Lazarus taking 'careful steps' to remain undetected during cryptocurrency stealing campaigns, researchers warn
Lazarus is using messaging app Telegram to deliver malicious files to potential targets
North Korea-linked threat group Lazarus has significantly updated its attack tactics in an effort to remain undetected during cryptocurrency stealing campaigns.
That's according to the researchers from cyber security firm Kaspersky, who claim to have found evidence that Lazarus is now using messaging app Telegram to deliver malicious files to potential targets in order to steal cryptocurrency.
Lazarus is taking more careful steps, the researchers claim, such as setting up fake crypto exchanges to lure in victims. Those fake exchanges are usually created using free web templates and have separate websites with links to social media platforms.
In one instance, attackers infected a Windows user with malicious files that were delivered through messaging app Telegram, and not through the fake crypto exchange itself. Telegram is so popular in the cryptocurrency community that it is launching its own cryptocurrency on its own TON blockchain.
The group was also found to have considerably tweaked some of its older malware to target both Windows and macOS systems. It has also developed macOS malware that comes with an authentication mechanism to deliver a secondary payload directly from memory.
After compromising a device, attackers can access it remotely to advance their attacks.
Security researchers have named Lazarus' latest tactics and campaigns "Operation AppleJeus Sequel." The original AppleJeus campaign, uncovered in 2018, was observed running throughout last year.
The researchers say they have identified several victims, mostly cryptocurrency businesses, based in the UK, Russia, Poland, and China.
Earlier this year, the US Department of Homeland Security and the FBI issued a warning over renewed hacking activity from the Lazarus group.
They claimed that they had identified new malware, named HOPLIGHT, which they suspected was the work of the Lazarus hacking group.
According to cyber security firm Group-IB, Lazarus stole more than $600 million worth of cryptocurrency in 2017 and 2018. Because its attacks are highly targeted and successful, researchers believe Lazarus would continue to advance its cryptocurrency stealing campaigns in coming years.
"This kind of attack on cryptocurrency businesses will continue and become more sophisticated," the researchers said in their report.