A new report published by tech giant Microsoft took a closer look at the malicious activities perpetrated by Lazarus Group. Recall that the Lazarus Group was the notorious hacker group based out of North Korea.
DEV-0139 targeting crypto traders
According to the report, Microsoft identified a threat actor that was targeting cryptocurrency traders. The threat actor, dubbed DEV-0139, reportedly gained the target’s trust before deploying its malware attack. The method starts by identifying potential targets through Telegram groups.
Once a sufficient level of trust is established DEV-0139 sends an infected Excel file with the name “OKX Binance & Houbi VIP fee comparison.xls”. This happens to be a genuine looking document that contains fee structures. However, the file is embedded with a malicious program that grants a backdoor to the perpetrator.
Report by Volexity
Microsoft’s claims were also backed by American cybersecurity firm Volexity, which identified DEV-0139 as the latest strain of the AppleJeus malware. This malware was traced back to the Lazarus Group.
“Technical analysis of the deployed AppleJeus malware uncovered a new variation of DLL side-loading that Volexity has not seen previously documented as in the wild.” the firm stated.
According to Volexity, the increased scrutiny and notoriety of Lazarus prompted it to resort to this modified malware. The malware happens to be relatively low-profile but requires more effort to succeed.
Recommendations to defend against DEV-0139
Microsoft recommended its users to change the Excel macro security settings to control which macros run and under what circumstances. Additionally, the company also asked users to turn on the Microsoft attack surface reduction rules.
Volexity also issued a list of recommendations for users to mitigate the risks posed by these malwares. In addition to blocking Macro execution in Microsoft Office, the firm asked users to use the YARA rules. These rules would help detect malicious activities and block certain IOCs.
The Lazarus Group
The Lazarus Group has been involved in several hacks and exploits this year. The exploits, have thus, resulted in the loss of hundreds of millions of dollars. The most high profile hack was the one carried out on Axie Infinity’s Ronin Bridge back in March. This resulted in the loss of $600 million.
Other known attacks include the $100 million hack on the Harmony Protocol in June. This group was also blamed by Japan’s National Police Agency for a string of phishing attacks aimed at stealing crypto assets from the country’s crypto firms.