryptocurrency assets.
In a related incident, the Lazarus Group reportedly exploited a zero-day vulnerability in Microsoft Windows, tracked as CVE-2024-38193, with a CVSS score of 7.8. This privilege escalation flaw, discovered by researchers Luigino Camastra and Milánek, was found in the Windows Ancillary Function Driver (AFD.sys) for WinSock. The flaw allowed attackers to reach restricted parts of a system without being detected. Microsoft addressed this vulnerability in its September 2024 Patch Tuesday update.