
Lazarus Group adopts new tactics to steal cryptocurrencies

The Lazarus cybercriminal group, backed by North Korea, has adopted new tactics to illegally acquire cryptocurrencies, Kaspersky Lab reported on March 26.

Apparently, the group has been using custom PowerShell scripts that communicate with malicious C2 servers and execute commands issued by the operator, allowing it to attack both Windows and macOS systems.

Kaspersky Lab first discovered this strategy in November of last year, “which uses PowerShell to control Windows systems and macOS malware for Apple users.” In recent days, however, the tooling appears to have evolved to evade detection.

According to the report, the script names on the C2 servers are disguised as WordPress files and files from other open-source projects. Once the control session between the malware and the server is established, the malware is ready to download and upload files, update its configuration and collect basic host information, among other tasks.

The security firm notes that the attackers continue to focus primarily on systems in the cryptocurrency and fintech industries, and advised organizations in those sectors to be cautious. “If you are part of the burgeoning industry of cryptocurrencies or technology startups, be very careful when dealing with new third parties or when installing software on your systems and never […] enable content (macro scripting) in Microsoft Office documents received from new or unreliable sources …”, says the report.

The Lazarus Group gained notoriety in 2017, when it amassed up to 571 million dollars in cryptocurrencies to finance the North Korean regime. It has also been linked to several altcoin frauds and money-laundering schemes. In addition, the government of Israel has reported attacks on its public institutions and defense systems allegedly carried out by the group.
