
Lazarus Group Hacks Crypto Users with Browser Extension

According to a recent report by cybersecurity firm Group-IB, the Lazarus Group, a North Korean hacker organization, escalated its cyber attacks on the cryptocurrency market in September 2024 by introducing new malware strains that target browser extensions and video conferencing applications.

The report delineates the group’s expansion of its focus to encompass these platforms, utilizing increasingly sophisticated malware variants.

Browser Extension Attacks by Lazarus Group

The Lazarus Group has expanded its attacks to include fake videoconferencing apps and the ‘Contagious Interview’ campaign, which deceived job seekers into downloading malware disguised as job-related tasks.

This scheme has since expanded to encompass a fraudulent video conferencing application called “FCC Call,” which imitates legitimate software.

The BeaverTail malware is deployed by the application upon installation. This malware is intended to extract data from cryptocurrency wallets and credentials from browsers through browser extensions.

It then installs a Python-based Trojan, “InvisibleFerret,” which further compromises the victim’s system.

This most recent campaign underscores their growing emphasis on browser extensions for crypto wallets, particularly on MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3.

According to analysts at Group-IB, the group is currently focusing on a diverse array of applications, such as MetaMask and Coinbase.

Using malicious JavaScript, they deceive victims into downloading software under the guise of reviews or analysis assignments.

As part of the group’s evolving arsenal, researchers from Group-IB have identified a new suite of Python scripts called “CivetQ.”

These scripts suggest a change in strategy to target blockchain professionals through job search platforms such as Upwork, Moonlight, and WWR.

The hackers typically transition the conversation to Telegram after initiating communication. They deceive victims into obtaining a phony videoconferencing application or a Node.js project, claiming it is necessary for a technical job interview.

The Recent Exploitation of Microsoft Windows Vulnerabilities and the Growing Threat to Cryptocurrency from Lazarus Group


The group has refined its techniques for concealing malicious code in more advanced and innovative ways, making its malware more difficult to detect.

This escalation is consistent with the Federal Bureau of Investigation’s (FBI) recent warning that North Korean hackers are conducting highly specialized social engineering campaigns to target decentralized finance and cryptocurrency employees.

These campaigns are engineered to infiltrate even the most secure systems, presenting an ongoing threat to organizations with substantial crypto assets.

In a related development, Lazarus Group is purportedly responsible for exploiting a zero-day vulnerability in Microsoft Windows.

The Windows Ancillary Function Driver (AFD.sys) for WinSock contained a privilege escalation flaw, identified as CVE-2024-38193 (CVSS score: 7.8).

The vulnerability, which enabled hackers to access restricted areas of computer systems without being detected, was discovered by two researchers, Luigino Camastra and Milánek.

In September 2024, Microsoft resolved the vulnerability as part of its monthly Patch Tuesday update.

King David

David is a writer and digital marketer with a History degree. Formerly a Shill Angel at Aex Global Exchange. Currently thriving as a Cloud and AI Engineer, David is also passionate about Blockchain and Web3 technologies. Through his writing, he seeks to educate and inspire, sharing insights on the intersection of AI, Web3, and Blockchain Technology.
