Kaspersky Lab Warns North Korean Hacking Group Lazarus Is Still Active

By Nathan Graham, Writer, ETHNews.com

The group has evolved in its infiltration and anti-detection methods.

On March 26, cybersecurity watchdogs from Kaspersky Lab issued a warning that the well-known hacking group known as Lazarus, which is allegedly sponsored by the North Korean government, is alive and well and still targeting the cryptocurrency industry.

According to the folks at Kaspersky Lab, the hacking group began a new operation in November 2018, using new methods to infiltrate the computer systems of businesses in the financial sector and gain access to sensitive data. Research done by Kaspersky Lab shows the hackers customized PowerShell scripts that "communicate with malicious C2 servers and execute commands from the operator."

The scripts, dubbed "macro-weaponized document[s]," look like WordPress files and other open-source projects. Once the malware has control over a company's servers, it can "set sleep time (delay between C2 interactions), exit malware, collect basic host information, check malware status, show current malware configuration, update malware configuration, execute system shell command, [and] download [and] upload files."

These weaponized documents are specifically designed to catch the attention of cryptocurrency professionals. Kaspersky Lab believes that the hacking group is explicitly targeting Korean crypto exchanges based on the fact that the malware is delivered using a malicious "Korean Hangul Word Processor format" (HWP), which takes advantage of a known weakness in the PostScript software and is popular only among Korean users. That one of the weaponized documents was sent to a crypto exchange based in Korea is also telling.

The Lazarus group uses several methods to infect exchanges' servers. According to Kaspersky Lab, research shows that the group is most likely "running an old vulnerable instance of Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003." The group is also suspected of purchasing servers from a hosting company that it uses to "host macOS and Windows payloads." The cybersecurity watchdog believes the group only puts malware on rented servers and uses servers that are already infected to run C2 scripts. These servers have been found from China to the European Union.

The research done by Kaspersky Lab further shows that the group has adopted better methods to avoid detection. Lazarus is separately developing malware for "32-bit and 64-bit Windows" so it has more choices concerning the platform it wishes to infiltrate and the type of compiled code it wishes to use. Kaspersky Lab concludes that the same developers are using these methods to infect Apple products, which is why the group built the macOS malware.

The report ends with a warning to the larger crypto and tech industry:

"If you're part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It's best to check new software with an antivirus…[a]nd never 'Enable Content' (macro scripting) in Microsoft Office documents received from new or untrusted sources."
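As an added, illustrative example (not code from Kaspersky Lab or ETHNews), the Python routine below applies that advice on the defender's side: a mail gateway or file-drop scanner can hold any attachment that is an HWP file or that carries a VBA project, rather than relying on recipients to refuse "Enable Content". All inputs are constructed in the script; the labels and thresholds are assumptions, not part of the report.

```python
import io
import zipfile
from pathlib import PurePosixPath

# OLE compound-file header shared by HWP 5.x, legacy .doc/.xls and other binary Office formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed OOXML container (not real malware); macro-enabled files carry word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes standing in for a VBA project
    return buf.getvalue()

def classify_attachment(name: str, data: bytes) -> str:
    """Label one attachment: 'macro', 'hwp', 'legacy-ole' or 'clean'."""
    ext = PurePosixPath(name).suffix.lower()
    if ext == ".hwp":
        return "hwp"          # HWP is the delivery format the report describes: hold for review regardless of content
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"   # binary Office container; can embed VBA, so it needs deeper inspection (e.g. oletools)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                return "macro"  # a VBA project is present even when the extension claims a plain .docx
    if ext in MACRO_EXTENSIONS:
        return "macro"          # macro-enabled extension is enough to hold the file for review
    return "clean"

def triage(attachments: dict) -> dict:
    """Map each attachment name to its label so a gateway can hold everything that is not 'clean'."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}

if __name__ == "__main__":
    samples = {  # constructed inputs, not captured files
        "quarterly_report.docx": build_sample_docx(with_macro=False),
        "invoice.docx": build_sample_docx(with_macro=True),
        "exchange_listing.hwp": OLE_MAGIC + b"\x00" * 24,
        "old_notes.doc": OLE_MAGIC + b"\x00" * 24,
    }
    for name, label in triage(samples).items():
        print(f"{name}: {label}")
```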

The Lazarus group is suspected of perpetrating some of the biggest hacks ever seen in the cryptocurrency industry. The group allegedly committed the hack against Coincheck, in which approximately 500 million NEM tokens were stolen in January 2018. The group also allegedly infiltrated the Bithumb network and made off with $31.5 million worth of digital currency.

Nathan Graham

Nathan Graham lives in Sparks, Nevada, with his wife, Beth, and dog, Kyia. Nathan has a passion for new technology, grant writing, and short stories. He spends his time rafting the American River, playing video games, and writing.
