The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: lazarus group

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

September 27, 2022Ravie Lakshmanan
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which  delved  into a similar phony job posting for the Coinbase cryptocurrency exchange platform. Both these fake job advertisements are just the latest in a series of attacks dubbed  Operation In(ter)ception , which, in turn, is a constituent of a broader campaign tracked under the name  Operation Dream Job . Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site Linke
North Korean Lazarus Hackers Targeting Energy Providers Around the World

North Korean Lazarus Hackers Targeting Energy Providers Around the World

September 08, 2022Ravie Lakshmanan
A malicious campaign mounted by the North Korea-linked Lazarus Group  targeted energy providers around the world, including those based in the United States, Canada, and Japan, between February and July 2022. "The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state," Cisco Talos  said  in a report shared with The Hacker News. Some elements of the espionage attacks have already entered public domain, courtesy of prior reports from Broadcom-owned  Symantec  and  AhnLab  earlier this April and May. Symantec attributed the operation to a group referred to as Stonefly, a Lazarus subgroup which is better known as Andariel, Guardian of Peace, OperationTroy, and Silent Chollima. While these attacks previously led to the instrumentation of Preft (aka Dtrack) and NukeSped (aka Manuscrypt) implants, the latest attack wave is notable for employing two other pieces of mal
North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

August 17, 2022Ravie Lakshmanan
The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed " Operation In(ter)ception " that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents. The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022. "Malware is compiled for both Intel and Apple Silicon," the company  said  in a series of tweets. "It drops three files: a decoy PDF document ' Coinbase_online_careers_2022_07.pdf ', a bundle  'FinderFontsUpdater.app ,' and a downloa
North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto

North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto

April 01, 2022Ravie Lakshmanan
The North Korean state-backed hacking crew, otherwise known as the  Lazarus Group , has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance (DeFi) wallet app to distribute a fully-featured backdoor onto compromised Windows systems. The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed to trigger the launch of the implant that can take control of the infected host. Russian cybersecurity firm Kaspersky  said  it first encountered the rogue application in mid-December 2021. The infection scheme initiated by the app also results in the deployment of the installer for a legitimate application, which gets overwritten with a trojanized version in an effort to cover its tracks. That said, the initial access avenue is unclear, although it's suspected to be a case of social engineering. The spawned malware, which masquerades as Google's Chrome web browser, subsequently
Latest Report Uncovers Supply Chain Attacks by North Korean Hackers

Latest Report Uncovers Supply Chain Attacks by North Korean Hackers

October 27, 2021Ravie Lakshmanan
Lazarus Group, the advanced persistent threat (APT) group attributed to the North Korean government, has been observed waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and target a wide range of downstream entities. The latest intelligence-gathering operation involved the use of MATA malware framework as well as backdoors dubbed  BLINDINGCAN  and  COPPERHEDGE  to attack the defense industry, an IT asset monitoring solution vendor based in Latvia, and a think tank located in South Korea, according to a new  Q3 2021 APT Trends report  published by Kaspersky. In one instance, the supply-chain attack originated from an infection chain that stemmed from legitimate South Korean security software running a malicious payload, leading to the deployment of the BLINDINGCAN and COPPERHEDGE malware on the think tank's network in June 2021. The other attack on the Latvian company in May is an "atypical victim" for Lazarus, the
North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

February 26, 2021Ravie Lakshmanan
A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry. Attributing the attacks with high confidence to the  Lazarus Group , the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated crimes to fund the cash-strapped regime.  This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle , researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up. At a high level, the campaign takes advantage of a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices. ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a
Trojanized Security Software Hits South Korea Users in Supply-Chain Attack

