#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

lazarus group | Breaking Cybersecurity News | The Hacker News

Category — lazarus group
DoJ Indicts 14 North Koreans for $88M IT Worker Fraud Scheme Over Six Years

DoJ Indicts 14 North Koreans for $88M IT Worker Fraud Scheme Over Six Years

Dec 13, 2024 Cybercrime / Cryptocurrency
The U.S. Department of Justice (DoJ) has indicted 14 nationals belonging to the Democratic People's Republic of Korea (DPRK or North Korea) for their alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations. "The conspirators, who worked for DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People's Republic of China (PRC) and the Russian Federation (Russia), respectively, conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers," the DoJ said . The IT worker scheme generated at least $88 million for the North Korean regime over a span of six years, it's been alleged. In addition, the remote workers engaged in information the...
New RustyAttr Malware Targets macOS Through Extended Attribute Abuse

New RustyAttr Malware Targets macOS Through Extended Attribute Abuse

Nov 14, 2024 Cryptojacking / Threat Intelligence
Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr . The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including RustBucket .  Extended attributes refer to additional metadata associated with files and directories that can be extracted using a dedicated command called xattr . They are often used to store information that goes beyond the standard attributes, such as file size, timestamps, and permissions. The malicious applications discovered by Group-IB are built using Tauri , a cross-platform desktop application framework, and signed with a leaked certificate that has since been revoked by Apple. They include an extended attribute that's configured to fetch and run a shell script. The execution of...
Want to Grow Vulnerability Management into Exposure Management? Start Here!

Want to Grow Vulnerability Management into Exposure Management? Start Here!

Dec 05, 2024Attack Surface / Exposure Management
Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...
North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

Nov 07, 2024 Cryptocurrency / Malware
A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices . Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk , attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket , KANDYKORN , ObjCShellz , RustDoor (aka Thiefbucket ), and TodoSwift . The activity "uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file," researchers Raffaele Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News. "The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics." As revealed by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 advisory, the...
cyber security

Innovate Securely: Top Strategies to Harmonize AppSec and R&D Teams

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
New PondRAT Malware Hidden in Python Packages Targets Software Developers

New PondRAT Malware Hidden in Python Packages Targets Software Developers

Sep 23, 2024 Software Security / Supply Chain
Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign. PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in attacks related to the 3CX supply chain compromise last year. Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job , wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware. "The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah said , linking the activity with moderate confidence to a threat actor called Gleaming Pisces. The adversary is also tracked by the wid...
North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

Sep 18, 2024 Cyber Espionage / Malware
A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970 , which it said overlaps with a threat group known as TEMP.Hermit , which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc). The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB). The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. "UNC2970 targets victims under the guise o...
North Korean Hackers Targets Job Seekers with Fake FreeConference App

North Korean Hackers Targets Job Seekers with Fake FreeConference App

Sep 04, 2024 Cryptocurrency / Malware
North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview. The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware. Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima. The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers InvisibleFerret, a cross-platform Python backdoor that's equipped with remote control, keylogging, and browser stealing capabilities. Some iterations of BeaverTail, which also...
New macOS Malware TodoSwift Linked to North Korean Hacking Groups

New macOS Malware TodoSwift Linked to North Korean Hacking Groups

Aug 21, 2024 Malware / Cryptocurrency
Cybersecurity researchers have uncovered a new macOS malware strain dubbed TodoSwift that they say exhibits commonalities with known malicious software used by North Korean hacking groups. "This application shares several behaviors with malware we've seen that originated in North Korea (DPRK) — specifically the threat actor known as BlueNoroff — such as KANDYKORN and RustBucket ," Kandji security researcher Christopher Lopez said in an analysis. RustBucket, which first came to light in July 2023, refers to an AppleScript-based backdoor that's capable of fetching next-stage payloads from a command-and-control (C2) server. Late last year, Elastic Security Labs also uncovered another macOS malware tracked as KANDYKORN that was deployed in connection with a cyber attack targeting blockchain engineers of an unnamed cryptocurrency exchange platform. Delivered by means of a sophisticated multi-stage infection chain, KANDYKORN possesses capabilities to access and exfi...
South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

