Tag Archive for: Korean

New MacOS Malware Linked to North Korean Hackers


A new macOS malware probably used by North Korean hackers to target crypto exchanges has been found by security firm Jamf. The group behind the malware is thought to be the same group behind the recently reported KandyKorn malware. 

In its report on KandyKorn, Kaspersky describes the group as ‘Lazarus’, an overarching term for North Korean hackers. Jamf describes this group as BlueNoroff, a specific group within Lazarus that is “financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms, and banks.”

The new malware is tracked by Jamf as ObjCShellz and is believed to be part of what has been called the RustBucket Campaign. The researchers suspect it is a late stage part of a multi-stage malware attack. “It’s a rather simplistic remote shell,” explains Jaron Bradley, director of Jamf Threat Labs, “but effective.” It allows the attacker to deliver macOS instructions from a C2 server and collect the responses. The malware can do almost everything the user can do on the Mac, but in the background.

Jamf was not able to explore the specific intentions of the attackers with this malware, because the C2 server (located at ‘swissborg[.]blog’) was taken offline as soon as the researchers probed for more information. This is not unusual — attackers often stand down an IP to prevent investigation, only to stand it up at some future date. 

However, a possible alternative reason for taking the server offline is that the malware has already succeeded in its task. “Once they have finished the attack,” commented Bradley, “they take the server offline to prevent researchers gaining any extra insight into what is actually going on.”

The address of the C2 server is hardcoded within the malware. The malware could be reused as part of a different spear-phishing attack simply by changing the C2 link to a different lookalike domain name.

A slightly unusual feature is evident in this malware: it logs the victim server’s responses to the malware commands – both successes and failures. “The choice to log these activities is intriguing, as attackers crafting sophisticated malware typically omit any statements that might leave…


Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers


Google’s threat hunting unit has again intercepted an active North Korean APT actor sliding into the DMs of security researchers and using zero-days and rigged software tools to take control of their computers.

Google’s Threat Analysis Group (TAG) on Thursday outed the government-backed hacking team’s social media accounts and warned that at least one actively exploited zero-day is being used and is currently unpatched.

Using platforms like X (the successor to Twitter) as their initial point of contact, the North Korean threat actor cunningly forged relationships with targeted researchers through prolonged interactions and discussions.

“In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package,” Google explained.

Google did not identify the vulnerable software package.

Google said the zero-day exploit was used to plant shellcode that conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. 

“The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits,” Google said, noting that the security defect has been reported to the affected vendor and is in the process of being patched. 


Google said it is withholding technical details and analysis of the exploits until a patch is available. 

In addition to targeting researchers with zero-day exploits, Google’s malware hunters also caught the APT group distributing a standalone Windows tool that has the stated goal of ‘download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.’ 

The source code for the utility, first published on GitHub a year ago, has been updated multiple times with features to…


North Korean Hackers Use Zero-Day Exploit to Hit Security Researchers


Google says state-sponsored North Korean hackers are once again trying to target security researchers, this time with a new zero-day exploit that can spy on a victim’s computer. 

The suspected North Korean hackers are using Twitter and Mastodon social media accounts to build a “rapport with their targets,” Google warned in a blog post on Thursday. 

“In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest,” the company said. “After initial contact via [Twitter], they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire.”

The North Korean hackers then sent a malware-laden file to the security researcher that exploited at least one unpatched vulnerability, also known as a zero-day exploit. The attack worked by first checking to see if the security researcher’s computer had installed any antivirus software. It then proceeded to collect information, including grabbing a screenshot, which was then sent to a hacker-controlled internet domain. 

Google didn’t supply details on the vulnerability, such as the software it attacked. But the company reported the flaw to the vendor, which is in the process of patching it. “Once patched, we will release additional technical details and analysis of the exploits,” Google added. 

The attack represents the latest campaign from the North Korean hackers, which have been targeting the IT security community with the same tactics since at least 2021 by pretending to be security researchers. In this new campaign, Google says the North Koreans also published a free debugging tool called “GetSymbol Project” on GitHub to trick security researchers into downloading it. In reality, the tool has “the ability to download and execute arbitrary code from an attacker-controlled domain,” meaning it can secretly infect a PC with malware.  

“If you have downloaded or run this tool, TAG [Google’s Threat Analysis Group] recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system,” Google warns.

To protect users, Google says its Chrome browser will start flagging…


FBI warns North Korean hackers looking to cash out stolen cryptocurrency worth millions


The FBI is warning cryptocurrency companies to be on the lookout for North Korean cyber thieves cashing out stolen bitcoin valued in the tens of millions of dollars. 

North Korean hackers use cybertheft to circumvent sanctions and fund their regime, with the White House estimating that half of North Korea’s missile program is funded via cryptocurrency heists and cyberattacks. 

The FBI published an alert this week saying North Korean hackers who were responsible for stealing nearly $200 million worth of cryptocurrency in June want to convert digital money into real funds. The bureau published identifiers of the bitcoin for companies to watch for in a warning Tuesday.

“Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People’s Republic of Korea TraderTraitor-affiliated actors (also known as Lazarus Group and APT38),” the FBI said in the warning. “The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40…
