Lazarus Hacker Group Uses Telegram to Steal Cryptocurrencies


Lazarus hacker group linked to a number of attacks on cryptocurrency exchanges and banks is back with another strategy to deceive and steal from cryptocurrency users. According to a recent discovery, the hacker group has used Telegram as part of its game plan to launch an attack on targets.

They have previously been said to be backed by the North Korean government to steal cryptocurrencies as part of their effort to raise resources to fund the government’s regime. Their contribution helped the country to gain $2 billion from hacking banks and exchanges as reported by the United Nations.

Lazarus Hacker Group

Image Source:

Different from their previous approach, the Lazarus hacker group has been reported to have created fake companies intended to distribute malware-infested applications and steal from users. As part of their effort to compromise the system of macOS users, they have created macOS malware with an authentication mechanism. This is to aid in delivering the next stage payload and load it without touching the disk according to the report. It was clear that the Lazarus hacker group has carefully planned their attack to escape from being detected following their previous operation dubbed Operation AppleJeus.

Whiles accessing their new approach, it was discovered that one of their victims was attacked with windows AppleJeus malware after attackers used a fake website wfcwallet(.)com to infect him with a malicious file called WFCUpdater.exe. After using a multi-stage infection with different methods, they began infecting him with .Net malware disguised as WFC wallet updater. Whiles accessing their fake websites, the researchers found that the Lazarus hacker group has a Telegram group indicated on their site. They were discovered to have used the Telegram messenger to deliver manipulated installer to victims. Their approach is well planned and difficult to suspect.

After infecting targets with malware, they comfortably access and control the cryptocurrencies of the targets remotely. The report did not mention the number of affected victims so far, but it was stated that the Lazarus hacker group accessed the systems of targets in Europe and Asia. Some of the targeted countries are Poland, China, the UK, and Russia.

They also stated that a lot of businesses have been affected as well. After changing their macOS and Windows as stated, they also changed significantly the final windows payload from the Fallchill malware that has been used in their previous attacks. 

The state-sponsored hacker group still has a number of fake websites still running with similar Cyptian Web Template suggesting they run their websites on free themes. Further investigations revealed that their Telegram group was created on 17 December 2018 and though there are no more activities, the group is alive with some accounts deleted according to the research.

Lazarus Hacker Group

Image Source:

Lazarus hacker group operates largely for financial gains, unlike the others that focus on stealing important data of companies and Personally Identifiable Information from customers.
The Spokesperson for Telegram has been reported to have said to users not to panic.

According to him, the distribution of this malware has nothing to do with the breach of its system. The malware was said to have been distributed as part of files being downloaded into the targets’ system. The campaign on Telegram is just like contracting malware through downloading a file from a modified website or opening a malicious attachment in an email. It was reported that Telegram users can protect themselves by downloading files from trusted websites only and using an updated version of an existing antivirus. 

In 2018, researchers also discovered that the Lazarus hacker group had devised ways to hack cryptocurrency exchanges using a trojanized cryptocurrency trading application. Targeting an employee of a company, hackers convinced the employee to download the application from a malware-infested website. This caused their computer to be infected with a malware known as Fallchill. The Lazarus hacker group has successfully used this method and a more upgraded approach to steal a lot of money from cryptocurrency exchanges and individuals.

Many reports have linked cryptocurrency exchange data breach to the Bitcoin price. It has been said that the hacker group is bound to make more victims as they are expected to launch a more sophisticated approach and operate for a while. Bitcoin halving is around the corner and all eyes are on the Bitcoin price to make a comeback. This would cause hackers to make exchanges their primary targets to either steal digital assets or demand ransom in the assets. It is advised that individuals and companies become vigilant and careful in the kind of attachments and links they open.

Source: Securelist

Disclaimer: does not promote or endorse claims that have been made by any parties in this article. The information provided here is for the general purpose only and unintended to promote or support purchasing and/or selling of any products and services or serve as a recommendation in the involvement of doing so. Neither nor any member is responsible directly or indirectly for any loss or damage caused or alleged to be caused by or in relation to the reliance on or usage of any content, goods or services mentioned in this article.

Tags: #Deep_Web_directories #Hidden_Wiki_Links #Deep_Web_Links_and_Web_Sites #Dark_Web_Links #Best_Dark_web_Websites



Please enter your comment!
Please enter your name here