North Korean hacker Group Reportedly Using Telegram To Steal Cryptocurrency

North Korean linked hacker group dubbed Lazarus has reportedly been using instant messaging platform Telegram to steal cryptocurrency from victims. The report comes from security researchers at Kaspersky, who discovered the group’s new advanced attack methodology.

The campaign known as Operation AppleJeus was first discovered in April 2018 by Kaspersky researchers. After the original Operation AppleJeus campaign – born in 2018 and run through 2019 – this one has been termed as “Operation AppleJeus Sequel.”

Researchers note that the group has since improved its attack methodology from the original campaign started in 2018.

Lazarus is now being “more careful” in its attacks and has deployed various measures to avoid detection, said the researchers.

The group is additionally leveraging “improved tactics and procedures” to steal cryptocurrency. Part of the new methodology involves the execution of malware inside memory instead of using hard disk drives. On top of that, they are also using Telegram messenger, a popular app in the cryptocurrency community, as one of the critical ways to steal cryptocurrency.

The group is using fake cryptocurrency trading companies, a previously used technique – with websites and Telegram trading groups – as one of the baits to lure unsuspecting victims.

They have also reportedly found a way to utilize Telegram as their key attack vector.

In one instance, the group deployed malicious payload through Telegram messenger. Its good to note that Telegram itself wasn’t compromised; the user downloaded the malicious payload by themselves.

Once it infects the user, it then opens a backdoor that allows the hackers to obtain remote control to the device, enabling them to carry other attacks. The primary intent behind the attacks by Lazarus is mainly after stealing crypto.

The researchers say they have identified several victims in this operation. Victims involved were determined to be based in the UK, Poland, Russia, and China. Several victims uncovered during the research are linked to cryptocurrency business entities, according to the report.

Notorious North Korean Linked Hacker Group

A report released in 2018 indicated that the state-sponsored Lazarus group was the most profitable cryptocurrency-hacker syndicate in the world.

From January 2018 to September, the group managed to walk away with $571m in cryptocurrency. Their most notable winning was when they stole $534m in cryptocurrency from Japan’s cryptocurrency exchange Coincheck.

Update: 10/01/2020, 10:57 PM – Article updated to indicate that Telegram itself wasn’t compromised. However, the group shared links on Telegram messenger and users then downloaded the payload by themselves – which “is no different than downloading it from a website or receiving it in an email.”

Follow us on Telegram, Twitter, Facebook, or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates.