Lazarus Group hacks crypto wallets with hidden malware
Lazarus Group has been exposed by security experts. This is a covert malware campaign from North Korea, and its latest operation has involved hacking crypto wallets. The group, reports https://xrust.ru/, is the developer of a recently identified implant called “marstech1,” used in a campaign that began to take shape in late 2024. This sophisticated tool marks a significant evolution in the group’s tactical approach: its distinguishing feature is a set of capabilities not seen in the group’s earlier tooling.

According to security analysis, the attackers have created a command and control server hosted on the infrastructure of Stark Industries LLC. Unlike their previous operations, which typically communicated over ports 1224 and 1245, this new server operates on port 3000 and employs different tactics, including a Node.js Express backend without the previously observed React admin web panel.

Researchers discovered a GitHub profile associated with the Lazarus operator working under the username “SuccessFriend.” This account, active since July 2024, maintained the appearance of legitimate development before it began publishing repositories related to malware in November 2024.

The malware uses complex obfuscation techniques, including control flow flattening, self-invoking functions, random variable and function names, and anti-debugging measures. This intricate architecture allows the malicious code to be embedded in legitimate websites, software packages, and even npm packages targeting the cryptocurrency and web3 sectors.

Of particular concern is the malware’s specific targeting of cryptocurrency wallets. The implant actively searches for Exodus and Atomic crypto wallets on Linux, macOS, and Windows systems, attempting to scan and extract sensitive data from these applications.
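As an added example, not code from the article or from any researcher it cites: a small Python triage script that scores JavaScript files (for instance the contents of an npm package pulled into a build) against the traits described above, namely wallet-name references, self-invoking wrappers, anti-debugging statements and obfuscator-style identifiers. The regular expressions, scoring thresholds and the two sample inputs are assumptions constructed for illustration.

```python
import re

# Heuristic markers drawn from the traits described in the article. The
# patterns, weights and threshold below are illustrative assumptions, not
# signatures taken from any vendor report.
WALLET_MARKERS = ("exodus", "atomic")           # wallet names the implant hunts for
SELF_INVOKING = re.compile(r"\(\s*function\s*\([^)]*\)\s*\{|\(\s*\(\s*\)\s*=>\s*\{")
ANTI_DEBUG = re.compile(r"\bdebugger\b|devtools", re.IGNORECASE)
DECLARED = re.compile(r"\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)")
RANDOM_NAME = re.compile(r"^_0x[0-9a-fA-F]+$|^[^aeiouAEIOU_$\d]{5,}$")


def looks_random(name):
    """True for hex-style (_0x1a2b) or vowel-less identifiers typical of obfuscators."""
    return bool(RANDOM_NAME.match(name))


def analyze(src):
    """Return the individual findings plus an aggregate score and verdict."""
    names = DECLARED.findall(src)
    random_ratio = (sum(looks_random(n) for n in names) / len(names)) if names else 0.0
    lowered = src.lower()
    findings = {
        "wallet_refs": [m for m in WALLET_MARKERS if m in lowered],
        "self_invoking": len(SELF_INVOKING.findall(src)),
        "anti_debug": len(ANTI_DEBUG.findall(src)),
        "random_name_ratio": round(random_ratio, 2),
    }
    # Wallet references weigh most; the obfuscation traits add one point each.
    score = 2 if findings["wallet_refs"] else 0
    score += 1 if findings["self_invoking"] else 0
    score += 1 if findings["anti_debug"] else 0
    score += 1 if random_ratio >= 0.5 else 0
    findings["score"] = score
    findings["verdict"] = "review" if score >= 3 else "ok"
    return findings


# Constructed samples: one mimicking the described traits, one ordinary helper.
SUSPECT = """(function(){var _0x4a1f=['Exodus','atomic'];function _0xb3c2(){debugger;}
var qwrtz=_0x4a1f[0];})();"""
BENIGN = "function parseConfig(raw){const parsed=JSON.parse(raw);return parsed.timeout;}"

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, analyze(src))
```

Run it over every `.js` file of a package before publishing or installing; a "review" verdict is a prompt for manual inspection, not proof of compromise.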
https://xrust.ru/news/310797-lazarus-group-vzlamyvaet-kripto-koshelki-skrytym-vredonosnym-po.html