The Lazarus Group, a North Korean state-sponsored hacking group, intensified its attacks on the cryptocurrency sector in September 2024 with new malware strains aimed at browser extensions and video conferencing applications. According to a report by cybersecurity firm Group-IB, the group has widened its targeting to these platforms and is using increasingly sophisticated malware variants. The campaign delivers fake video conferencing apps that drop malware built to exfiltrate saved credentials from browsers and data from cryptocurrency wallet browser extensions. The wallet extensions targeted include MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3.
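One concrete detection that follows from the paragraph above: a stealer that harvests wallet extensions has to read the extension's on-disk storage, and when it does, the reading process is not the browser. The script below is an added example written for this article, not code from Group-IB or the original page. It applies that rule to constructed file-access telemetry in a made-up newline-delimited JSON format (the field names `time`, `image`, `pid`, `path` are assumptions, not any product's schema). MetaMask's Chrome Web Store ID is the well-known one; the other wallets' IDs are left for you to add from your own browser profiles.

```python
"""Flag non-browser processes that read crypto-wallet browser-extension storage.

Chromium-based browsers keep each extension's persistent state under
<profile>/Local Extension Settings/<extension id>/ (a LevelDB directory).
A stealer that harvests wallet extensions has to read those files, and when
it does, the reading process is not the browser. This script applies that
rule to file-access telemetry (one JSON object per line; a constructed,
EDR-style format, not a real product's schema).
"""
import json
import re
from pathlib import PureWindowsPath

# Chrome Web Store IDs of extensions worth alerting on. MetaMask's ID is the
# well-known one; add the others (Coinbase, BNB Chain Wallet, TON Wallet,
# Exodus Web3) from chrome://extensions on a machine that has them installed.
WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
}

# Processes that legitimately touch extension storage (extend for your estate).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_STORAGE_RE = re.compile(
    r"[\\/]Local Extension Settings[\\/]([a-p]{32})(?:[\\/]|$)", re.IGNORECASE
)


def extension_id(path: str):
    """Return the extension ID a path belongs to, or None if it is not extension storage."""
    m = EXT_STORAGE_RE.search(path)
    return m.group(1).lower() if m else None


def suspicious_access(event: dict):
    """Return a finding for a wallet-storage read by a non-browser process, else None."""
    ext_id = extension_id(event.get("path", ""))
    if ext_id not in WALLET_EXTENSIONS:
        return None
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if image in BROWSER_PROCESSES:
        return None
    return {
        "time": event.get("time"),
        "process": image,
        "pid": event.get("pid"),
        "wallet": WALLET_EXTENSIONS[ext_id],
        "path": event["path"],
    }


def scan(lines):
    """Run suspicious_access over newline-delimited JSON events; skip blank/malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = suspicious_access(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: a benign browser read, a Python stager reading
# MetaMask's LevelDB, a Node process reading it, and an unrelated file read.
SAMPLE_EVENTS = r"""
{"time": "2024-09-05T10:01:02Z", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "pid": 4120, "path": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\000005.ldb"}
{"time": "2024-09-05T10:03:44Z", "image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\python.exe", "pid": 7788, "path": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\000005.ldb"}
{"time": "2024-09-05T10:03:45Z", "image": "C:\\Program Files\\nodejs\\node.exe", "pid": 7801, "path": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\CURRENT"}
{"time": "2024-09-05T10:04:00Z", "image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\python.exe", "pid": 7788, "path": "C:\\Users\\dev\\Documents\\notes.txt"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f['time']} {f['process']} (pid {f['pid']}) read {f['wallet']} storage: {f['path']}")
```

Two of the four constructed events are flagged (the `python.exe` and `node.exe` reads); the browser's own read and the unrelated file are ignored. In production the allow-list of browser images should be keyed on signed image path, not bare file name, since a stager can be renamed `chrome.exe`.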

Group-IB analysts have also identified a new suite of Python scripts, tracked as "CivetQ", in the Lazarus Group's evolving toolkit. The scripts reflect a tactical shift toward blockchain professionals approached through job platforms such as We Work Remotely (WWR), Moonlight, and Upwork. The operators lure targets into downloading software under the pretext of a code review or analysis task, then move the conversation to Telegram to continue the exploitation. From there, victims are persuaded to download fake video conferencing apps or Node.js projects presented as material for a technical interview. The group has also added new techniques: establishing persistence on the host, stealing data from browser extensions such as authenticators and password managers, and using Telegram as an additional exfiltration channel.
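The "Node.js project for a technical interview" lure works because `npm install` runs lifecycle scripts before the candidate has read a line of code. The script below is an added example, written for this article rather than taken from Group-IB or the original page, showing the pre-flight audit a practitioner can run on such a project before installing or executing it. The heuristic patterns and the demo project it builds in a temporary directory are constructed for illustration; they are not indicators from the campaign described.

```python
"""Pre-flight audit of a Node.js project received as an 'interview task'.

Before running npm install or node on code a stranger sent you, look for the
two things a trojanised project needs: a way to run code without being read
(npm lifecycle scripts that execute during install) and a hidden payload
(encoded blobs, eval/Function over decoded data, child_process, outbound
callbacks). The patterns below are heuristics chosen for this example; tune
them to your own review process.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`; any command here executes
# before you have opened a single source file.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

SOURCE_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)|\batob\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "long_encoded_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def audit_package_json(text: str):
    """Return (hook, command) pairs for lifecycle scripts declared in package.json."""
    scripts = json.loads(text).get("scripts", {}) or {}
    return [(hook, cmd) for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS]


def audit_source(name: str, text: str):
    """Return (file, pattern, line_no) for every heuristic hit in one source file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in SOURCE_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, label, line_no))
    return hits


def audit_project(root: Path):
    """Walk a project directory (ignoring node_modules) and collect all findings."""
    findings = {"lifecycle_scripts": [], "source_hits": []}
    for path in root.rglob("*"):
        if "node_modules" in path.parts or not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name == "package.json":
            findings["lifecycle_scripts"] += [
                (rel, hook, cmd) for hook, cmd in audit_package_json(path.read_text())
            ]
        elif path.suffix in {".js", ".cjs", ".mjs", ".ts"}:
            findings["source_hits"] += audit_source(rel, path.read_text())
    return findings


# Constructed demo project: a harmless-looking package.json with a postinstall
# hook, and a helper that decodes a blob and evals it. Not a real sample.
DEMO_PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node lib/setup.js"},
})
DEMO_SETUP_JS = (
    "const cp = require('child_process');\n"
    "const blob = '" + "QUJD" * 60 + "';\n"
    "eval(Buffer.from(blob, 'base64').toString());\n"
)
DEMO_INDEX_JS = "module.exports = (a, b) => a + b;\n"


def build_demo_project() -> Path:
    """Write the constructed demo project to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="interview-task-"))
    (root / "lib").mkdir()
    (root / "package.json").write_text(DEMO_PACKAGE_JSON)
    (root / "lib" / "setup.js").write_text(DEMO_SETUP_JS)
    (root / "index.js").write_text(DEMO_INDEX_JS)
    return root


if __name__ == "__main__":
    result = audit_project(build_demo_project())
    for rel, hook, cmd in result["lifecycle_scripts"]:
        print(f"{rel}: lifecycle hook '{hook}' runs: {cmd}")
    for rel, label, line_no in result["source_hits"]:
        print(f"{rel}:{line_no}: {label}")
```

On the demo project the audit reports the `postinstall` hook and four hits in `lib/setup.js`. A clean result does not prove the project is safe; the point is to run any such code only inside a disposable VM or container with no access to your browser profiles, wallets or SSH keys, and `npm install --ignore-scripts` is the right default for anything you did not write.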

The Lazarus Group’s growing threat to the crypto sector is underscored by its recent exploitation of Microsoft Windows vulnerabilities. The group has also improved its evasion, obfuscating its malicious code in newer and more elaborate ways to hinder detection. The Federal Bureau of Investigation (FBI) has warned that North Korean actors, including the Lazarus Group, are targeting employees of decentralized finance and cryptocurrency companies with highly tailored social engineering campaigns. These campaigns are crafted to compromise even organizations with robust security practices, and they remain an ongoing threat to any organization holding substantial crypto assets.

The Lazarus Group was also reported to have exploited a Windows zero-day, CVE-2024-38193 (CVSS score: 7.8), a privilege escalation bug in the Windows Ancillary Function Driver for WinSock (AFD.sys). The flaw is a use-after-free in the kernel driver: an attacker who already has code execution on the machine can use it to gain SYSTEM privileges and operate below the security boundaries that normally confine a standard user. Microsoft addressed the flaw in its August 2024 Patch Tuesday update. Because the bug is a local privilege escalation, it complements rather than replaces the social engineering described above: the lure provides initial access, and the exploit deepens it. The group’s use of increasingly sophisticated methods and of vulnerabilities in widely deployed software highlights the need for stronger security measures in the cryptocurrency sector.

In sum, the Lazarus Group’s attacks on the cryptocurrency market escalated in September 2024, with new malware strains aimed at browser extensions and video conferencing applications. The group now distributes fake video conferencing apps that deploy malware to steal browser credentials and cryptocurrency wallet data. By targeting popular wallet browser extensions and adopting techniques such as host persistence and browser-extension data theft, the Lazarus Group remains a significant threat to organizations in the cryptocurrency sector. Industry professionals should stay vigilant and keep their security controls current to defend against this activity.