Trojanized Security Software Hits South Korea Users in Supply-Chain Attack

November 16, 2020Ravie Lakshmanan
Cybersecurity researchers took the wraps off a novel supply chain attack in South Korea that abuses legitimate security software and stolen digital certificates to distribute remote administration tools (RATs) on target systems. Attributing the operation to the Lazarus Group, also known as Hidden Cobra , Slovak internet security company ESET said the state-sponsored threat actor leveraged the mandatory requirement that internet users in the country must install additional security software in order to avail Internet banking and essential government services. The attack, while limited in scope, exploits WIZVERA VeraPort, which is billed as a "program designed to integrate and manage internet banking-related installation programs," such as digital certificates issued by the banks to individuals and businesses to secure all transactions and process payments. The development is the latest in a long history of espionage attacks against victims in South Korea, including Opera
Hackers Target Defense Contractors' Employees By Posing as Recruiters

Hackers Target Defense Contractors' Employees By Posing as Recruiters

August 21, 2020Mohit Kumar
The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a new report warning companies about a new in-the-wild malware that North Korean hackers are reportedly using to spy on key employees at government contracting companies. Dubbed ' BLINDINGCAN ,' the advanced remote access trojan acts as a backdoor when installed on compromised computers. According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group , also known as Hidden Cobra , are spreading BLINDINGCAN to "gather intelligence surrounding key military and energy technologies." To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings. However, such employment scams and social engineering strategies are not new and were recently spotted being used in
U.S. Offers Rewards up to $5 Million for Information on North Korean Hackers

U.S. Offers Rewards up to $5 Million for Information on North Korean Hackers

April 16, 2020Mohit Kumar
The United States agencies today released a joint advisory warning the world about the 'significant cyber threat' posed by North Korean state-sponsored hackers to the global banking and financial institutions. Besides a summary of recent cyberattacks attributed to North Korean hackers, the advisory—issued by U.S. Departments of State, the Treasury, and Homeland Security, and the FBI—also contains a comprehensive guide intends to help the international community, industries, and other governments defend against North Korea's illicit activities. "In particular, the United States is deeply concerned about North Korea's malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure," the advisory says . "The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of d
2 Chinese Charged with Laundering $100 Million for North Korean Hackers

2 Chinese Charged with Laundering $100 Million for North Korean Hackers

March 03, 2020Ravie Lakshmanan
Two Chinese nationals have been charged by the US Department of Justice (DoJ) and sanctioned by the US Treasury for allegedly laundering $100 million worth of virtual currency using prepaid Apple iTunes gift cards. According to a newly unsealed court document , the illicit funds originated from a $250 million haul stolen from two different unnamed cryptocurrency exchanges that were perpetrated by Lazarus Group , a cybercrime group with ties with the North Korean government. The two individuals in question — Tian Yinyin (田寅寅)  and Li Jiadong (李家东) — were both charged with operating an unlicensed money transmitting business and money laundering conspiracy. Prosecutors said the defendants worked on behalf of the threat actors based in North Korea to allegedly launder over a $100 million worth of stolen cryptocurrency to obscure transactions, adding the hacking of cryptocurrency exchanges posed a severe threat to the security of the global financial system. It's worth notin
Hackers Target Indian Nuclear Power Plant – Everything We Know So Far

Hackers Target Indian Nuclear Power Plant – Everything We Know So Far

October 31, 2019Mohit Kumar
A story has been making the rounds on the Internet since yesterday about a cyber attack on an Indian nuclear power plant. Due to some experts commentary on social media even after lack of information about the event and overreactions by many, the incident received factually incorrect coverage widely suggesting a piece of malware has compromised "mission-critical systems" at the Kudankulam Nuclear Power Plant . Relax! That's not what happened. The attack merely infected a system that was not connected to any critical controls in the nuclear facility. Here we have shared a timeline of the events with brief information on everything we know so far about the cyberattack at Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu. From where this news came? The story started when Indian security researcher Pukhraj Singh tweeted that he informed Indian authorities a few months ago about an information-stealing malware, dubbed Dtrack, which successfully hit "extre
Researchers Link 'Sharpshooter' Cyber Attacks to North Korean Hackers

