Tue. Jul 7th, 2020

North Korea-linked APT group Lazarus begins attacking virtual currency exchanges


Kaspersky Lab's latest security report says that Lazarus, an APT group linked to North Korea, successfully penetrated a virtual currency exchange in Asia.

Lazarus has been a very active APT group in recent years. Earlier, Sony Pictures was attacked and a number of unreleased films were leaked; that operation was Lazarus's work.

This is, however, the first time Lazarus has been found infiltrating and attacking a virtual currency exchange. Because the intrusion was discovered in time, the group was successfully cleared from the internal network.

Hijacking legitimate software to attack the virtual currency exchange's switches:

Kaspersky Lab traced the original Trojan to a download by one of the exchange's employees; the employee had in fact downloaded an ordinary application from the legitimate website.

But on analysis Kaspersky found that the application was infected with a Trojan, and, remarkably, the Trojan carried a legitimate digital certificate.

As a result, the exchange staff noticed nothing abnormal after downloading the program. Once installed and run, the Trojan connected to a remote server to download further backdoor programs.

It then infected a switch on the exchange's intranet and from there distributed a remote access Trojan to other devices, so that they could be monitored at any time in the future.

Lazarus's specific purpose is not clear:

The Trojan was cleared from the intranet because it was found relatively quickly. At that point Lazarus had only distributed remote access Trojans and had not carried out any destructive attack.

So the exchange suffered no financial loss, but the researchers were unable to establish exactly why Lazarus attacked the virtual currency exchange.

The reasonable assumption is that attacks on virtual currency exchanges are mostly about stealing the virtual currency they hold; this kind of theft has happened many times at other exchanges.

The mystery of the legitimate digital certificate:

What surprised the researchers most was that Lazarus's Trojan carried a digital certificate, and because it was signed, most security software simply let it through.

At the same time, during installation the system recognised the digital certificate normally and showed no unusual prompts, leaving the victim with no way to detect the problem.

On further tracking, Kaspersky found that the certificate had been obtained through legitimate channels, but the registered company and its software products were entirely fabricated and do not exist.

In other words, Lazarus went as far as creating a fake company to apply for a certificate in order to carry out the attack. This suggests the group had a major target in mind.
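The lesson of the fabricated-company certificate is that a valid signing chain proves only that some registered entity signed the file, not that it is the vendor you meant to install. The check below is an added example, not code from the article or from Kaspersky: it takes the result of an external signature verifier (chain validity plus the signer's subject DN) and additionally pins the signer's organisation to an allowlist and compares the file digest with a vendor-published one. The product name, publisher names, subject strings and installer bytes are all constructed for the example.

```python
"""Publisher pinning for downloaded installers (added example, constructed data).

A code-signing chain that validates only says "a registered company signed
this". Policy below: the file must hash to the vendor-published digest, the
chain must verify, AND the signer's subject must match the publisher we
expected for that product. A freshly registered, unknown publisher fails.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class SignatureRecord:
    """Minimal view of what an external verifier (signtool, Get-AuthenticodeSignature,
    codesign ...) reports. Both fields are supplied by the caller; nothing here
    parses a real PE/Mach-O signature."""
    chain_valid: bool
    signer_subject: str  # RFC 4514 style DN, e.g. "CN=Foo, O=Foo Ltd, C=GB"


# Hypothetical allowlist of expected publishers per product (constructed).
EXPECTED_PUBLISHERS = {
    "trading-client": {"O": "Example Trading Software Ltd", "C": "GB"},
}


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514 DN string into {ATTR: value}.

    Splits on commas that are not escaped with a backslash, so a subject like
    'CN=Foo\\, Inc., O=Foo Inc' keeps the comma inside the CN value.
    """
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key.strip().upper()] = value.replace("\\,", ",").strip()
    return attrs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_installer(product: str, data: bytes, sig: SignatureRecord,
                       published_sha256: str):
    """Return (allowed, reason). Every failing condition names itself so the
    decision can be logged and reviewed."""
    digest = sha256_hex(data)
    if digest != published_sha256:
        return False, f"hash mismatch: got {digest[:16]}..."
    if not sig.chain_valid:
        return False, "signature chain invalid"
    expected = EXPECTED_PUBLISHERS.get(product)
    if expected is None:
        return False, f"no pinned publisher for product {product!r}"
    subject = parse_dn(sig.signer_subject)
    for attr, want in expected.items():
        if subject.get(attr) != want:
            return False, f"publisher mismatch on {attr}: {subject.get(attr)!r} != {want!r}"
    return True, "ok"


if __name__ == "__main__":
    installer = b"constructed installer bytes"  # stands in for the downloaded file
    vendor_digest = sha256_hex(installer)       # what the real vendor would publish
    # Expected vendor: passes.
    good = SignatureRecord(True, "CN=Example Trading Software Ltd, O=Example Trading Software Ltd, C=GB")
    print(evaluate_installer("trading-client", installer, good, vendor_digest))
    # Valid chain, but issued to an unknown (constructed) company: blocked.
    unknown = SignatureRecord(True, "CN=Fabricated Software Co\\, Ltd, O=Fabricated Software Co, C=XX")
    print(evaluate_installer("trading-client", installer, unknown, vendor_digest))
```

Note that when the download site itself belongs to the fake vendor, the published hash will match the trojanised file, so the hash check alone proves nothing; the publisher pin is the independent control, and the fail-closed branch for a product with no pinned publisher is what turns an unknown, newly registered signer into a blocked install rather than a silent pass.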

Kaspersky did not disclose which exchange was attacked. Foreign media speculated that it was a South Korean exchange, but Kaspersky responded that it was not in South Korea.

Via: bleepingcomputer