Researchers find North Korean attackers distributing malware disguised as a cryptocurrency trading bot
The North Korean Lazarus group is distributing AppleJeus malware disguised as a cryptocurrency trading bot, according to a blog post by IT analysts at Volexity.
The new campaign is believed to have begun as early as summer 2022 and to have continued until at least October. The researchers identified cloned trading-bot websites that spread malware designed to steal cryptocurrency.
Figure (image not included): on the left is the genuine version of the site, on the right the malicious clone. Source: volexity.com
At least one website, bloxholder[.]com, is known to spread the malware under the guise of a trading bot resembling the HaasOnline service. The malicious site distributes a 12.7 MB Windows MSI installer disguised as the BloxHolder trading bot. In reality, the program is AppleJeus malware associated with the QTBitcoinTrader trading client.
In October 2022, the North Korean attackers went a step further and began spreading the malware via an Excel document. A 214 KB spreadsheet named “OKX Binance & Huobi VIP fee comparision.xls” reportedly contains a macro that writes files to the victim’s computer. Once the files are in place, the malware creates a scheduled task and places additional files in the “%APPDATA%\Roaming\Bloxholder\” folder.
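A defender reading the paragraph above will want a quick way to check a Windows host for the artefacts it names. The following PowerShell hunting script is an added example, not code from the article or from Volexity's report. It assumes that the article's “%APPDATA%\Roaming\Bloxholder\” refers to the Bloxholder folder under the user's roaming AppData profile (since %APPDATA% already resolves to ...\AppData\Roaming), so both spellings are checked; the scheduled task name is not given on the page, so every task's actions are inspected for a reference to the folder. The `ScheduledTasks` module (Windows 8 / Server 2012 and later) is assumed to be available.

```powershell
# Added hunting check for the BloxHolder artefacts described in the article.
# Assumptions (not from the page): folder spelling as explained in the lead-in,
# unknown task name, ScheduledTasks module present. Run in the affected user's session.

$candidateDirs = @(
    (Join-Path $env:APPDATA 'Bloxholder'),           # <profile>\AppData\Roaming\Bloxholder
    (Join-Path $env:APPDATA 'Roaming\Bloxholder')    # literal reading of the article's path
)

# The lure document name quoted in the article (the misspelling is part of the name).
$lureName = 'OKX Binance & Huobi VIP fee comparision.xls'
$lureDirs = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop'),
    $env:TEMP
)

$findings = @()

# 1. Drop folder under the roaming profile.
foreach ($dir in $candidateDirs) {
    if (Test-Path -LiteralPath $dir) {
        $contents = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name
        $findings += [pscustomobject]@{
            Type    = 'Folder'
            Detail  = $dir
            Context = ($contents -join ', ')
        }
    }
}

# 2. Scheduled task whose action (program or arguments) references the folder name.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -match 'Bloxholder') {
            $findings += [pscustomobject]@{
                Type    = 'ScheduledTask'
                Detail  = "$($task.TaskPath)$($task.TaskName)"
                Context = $cmd
            }
        }
    }
}

# 3. The lure spreadsheet in the usual download locations.
foreach ($dir in $lureDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter $lureName -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Type    = 'LureDocument'
                    Detail  = $_.FullName
                    Context = "Size=$($_.Length) bytes; Modified=$($_.LastWriteTime)"
                }
            }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bloxholder folder, scheduled-task reference or lure document found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean result only means these particular artefacts are absent; the article notes that AppleJeus is actively updated, so folder names and task definitions may differ in later variants. Treat any hit as a trigger for fuller triage (task XML, the dropped files' hashes, outbound connections) rather than as a complete finding.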
The amount of cryptocurrency stolen remains unclear, but AppleJeus is known to be under active development. For example, in the latest version of the malware, API connections are now encrypted using a special algorithm, making them harder for antivirus products to track.
In early November, media outlets reported that North Korean hackers had launched a new attack campaign against cryptocurrency companies in Israel. According to The Jerusalem Post, the hackers targeted an Israeli cryptocurrency company using “unexplored tools.” It remains unclear which company was meant and whether the attack is related to the BloxHolder campaign.