Man
Professional
BlueNoroff goes after the $2.6 trillion global crypto economy.
North Korean hackers have launched a new campaign called "Hidden Risk", in which they compromise cryptocurrency companies using malware disguised as ordinary documents. According to SentinelLabs, the BlueNoroff group, a subgroup of the well-known Lazarus group, is behind the attack.
The hackers' goal is to siphon money out of the booming crypto industry, which has already reached $2.6 trillion. The attackers exploit weaknesses and the lack of regulation in this sector. The FBI recently warned that North Korean cybercriminals are increasingly targeting employees of decentralized finance (DeFi) and exchange-traded fund (ETF) companies with social engineering.
The new campaign continues these efforts, but the attackers are now focusing on crypto exchanges and financial platforms. Instead of building long-term relationships with victims over social networks, the hackers have switched to phishing emails. The emails pose as Bitcoin price news or DeFi updates and lure recipients into downloading fake PDF documents.
The attack begins when the victim runs a fake application that looks like a PDF file but actually contains malicious code. The application was signed with a genuine Apple developer account, which allowed it to get past macOS protections; Apple has since revoked the signature. Once launched, the malware downloads a decoy PDF and saves it on the computer to distract the user, then fetches the next stage of malicious code.
The main payload, called "growth", collects information about the infected device and sends it to the attackers' server. It then receives commands and executes them on the machine, giving the hackers full access. Persistence on the device relies on a hidden macOS setting that launches the malware automatically every time the system starts.
The hackers use a variety of domains that imitate real sites related to cryptocurrencies and investments, which helps deceive users. The domains were used to send phishing emails and to disguise malware as legitimate documents. The Hidden Risk campaign also used the domains kalpadvisory[.]com and delphidigital[.]org, names that have previously figured in the cryptocurrency industry.
SentinelLabs' research shows that the hackers build complex networks of domains and servers to hide their activity. They even use automated mailing services to get past security filters so their messages do not end up in spam.
Experts strongly recommend hardening their systems, especially for macOS users, since even applications carrying a valid signature can be malicious.
Source
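The post describes a first stage that is an application dressed up as a PDF, signed with a real developer account that Apple later revoked. A practical check before opening such an attachment is to ask whether it is a single file starting with the PDF magic bytes or an app bundle, and, on macOS, whether its signature still verifies (a revoked certificate no longer passes). The script below is an added example, not code from the article or from SentinelLabs; the file names (report.pdf, Bitcoin_Price_Update.pdf.app, notes.pdf) are constructed test inputs and are not real campaign artefacts.

```shell
#!/bin/sh
# Added example (not from the article or from SentinelLabs): pre-open triage for a
# "PDF" received by e-mail. A genuine PDF is a single file whose first bytes are
# "%PDF-"; a macOS app bundle disguised as a document is a directory (for example
# Something.pdf.app) containing Contents/MacOS. On macOS, where codesign and spctl
# exist, the signing status is also reported: a certificate that Apple has revoked
# no longer passes verification, so a file that was once "signed" is rejected.

# triage_pdf PATH -> pdf | app-bundle | directory | not-pdf | missing
triage_pdf() {
  if [ -d "$1" ]; then
    if [ -d "$1/Contents/MacOS" ]; then
      echo "app-bundle"          # an application pretending to be a document
    else
      echo "directory"
    fi
    return 0
  fi
  if [ ! -f "$1" ]; then
    echo "missing"
    return 0
  fi
  # Compare the first five bytes with the PDF magic; a Mach-O or script renamed
  # to .pdf fails this check regardless of its icon or extension.
  if [ "$(head -c 5 "$1")" = "%PDF-" ]; then
    echo "pdf"
  else
    echo "not-pdf"
  fi
}

# sign_status PATH -> accepted | rejected | no-tools
# Only meaningful on macOS; elsewhere the tools are absent and "no-tools" is returned.
sign_status() {
  if command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
    if codesign --verify --deep --strict "$1" >/dev/null 2>&1 \
       && spctl --assess --type execute "$1" >/dev/null 2>&1; then
      echo "accepted"
    else
      echo "rejected"            # unsigned, tampered, or signed with a revoked certificate
    fi
  else
    echo "no-tools"
  fi
}

# make_samples -> prints a temp directory holding constructed test inputs:
# a minimal real PDF, a fake app bundle with a document-like name, and a
# non-PDF file renamed to .pdf. None of these are real campaign artefacts.
make_samples() {
  dir=$(mktemp -d)
  printf '%%PDF-1.7\n%% constructed sample, not a real document\n' > "$dir/report.pdf"
  mkdir -p "$dir/Bitcoin_Price_Update.pdf.app/Contents/MacOS"
  : > "$dir/Bitcoin_Price_Update.pdf.app/Contents/MacOS/Bitcoin_Price_Update"
  printf '\317\372\355\376 constructed non-PDF payload\n' > "$dir/notes.pdf"
  echo "$dir"
}

# Usage: sh triage_pdf.sh file-or-bundle ...
for target in "$@"; do
  echo "$target: $(triage_pdf "$target"), signature: $(sign_status "$target")"
done
```

On a Mac, run it against the downloaded item itself (the bundle directory, not a file inside it); anything reported as app-bundle or not-pdf should not be opened, and a signed bundle that comes back rejected is exactly the revoked-certificate case the article describes.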