North Korean state-sponsored cybercriminals have widened their scope of operations, launching a novel initiative named ‘Hidden Risk’, designed to infiltrate cryptocurrency firms using malware concealed as genuine documents.
In a report released on Thursday, cybersecurity research firm SentinelLabs attributed the campaign to the BlueNoroff threat actor, a subgroup of the Lazarus Group, which has a long history of stealing millions of dollars to fund North Korea’s nuclear and weapons programs.
The sequence of attacks is a strategic move to drain resources from the rapidly expanding $2.6 trillion cryptocurrency industry, capitalizing on its decentralized and often under-regulated landscape.
The Federal Bureau of Investigation (FBI) recently warned of North Korean cyber actors’ growing interest in employees of DeFi and ETF companies, whom they target with tailored social engineering campaigns.
The hackers’ current campaign seems to be an extension of these maneuvers, with a primary focus on compromising cryptocurrency exchanges and financial platforms.
In a departure from their usual approach of cultivating victims through social media engagement, the hackers are now sending phishing emails that pose as cryptocurrency news alerts, a shift SentinelLabs says began in July.
Social media grooming typically involves a protracted strategy where cybercriminals build trust with targets over time by engaging with them on platforms like LinkedIn or Twitter.
The phishing emails are disguised as updates on Bitcoin (BTC) prices or the latest trends in decentralized finance (DeFi), enticing victims into clicking on links that appear to lead to legitimate PDF documents.
However, rather than opening an innocuous file, unwitting users end up downloading a malicious application onto their Mac systems.
What makes this new malware more alarming, according to the report, is its ability to circumvent Apple’s built-in security features: the hackers get their software signed with genuine Apple Developer IDs, so it passes macOS’s Gatekeeper checks.
Once installed, the malware uses hidden files to persist across reboots while evading detection, and it establishes communication with remote servers under the hackers’ control.
In light of these findings, the SentinelLabs report urges macOS users, particularly those within organizations, to bolster their security protocols and increase their vigilance to potential threats.
Edited by Sebastian Sinclair.