• 17 September, 2024

Lazarus Targets Crypto Industry with New Malware Variants

The Lazarus Group, a North Korean hacking organization notorious for targeting the crypto industry, is intensifying its efforts with more advanced malware campaigns. Recent research by cybersecurity firm Group-IB reveals the group has expanded its scope in 2024, introducing new malware variants and shifting focus to professionals in the cryptocurrency sector, including developers. A new method involving video conferencing applications is now part of their strategy, adding to the growing sophistication of their attacks.

One of the group’s latest campaigns, known as “Contagious Interview,” tricks job seekers into downloading malicious software under the guise of technical tasks. In this scheme, a fake video conferencing app called “FCCCall” is used to install the BeaverTail malware on targeted systems. Once active, BeaverTail retrieves credentials from browsers and extracts sensitive data from cryptocurrency wallet extensions. The malware also deploys a backdoor known as “InvisibleFerret,” a Python-based tool that further compromises systems.

This method of attack has evolved to include the distribution of Node.js projects as part of job-related activities. Lazarus members typically move the conversation to Telegram, where they convince their targets to download the fake applications.

Gaming and Wallet Extension Tactics

In addition to targeting job seekers, Lazarus has broadened its focus to include gaming repositories, utilizing trojanized Node.js-based projects to spread malware. Group-IB’s findings indicate that the group has incorporated Python scripts, labeled “CivetQ,” into their arsenal. 

This new malware suite utilizes Telegram for exfiltration, enabling hackers to steal data more efficiently. The group’s expanding range of targets includes popular cryptocurrency wallet browser extensions, such as MetaMask, Coinbase, and Exodus Web3. This development highlights Lazarus’s growing interest in gaining access to crypto wallets via browser vulnerabilities.
