North Korea

The North Korean hacker group Lazarus has implanted malware for stealing cryptocurrency in a new batch of JavaScript packages

ChainCatcher news, according to Decrypt, the Socket research team has discovered in a new attack that the North Korean hacker group Lazarus is associated with six new malicious npm packages that attempt to deploy backdoors to steal user credentials.Additionally, this malware can extract cryptocurrency data and steal sensitive information from Solana and Exodus crypto wallets. The attacks primarily target files from Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, specifically tricking developers into inadvertently installing these malicious packages.The six discovered malicious packages include: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They lure developers into installation through "typosquatting" (exploiting misspelled names). The APT group has created and maintained GitHub repositories for five of these packages, disguising them as legitimate open-source projects, increasing the risk of developers using the malicious code. These packages have been downloaded over 330 times. Currently, the Socket team has requested the removal of these packages and reported the related GitHub repositories and user accounts.Lazarus is a notorious North Korean hacker group, linked to the recent $1.4 billion Bybit hack, the $41 million Stake hack, the $27 million CoinEx hack, and countless other attacks in the crypto industry.

Slow Fog Cosine: Confirmed that the attacker of the CEX theft incident is the North Korean hacker group Lazarus Group, which has revealed its attack methods

ChainCatcher news, Slow Mist founder Yu Xian posted on social media, "Through forensic analysis and correlation tracking, we confirm that the attackers of the CEX theft incident are the North Korean hacker group Lazarus Group. This is a nation-state APT attack targeting cryptocurrency trading platforms. We have decided to share the relevant IOCs (Indicators of Compromise), which include some IPs of cloud service providers, proxies, etc. It is important to note that this disclosure does not specify which platform or platforms were involved, nor does it mention Bybit; if there are similarities, it is indeed not impossible."The attackers utilized pyyaml for RCE (Remote Code Execution), enabling the delivery of malicious code to control target computers and servers. This method bypassed most antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The main goal of the attackers is to gain control over wallets by infiltrating the infrastructure of cryptocurrency trading platforms, thereby illegally transferring a large amount of cryptocurrency assets from the wallets.Slow Mist published a summary article revealing the attack methods of the Lazarus Group, and also analyzed their use of social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfer tactics. At the same time, based on actual cases, they summarized defense recommendations against APT attacks, hoping to provide references for the industry and help more institutions enhance their security capabilities and reduce the impact of potential threats.
ChainCatcher Building the Web3 world with innovators