Researchers Link 'Sharpshooter' Cyber Attacks to North Korean Hackers

March 04, 2019Mohit Kumar
Security researchers have finally, with "high confidence," linked a previously discovered global cyber espionage campaign targeting critical infrastructure around the world to a North Korean APT hacking group. Thanks to the new evidence collected by researchers after analyzing a command-and-control (C2) server involved in the espionage campaign and seized by law enforcement. Dubbed Operation Sharpshooter , the cyber espionage campaign targeting government, defense, nuclear, energy, and financial organizations around the world was initially uncovered in December 2018 by security researchers at McAfee. At that time, even after finding numerous technical links to the North Korean Lazarus hacking group , researchers were not able to immediately attribute the campaign due to a potential for false flags. Researchers Analysed Sharpshooter's Command Server Now, according to a press release shared with The Hacker News, a recent analysis of the seized code and command
FBI Mapping 'Joanap Malware' Victims to Disrupt the North Korean Botnet

FBI Mapping 'Joanap Malware' Victims to Disrupt the North Korean Botnet

January 31, 2019Swati Khandelwal
The United States Department of Justice (DoJ) announced Wednesday its effort to "map and further disrupt" a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade. Dubbed Joanap , the botnet is believed to be part of " Hidden Cobra "—an Advanced Persistent Threat (APT) actors' group often known as Lazarus Group and Guardians of Peace and backed by the North Korean government. Hidden Cobra is the same hacking group that has been allegedly associated with the WannaCry ransomware menace in 2016, the SWIFT Banking attack in 2016, as well as Sony Motion Pictures hack in 2014. Dates back to 2009, Joanap is a remote access tool (RAT) that lands on a victim's system with the help an SMB worm called Brambul , which crawls from one computer to another by brute-forcing Windows Server Message Block (SMB) file-sharing services using a list of common passwords. Once there, Brambul downloads Jo
Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals

Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals

December 20, 2017Mohit Kumar
The North Korean hacking group has turned greedy. Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to be originated from Lazarus Group , a state-sponsored hacking group linked to the North Korean government. Active since 2009, Lazarus Group has been attributed to many high profile attacks, including Sony Pictures Hack , $81 million heists from the Bangladesh Bank , and the latest — WannaCry . The United States has officially blamed North Korea for global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year. In separate news, security experts have blamed Lazarus group for stealing bitcoins worth millions from the South Korean exchange Youbit , forcing it to shut down and file for bankruptcy after losing 17% of its assets. Researchers from security firm Proofpoint have published a new report, revealing a connection between Lazarus Group and a
US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware

US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware

June 14, 2017Swati Khandelwal
The United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. The joint report from the FBI and U.S. Department of Homeland Security (DHS) provided details on " DeltaCharlie ," a malware variant used by " Hidden Cobra " hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network. According to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure. While the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace – the one allegedly linked to the devastating WannaCry ransomware menace that shut down hospitals and businesses worldwide. DeltaCharlie – DDoS Botnet M
Google Researcher Finds Link Between WannaCry Attacks and North Korea

Google Researcher Finds Link Between WannaCry Attacks and North Korea

May 16, 2017Swati Khandelwal
So far, nobody had an idea that who was behind WannaCry ransomware attacks? But now there is a clue that lies in the code. Neel Mehta, a security researcher at Google, found evidence that suggests the WannaCry ransomware, that infected 300,000 machines in 150 countries over the weekend, is linked to a state-sponsored hacking group in North Korea, known for cyber attacks against South Korean organizations. What's Happening? What is WannaCry? This is the fifth day since the WannaCry ransomware attack surfaced, that leverages a critical Windows SMB exploit and still infecting machines across the world using newly released variants that don't have any "kill switch" ability. In case, if you have landed on WannaCry story for the first time, and don't know what's going on, you are advised to also read this simple, summarized, but detailed explanation: WannaCry: What Has Happened So Far & How to protect your PCs WannaCry: First Nation-State Powered Ran
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.