Lazarus Group Increases Attacks on Crypto Browser Extensions
The North Korean cybercrime group known as the Lazarus Group continues to ramp up operations aimed at infiltrating cryptocurrency markets, and it is now using more sophisticated malware that targets crypto browser extensions. A report recently published by cybersecurity company Group-IB sheds light on new tactics and tools used by the group and highlights the increasing danger to crypto professionals.
Lazarus Scales Up Activities with New Malware
New malware variants are on the loose, including BeaverTail, which targets the browser extensions that manage cryptocurrency wallets. In its latest campaign, dubbed “Contagious Interview,” the group lures job seekers into installing malware disguised as job-related tasks.
One of the latest lures is a fake video conferencing application called “FCCCall,” which looks like any legitimate program. Once installed, it infects the victim’s system with BeaverTail, which then deploys the Python-based backdoor known as “InvisibleFerret.” This malware combination allows Lazarus to extract credentials from browsers and from crypto wallets including MetaMask, Coinbase, and Exodus Web3.
New Toolkit Targets Gaming and Development Sectors
Crypto browser extensions are not the only focus of Lazarus Group’s evolving strategy; the group has also expanded into gaming-related repositories. By compromising development environments, the attackers can spread their malware more widely. Group-IB’s research revealed a new set of Python scripts, dubbed “CivetQ,” that Lazarus has been using to trojanize Node.js-based projects.
“What hasn’t changed is the key functionality of BeaverTail: it exfiltrates credentials from browsers and data from cryptocurrency wallets and browser extensions,” Group-IB said, underlining the persistent threat to browser-based crypto wallets.
Lazarus Abusing Telegram for Data Exfiltration
Another notable feature of the new Lazarus tactics is the reliance on Telegram as a data exfiltration channel. The attackers generally make initial contact with targets by email and then try to move the conversation to Telegram. They then ask potential victims to install fake video conferencing apps or other trojanized software, extending their ability to infect systems and exfiltrate data.
Increased Focus on Crypto Wallet Extensions
The Lazarus Group campaign reflects a growing interest in browser extensions that manage crypto wallets, such as MetaMask, BNB Chain Wallet, and TON Wallet. By targeting such platforms, Lazarus aims to compromise a broad range of applications in order to reach the crypto assets they protect. The group’s methods for hiding malicious code are becoming more advanced, further complicating detection by security tools.
FBI Warns of Growing Threat
This escalation of tactics by Lazarus Group comes against the backdrop of recent FBI warnings that North Korean cyber actors are increasingly targeting employees in the DeFi and cryptocurrency sectors. These are tailored social-engineering campaigns designed to break into secure systems, and they continue to pose risks to organizations with significant cryptocurrency holdings.
According to cybersecurity researchers, the attacks have been growing in intensity, with the latest Lazarus campaign against crypto browser extensions reaching more areas of the crypto ecosystem than ever before. Given how sophisticated these attacks have become, the takeaway is that cybersecurity measures across the cryptocurrency industry urgently need to improve.