North Korean Lazarus Group is targeting crypto funds with a new spin on an old trick

Microsoft reports that a threat actor has been identified targeting cryptocurrency investment startups. A party Microsoft has dubbed DEV-0139 posed as a cryptocurrency investment company on Telegram and used an Excel file weaponized with “well-crafted” malware to infect systems that it then remotely accessed.

The threat is part of a trend in attacks showing a high level of sophistication. In this case, the threat actor, falsely identifying itself with fake profiles of OKX employees, joined Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms,” Microsoft wrote in a Dec. 6 blog post. Microsoft explained:

“We are […] seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads.”

In October, the target was invited to join a new group and then asked for feedback on an Excel document that compared OKX, Binance and Huobi VIP fee structures. The document provided accurate information and high awareness of the reality of crypto trading, but it also invisibly sideloaded a malicious .dll (Dynamic Link Library) file to create a backdoor into the user’s system. The target was then asked to open the .dll file themselves during the course of the discussion on fees.

DPRK’s infamous Lazarus Group has developed new and improved versions of its cryptocurrency-stealing malware AppleJeus, marking the regime’s latest attempt to garner funds for Kim Jong-un’s weapons programs. @nknewsorg @EthanJewell https://t.co/LjimOmPI5s

— CSIS Korea Chair (@CSISKoreaChair) December 6, 2022

The attack technique itself has long been known. Microsoft suggested the threat actor was the same as the one found using .dll files for similar purposes in June and that was probably behind other incidents as well. According to Microsoft, DEV-0139 is the same actor that cybersecurity firm Volexity linked to North Korea’s state-sponsored Lazarus Group, using a variant of malware known as AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency documented AppleJeus in 2021, and Kaspersky Labs reported on it in 2020.

Related: North Korean Lazarus Group allegedly behind Ronin Bridge hack

The U.S. Treasury Department has officially connected Lazarus Group to North Korea’s nuclear weapons program.

‘Nobody is holding them back’ — North Korean cyber-attack threat rises   July 12, 2022
North Korean hackers stealing NFTs using nearly 500 phishing domains   Dec. 26, 2022
Binance and Huobi freeze $1.4M in crypto linked to North Korean hackers   Feb. 15, 2023
LastPass data breach led to $53K in Bitcoin stolen, lawsuit alleges   Jan. 5, 2023
Coinbase discloses recent cyberattack targeting employees   Feb. 22, 2023