Lazarus Group Targets Crypto Users with Browser Extension Attacks

Author

Jimmy Aki


The North Korean hacker organization Lazarus Group intensified its cyberattacks on the cryptocurrency market in September 2024, introducing new malware strains that target browser extensions and video conferencing applications, according to a recent report by cybersecurity firm Group-IB.

The report details how the group expanded its focus to include these platforms, using increasingly sophisticated malware variants.

Lazarus Group’s Browser Extension Attacks

In addition to the ‘Contagious Interview’ campaign, which tricked job seekers into downloading malware disguised as job-related tasks, the Lazarus Group has now broadened its attacks to include fake video conferencing apps. The scheme currently uses a fake video conferencing app called “FCCCall,” which mimics legitimate software.

Once installed, the app deploys the BeaverTail malware. This malware is designed to exfiltrate credentials from browsers and data from cryptocurrency wallets via browser extensions.

It then installs a Python-based backdoor, dubbed “InvisibleFerret,” further compromising the victim’s system.

This latest campaign highlights the group’s increasing focus on crypto wallet browser extensions, specifically MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3.

Analysts at Group-IB note that the group is now targeting a broad range of applications, MetaMask and Coinbase among them.

The lure is a software download, presented as a code review or analysis task, that carries the malicious JavaScript.

Group-IB researchers identified a new suite of Python scripts, named “CivetQ,” as part of the group’s evolving toolkit.

These scripts indicate a shift in tactics to target blockchain professionals through job search platforms like WWR, Moonlight, and Upwork.

After making initial contact, the hackers usually switch the conversation to Telegram. They trick victims into downloading a fake video conferencing app or a Node.js project, claiming it’s for a technical job interview.
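A defender-side check for the scenario above: before running an untrusted Node.js project received as an “interview task,” audit it for npm lifecycle hooks (which execute on `npm install`, before anyone reads the source) and for common obfuscation and browser-profile-access indicators. This is an added example, not code from the Group-IB report or from Cryptonews; the indicator list and the sample project are constructed assumptions for illustration, not indicators attributed to BeaverTail or InvisibleFerret.

```python
"""Pre-run audit of an untrusted Node.js project directory.

Added example (not from the article). The heuristics below are assumptions
chosen for illustration; a real review would combine them with sandboxing.
"""
import json
import os
import re
import tempfile

# npm runs these scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators worth a second look in a small "take-home" project.
SUSPICIOUS_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    # Browser profile locations where extension storage and saved logins live.
    "browser_profile_path": re.compile(r"Local Extension Settings|Login Data"),
    # Very long string literals often hide an encoded second-stage payload.
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def audit_package_json(path):
    """Return (file, reason, evidence) tuples for lifecycle hooks in package.json."""
    findings = []
    try:
        with open(path, encoding="utf-8") as f:
            pkg = json.load(f)
    except (OSError, ValueError):
        return findings
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append((path, f"lifecycle hook '{hook}'", cmd))
    return findings


def audit_js_file(path):
    """Return (file, reason, evidence) tuples for each matching indicator."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return findings
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        match = pattern.search(text)
        if match:
            findings.append((path, name, match.group(0)[:60]))
    return findings


def audit_project(root):
    """Walk the project (skipping node_modules) and collect all findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            if filename == "package.json":
                findings.extend(audit_package_json(full))
            elif filename.endswith((".js", ".cjs", ".mjs")):
                findings.extend(audit_js_file(full))
    return findings


def build_sample_project():
    """Constructed sample project: a postinstall hook plus a helper that decodes
    a harmless base64 string ("console.log(1)") and loads child_process."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "interview-task",
                   "scripts": {"postinstall": "node setup.js", "test": "jest"}}, f)
    with open(os.path.join(root, "setup.js"), "w", encoding="utf-8") as f:
        f.write("const cp = require('child_process');\n"
                "const s = Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString();\n"
                "eval(s);\n")
    with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as f:
        f.write("module.exports = (a, b) => a + b;\n")
    return root


def demo():
    """Audit the constructed sample and return its findings."""
    return audit_project(build_sample_project())


if __name__ == "__main__":
    for path, reason, evidence in demo():
        print(f"{os.path.basename(path)}: {reason} -> {evidence!r}")
```

Run it against a real candidate directory with `audit_project("/path/to/project")`; any finding is a reason to read the flagged file and to run the project only in an isolated VM without wallet extensions or saved browser logins.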

Lazarus Group’s Growing Threat to Crypto And Recent Exploitation of Microsoft Windows Vulnerabilities

The Lazarus Group continues to be a concern in the cryptocurrency sector, especially with its recent exploitation of Microsoft Windows vulnerabilities.

The group has also refined its obfuscation, hiding malicious code in newer and more sophisticated ways that make its malware harder to detect.

This escalation mirrors broader trends observed by the Federal Bureau of Investigation (FBI), which recently warned that North Korean hackers are targeting employees in decentralized finance and cryptocurrency sectors with highly specialized social engineering campaigns.

These campaigns are designed to penetrate even the most secure systems, posing an ongoing threat to organizations with substantial crypto assets.

In a related development, Lazarus Group allegedly exploited a zero-day Microsoft Windows vulnerability.

The vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), was identified as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.

Two researchers, Luigino Camastra and Milánek, discovered the security flaw that allowed hackers to access restricted parts of computer systems without being detected.

Microsoft addressed the flaw as part of its monthly Patch Tuesday update in September 2024.