North Korea-linked hackers revive cryptocurrency scam to hijack macOS


Security researchers have reportedly uncovered another attack from a North Korea-linked hacking group. But on closer inspection it seems to be nothing more than a rehash of the group’s previous exploits.

According to research published yesterday, the Lazarus hacking group is now using fake cryptocurrency trading software created by an equally fake front company, Forbes reports.

It appears that the hackers set up a front company called JMT Trading and wrote an accompanying open-source cryptocurrency trading app, the code for which was hosted on GitHub. However, this is where the originality ends.

In the code for the JMT Trading software is a piece of malicious code which, according to Mac security expert Patrick Wardle, gives hackers the “ability to remotely execute commands” on a victim’s device. It gives bad actors full control over the infected macOS system, giving attackers the ability to do anything they want, he added.

On closer inspection, JMT Trading is just a reapplication of Lazarus’ previous strategy of bundling nefarious code with legitimate-looking apps.

Last year, Lazarus set up a fake trading platform and company called Celas, which was detected by security researchers at Kaspersky Labs. Research posted to Securelist, Kaspersky’s media outlet, read:

While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email.

You could say that Lazarus has zero creativity, seeing as it’s just recycling its old hacks, but on the other hand, it could be because its scams are working.

Research last year found the North Korea-linked hacking group was the most profitable hacking syndicate in the world.