Jul 03, 2024 Malware / Threat Intelligence
An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel , a sub-cluster within the infamous Lazarus Group. The similarities stem from the North Korean adversary's prior use of the ERP solution to distribute malware like HotCroissant – which is identical to Rifdoor – in 2017 by inserting a malicious routine into a software update program. In the recent incident analyzed by ASEC, the same executable is said to have been tampered with to execute a DLL file from a specific path using the regsvr32.exe process as opposed to launching a downloader. The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard conte...
Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Jun 03, 2024 Malware / Cyber Attack
The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. "Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report published last week. "The threat actor probably used these malware strains to control and steal data from the infected systems." The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities. Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that operates on behalf of North Korea's strategic...
Microsoft Uncovers 'Moonstone Sleet' — New North Korean Hacker Group

Microsoft Uncovers 'Moonstone Sleet' — New North Korean Hacker Group

May 29, 2024 Cyber Espionage / Malware
A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware," the Microsoft Threat Intelligence team said in a new analysis. It also characterized the threat actor as using a combination of tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to meet its strategic objectives. The adversary, hitherto tracked by Redmond under the emerging cluster moniker Storm-1789, is assessed to be a state-aligned group that originally exhibited strong t...
North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms

North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms

May 10, 2024 Malware / Cyber Espionage
The North Korean threat actor tracked as Kimsuky has been observed deploying a previously undocumented Golang-based malware dubbed  Durian  as part of highly-targeted cyber attacks aimed at two South Korean cryptocurrency firms. "Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files," Kaspersky  said  in its APT trends report for Q1 2024. The attacks, which occurred in August and November 2023, entailed the use of legitimate software exclusive to South Korea as an infection pathway, although the precise mechanism used to manipulate the program is currently unclear. What's known is that the software establishes a connection to the attacker's server, leading to the retrieval of a malicious payload that kicks off the infection sequence. The first-stage serves as an installer for additional malware and a means to establish persistence on the host. It also paves the way f...
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

Apr 25, 2024 Malware / Cyber Threat
The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT as part of attacks targeting specific individuals in the Asia region in summer 2023. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server," Avast security researcher Luigino Camastra  said  in a report published last week. The RAT acts as a pathway to deliver the FudModule rootkit, which has been recently observed leveraging a now-patched  admin-to-kernel exploit  in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8) to obtain a kernel read/write primitive and ultimately disable security mechanisms. The Lazarus Group's use of job offer lures to infiltrate targets is not new. Dubbed Operation Dream Job, the  long-running campaign ...
Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks

Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks

Feb 29, 2024 Rootkit / Threat Intelligence
The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts. The vulnerability in question is  CVE-2024-21338  (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of  Patch Tuesday updates . "To exploit this vulnerability, an attacker would first have to log on to the system," Microsoft  said . "An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system." While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its "Exploitability assessment" for the flaw to "Exploitation Detected."  It's currently not clear when the attacks took place, but the vulnerability...
Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

Feb 29, 2024 Malware / Endpoint Security
The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware. The packages, now taken down, are  pycryptoenv ,  pycryptoconf ,  quasarlib , and  swapmempool . They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351. "The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python," JPCERT/CC researcher Shusei Tomonaga  said . "Therefore, the attacker probably prepared the malware-containing malicious packages to target users' typos in installing Python packages." The disclosure comes days after Phylum  uncovered  several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview. An interesting commonality bet...
New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide

New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide

Feb 20, 2024 Hacking / Cyber Espionage
North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world. In a joint advisory published by Germany's Federal Office for the Protection of the Constitution (BfV) and South Korea's National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a "cost-effective" manner. "The regime is using the military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems including ballistic missiles, reconnaissance satellites and submarines," they  noted .  The infamous Lazarus Group has been blamed for one of the two hacking incidents, which involved the use of social engineering to infiltrate the defense sector as part of a long-standing operation called  Dream Job . The campaign has been  ongoing since August 2020  over several waves. In these attacks, the ...
Expert Insights / Articles Videos
Cybersecurity Resources