Lazarus Group hacks crypto wallets with hidden malware.

Security researchers have exposed a covert malware campaign by the Lazarus Group, the North Korean state-linked threat actor. Its latest operation targets cryptocurrency wallets. The campaign, which took shape in late 2024 and is reported by https://xrust.ru/, centres on a recently identified implant called “marstech1”, developed by the group. This sophisticated tool marks a significant evolution in the group’s tactical approach, with an emphasis on implementing unique functionalities.

According to security analyses, the attackers set up a command-and-control server hosted on the infrastructure of Stark Industries LLC. Unlike their previous operations, which typically communicated over ports 1224 and 1245, this new server listens on port 3000 and uses different tactics, including a Node.js Express backend without the React admin web panel observed earlier.

Researchers also discovered a GitHub profile associated with the Lazarus operator under the username “SuccessFriend.” The account, active since July 2024, kept up the appearance of legitimate development until it began publishing malware-related repositories in November 2024.

The malware employs sophisticated obfuscation techniques, including control flow alignment, self-invoking functions, random variable and function names, and anti-debugging measures. This complex architecture allows the malicious code to infiltrate legitimate websites, software packages, and even NPM packages aimed at the cryptocurrency and web3 sectors.

Of particular concern is the malware’s specific targeting of cryptocurrency wallets. The implant actively searches for Exodus and Atomic crypto wallets on Linux, macOS, and Windows systems and attempts to scan and extract sensitive data from these applications.
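The obfuscation traits and wallet targeting described above give a defender something concrete to look for in JavaScript shipped inside NPM packages or embedded in web pages. The following is an added example, not code from the article or from any vendor report, and it makes no claim about the real implant's code: it is a small static triage heuristic that counts self-invoking function wrappers, random-looking identifier names, `debugger` statements and Exodus/Atomic wallet references in a JavaScript file and produces a review score. The two JavaScript snippets inside it are constructed for the demonstration; the regexes and thresholds are assumptions chosen for the example, not signatures.

```python
import re

# Constructed sample: a fragment that imitates the traits the article lists
# (self-invoking functions, random-looking names, an anti-debugging trick,
# wallet references). It is NOT the real marstech1 code.
SAMPLE_JS = r"""
(function(){var _0x3f2a=['exodus','atomic'];(function(){setInterval(function(){debugger;},100)})();
var a9Qz=function(b7Kp){return b7Kp+'/.config/Exodus'};var Xq1w=process.env.HOME;
})();
"""

# Constructed benign sample for comparison.
BENIGN_JS = r"""
function formatPrice(amount, currency) {
  return currency + ' ' + amount.toFixed(2);
}
module.exports = { formatPrice };
"""

# "})()" closes and immediately invokes a function expression: a crude IIFE marker.
IIFE_RE = re.compile(r"\}\s*\)\s*\(\s*\)")
IDENT_RE = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")
ANTI_DEBUG_RE = re.compile(r"\bdebugger\b")
# Wallet names the article says the implant hunts for.
WALLET_RE = re.compile(r"exodus|atomic", re.IGNORECASE)
JS_KEYWORDS = {"function", "var", "let", "const", "return", "if", "else", "for",
               "while", "new", "this", "typeof", "debugger", "true", "false", "null"}


def looks_random(name):
    """Heuristic for obfuscator-generated names: _0x-style hex names, or
    names mixing digits with upper- and lower-case letters (e.g. a9Qz)."""
    if name.startswith("_0x"):
        return True
    return (len(name) >= 4
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def scan_js(source):
    """Return indicator counts and a review score for one JavaScript text."""
    idents = {i for i in IDENT_RE.findall(source) if i not in JS_KEYWORDS}
    random_idents = {i for i in idents if looks_random(i)}
    ratio = len(random_idents) / len(idents) if idents else 0.0

    result = {
        "iife": len(IIFE_RE.findall(source)),
        "random_ident_ratio": ratio,
        "anti_debug": bool(ANTI_DEBUG_RE.search(source)),
        "wallet_refs": len(WALLET_RE.findall(source)),
    }
    # One point per indicator family; the threshold is an assumption for the
    # example and should be tuned against a known-good package corpus.
    score = 0
    score += 1 if result["iife"] >= 1 else 0
    score += 1 if ratio >= 0.25 else 0
    score += 1 if result["anti_debug"] else 0
    score += 1 if result["wallet_refs"] >= 1 else 0
    result["score"] = score
    result["suspicious"] = score >= 3
    return result


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(label, scan_js(src))
```

Wallet strings on their own are not evidence (a legitimate wallet integration will mention them), which is why the score only flags a file when several independent traits coincide; the point of such a scan is to shortlist files for manual review of a dependency tree, not to block on a single match.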


https://xrust.ru/news/310797-lazarus-group-vzlamyvaet-kripto-koshelki-skrytym-vredonosnym-po.html
