North Korean hackers create fake software to steal cryptocurrencies
Attackers from North Korea are spreading malware disguised as a cryptocurrency trading bot, Volexity IT analysts have reported in their blog. The campaign is attributed to the well-known Lazarus Group, which has repeatedly appeared in major cryptocurrency scandals around the world.
Researchers say the new hacking campaign began in the summer of 2022 and lasted at least until October. Volexity identified clone sites of trading bots that spread malware to steal digital assets.
For example, the website bloxholder[.]com is known to spread the malware under the guise of a commercial bot resembling the HaasOnline service. The malicious payload is delivered as a Windows MSI installer disguised as a trading robot called BloxHolder. In fact, the program is AppleJeus malware associated with the QTBitcoinTrader trading client.
In October 2022, the North Korean fraudsters began distributing the malware in the form of an Excel document. The 214 KB file named «OKX Binance & Huobi VIP fee comparison.xls» reportedly contains a macro that creates new files on the victim’s computer. Once those files are in place on the PC, the malware creates a scheduled task on its own to maintain persistence.
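The delivery chain just described (an Office macro that drops files and then registers a scheduled task) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Volexity's report: a small detection routine that correlates Sysmon-style process, file and scheduled-task events back to an Office parent process. The event records, paths and command lines are constructed for illustration; the field names are assumptions about a simplified log format, not indicators from the campaign.

```python
"""Added example: flag Office processes that both drop files and spawn
schtasks /create, the persistence pattern described in the article.
All events below are constructed sample data (assumed simplified
Sysmon-like schema), not real campaign indicators."""
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
TASK_CREATORS = {"schtasks.exe"}

# Constructed sample telemetry: one suspicious chain (pid 100 lineage)
# and two benign events that must not trigger an alert.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 50, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 100, "ppid": 50,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": 'EXCEL.EXE "fee comparison.xls"'},
    {"type": "FileCreate", "pid": 100,
     "path": r"C:\Users\victim\AppData\Roaming\Updater\helper.dll"},  # constructed
    {"type": "ProcessCreate", "pid": 120, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ..."},
    {"type": "ProcessCreate", "pid": 130, "ppid": 120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 15 /tn Updater /tr helper.exe"},
    # Benign: an editor saving a file, and an admin creating a task from explorer.
    {"type": "ProcessCreate", "pid": 200, "ppid": 50,
     "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "FileCreate", "pid": 200, "path": r"C:\Users\victim\notes.txt"},
    {"type": "ProcessCreate", "pid": 210, "ppid": 50,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc daily /tn Backup /tr backup.exe"},
]


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def office_root(pid, image, parent):
    """Walk the parent chain; return the pid of the nearest Office ancestor
    (or the process itself), or None if no Office app is in the lineage."""
    seen = set()
    while pid in image and pid not in seen:
        seen.add(pid)
        if image[pid] in OFFICE_APPS:
            return pid
        pid = parent.get(pid)
    return None


def detect_macro_persistence(events):
    """Return one alert per Office process whose lineage both wrote a file
    and invoked a scheduled-task creation. A file drop alone, or a task
    created outside an Office lineage, does not alert."""
    image, parent = {}, {}
    for e in events:
        if e["type"] == "ProcessCreate":
            image[e["pid"]] = _basename(e["image"])
            parent[e["pid"]] = e["ppid"]

    drops = defaultdict(list)
    tasks = defaultdict(list)
    for e in events:
        root = office_root(e["pid"], image, parent)
        if root is None:
            continue
        if e["type"] == "FileCreate":
            drops[root].append(e["path"])
        elif (e["type"] == "ProcessCreate"
              and image[e["pid"]] in TASK_CREATORS
              and "/create" in e["cmdline"].lower()):
            tasks[root].append(e["cmdline"])

    return [
        {"office_pid": root, "dropped": drops[root], "tasks": tasks[root]}
        for root in sorted(drops)
        if tasks[root]
    ]


if __name__ == "__main__":
    for alert in detect_macro_persistence(SAMPLE_EVENTS):
        print("ALERT: Office pid %d dropped %s and scheduled %s"
              % (alert["office_pid"], alert["dropped"], alert["tasks"]))
```

The correlation key is the Office ancestor rather than the immediate parent, because macros usually reach schtasks through an intermediate cmd.exe or PowerShell process; tying both the file write and the task creation to the same Office lineage keeps a lone scheduled task created by an administrator from raising the alert.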
Notably, the amount of cryptocurrency stolen is still unclear. However, Volexity researchers emphasize that the Lazarus Group’s AppleJeus malware is being actively updated. For example, in the latest version of the malware, API connections are encrypted using a custom algorithm, which makes it harder for antivirus products to track them on infected PCs.
In early November, we reported that North Korean hackers attacked a crypto company in Israel, and in October the Lazarus Group infiltrated Japanese crypto exchanges. The notorious group is also suspected of helping the North Korean government develop weapons of mass destruction, with reports that the lion’s share of funding for the nuclear program comes from stolen cryptocurrency.