Lazarus Group targets financial entities using IPMsg Installer

January 7, 2025

The notorious North Korean-backed advanced persistent threat and cyberespionage group dubbed Lazarus has reemerged in a new campaign that targets cryptocurrency exchanges and financial institutions.

The group, also tracked as APT-C-26, has a long record of financially motivated intrusions alongside cyber-espionage operations, and is known for the persistence and sophistication of its tradecraft.


In its latest campaign the Lazarus Group has once again turned legitimate software against its targets, this time the IPMsg installer.


According to the investigation, the Lazarus Group repackaged the popular IPMsg installer into a delivery vehicle for backdoors and for stealing sensitive information.

The campaign begins with a weaponised version of the IPMsg installer. When run, the malicious installer drops two components.

The first is the legitimate IPMsg installer itself, bundled so that the package looks and behaves as the victim expects. The second is a malicious DLL that launches a multi-stage attack and ultimately communicates with a command-and-control (C2) server.

Pairing the real installer with the malicious component is a social-engineering tactic: the victim sees the software they intended to install and has little reason to suspect anything else ran. Meanwhile the malicious DLL works through several decryption and execution stages before unpacking a backdoor that lets the operators download additional payloads and exfiltrate data.

The group also built in evasion measures to hinder detection and analysis. The DLLs contain stack-based checks that stop them from running when executed independently, for example when an analyst detonates the DLL on its own in a sandbox rather than through the installer.

They also used legitimate-looking domain names such as cryptocopedia[.]com to host their command-and-control infrastructure. Every executable in the campaign, including the initial installer, is designed to appear legitimate, which helps the chain slip past standard security controls.

The TTPs observed in this campaign are consistent with prior Lazarus operations. The use of cryptocopedia[.]com and similar domains, together with the geopolitical targeting pattern, strongly points to this North Korean-linked group.

The researchers added that the overlap in domain usage and operational tactics is what ties this campaign to the Lazarus organisation.

Organisations should therefore remain vigilant as one of the best-known North Korean hacking groups continues to refine its tradecraft. Its ability to weaponise legitimate software underlines the importance of layered defences and proactive threat intelligence.
