Displaying items by tag: cryptocurrency

In 2018 Kaspersky’s Global Research and Analysis Team (GReAT) published findings on AppleJeus – an operation aimed at stealing cryptocurrency carried out by prolific threat actor the Lazarus group.

The new findings show that the operation has continued with more careful steps from the infamous threat actor, improved tactics and procedures and the use of Telegram as one of its new attack vectors.

Victims in the UK, Poland, Russia and China, including several connected to cryptocurrency business entities, were affected during the operation.

The Lazarus group is one of the most active and prolific advanced persistent threat (APT) actors, which carried out a number of campaigns targeting cryptocurrency-related organizations. During its initial 2018 AppleJeus operation, the threat actor created a fake cryptocurrency company in order to deliver their manipulated application and exploit a high level of trust among potential victims.

This operation was marked by Lazarus building, its first macOS malware. The application was downloaded by users from third-party websites and the malicious payload was delivered via what was disguised as a regular application update. The payload enabled the attacker to gain full control of the users’ device and steal cryptocurrency.

Kaspersky researchers identified significant changes to the group’s attack tactics in the ‘sequel’ operation. The attack vector in the 2019 attack mimicked the one from the previous year, but with some improvements. This time, Lazarus has created fake cryptocurrency-related websites, which hosted links to fake organization Telegram channels and delivered malware via the messenger.

Just as in the initial AppleJeus operation, the attack consisted of two phases. Users would first download an application, and the associated downloader would fetch the next payload from a remote server, finally enabling the attacker to fully control the infected device with a permanent backdoor. However, this time the payload was delivered carefully in order to evade detection by behavior-based detection solutions.

In attacks against macOS-based targets an authentication mechanism was added to the macOS downloader and the development framework was changed, in addition, a file-less infection technique was adopted this time. When targeting Windows users, the attackers avoided the use of Fallchill malware (which was employed in the first AppleJeus operation) and created a malware that only ran on specific systems after checking them against a set of given values. These changes demonstrate that the threat actor has become more careful in their attacks, employing new methods to avoid being detected.

Lazarus has also made significant modifications in the macOS malware and expanded the number of versions. Unlike in the previous attack, during which Lazarus used open source QtBitcoinTrader to build a crafted macOS installer, during the AppleJeus Sequel the threat actor started to use their homemade code to build a malicious installer. These developments signify that the threat actor will continue to create modifications of the macOS malware and our most recent detection was an intermediate result of these changes.

“The sequel AppleJeus operation demonstrates that despite significant stagnation in the cryptocurrency markets, Lazarus continues to invest in cryptocurrency-related attacks, making them more sophisticated. Further changes and diversification of their malware demonstrates that there is no reason to believe that these attacks will not grow in numbers and become a more serious threat,” commented Seongsu Park, Kaspersky security researcher.

The Lazarus group, known for its sophisticated operations and links to North Korea, is noted not only for its cyber-espionage and cybersabotage attacks, but also for financially-motivated attacks. A number of researchers, including those at Kaspersky, have previously reported on this group targeting banks and other large financial enterprises.

To protect from this and similar attacks, Kaspersky recommends crypto businesses to introduce basic security awareness training for all employees so that they can better distinguish phishing attempts, conduct an application security assessment to help them showcase their reliability to potential investors and to monitor for emerging vulnerabilities in smart contract execution environments.

As for consumers who are already exploring or plan to explore cyrptocurrencies, Kaspersky recommends they only use reliable and proven cryptocurrency platforms, do not click on links that lure them to an online bank or web wallet and to use a reliable security solution for comprehensive protection form a wide range of threats such as Kaspersky Security Cloud.

Social networking behemoth Facebook has formally announced that it would like to launch its own cryptocurrency next year according to reports by the BBC.

The Central Bank of the United Arab Emirates released a new regulation on January 1, 2017, which appeared to outlaw virtual currencies, which people assumed would include Bitcoin. However, the organization has since clarified its regulation saying the regulations “do not apply to bitcoin or other crypto – currencies, currency exchanges, or underlying technology such as Blockchain.”

The Central Bank issued the regulatory framework for stored values and electronic systems on New Year’s Day – a move that took experts and analysts by surprise – which stated on page 42, D.7.3., that “all virtual currencies (and transactions thereof) are prohibited.”

This led some to believe that the Central Bank was moving to block use of Bitcoin and other crypto-currencies. However, to clarify the regulation, Mubarak Rashid Khamis Al Masouri, Governor of the Central Bank, said in a statement: “These regulations do not cover ‘virtual currency’, which is defined as any type of digital unit used as a medium of exchange, a unit of account, or a form of stored value.”

Al Mansouri continued: “In this context, these regulations do not apply to bitcoin or other crypto-currencies, currency exchanges, or underlying technology such as Blockchain.” The statement further detailed how the area of virtual currencies was “currently under review by the Central Bank and new regulations will be issued as appropriate.”

The regulation, in its original interpretation, had confused some lawyers, business owners, and financial technology (fintech) experts, who couldn’t understand why the Central Bank was opposing technology innovation after so many years of supporting it. The UAE, after all, has a strong record of innovation for the financial technology sector.

What’s also surprising about the regulation is that the Dubai government announced in October 2016 that it will become paperless by shifting all transactions to blockchain – an online encrypted database — by 2020. Shaikh Hamdan Bin Mohammad Bin Rashid Al Maktoum, Dubai Crown Prince, launched the Dubai Blockchain strategy in a bid to implement more efficiency in government departments.

However, some welcomed the regulation, such as Ola Doudin, the CEO and co-founder of BitOasis, the first digital currency exchange in the UAE. “We're very glad to hear the Governor’s statement on virtual currencies, bitcoin and blockchain in light of the recent PSP regulations, and we're optimistic about the direction the Central Bank is taking to support innovation in fintech,” said Doudin in a statement.

Others have expressed concern that until the regulations are amended, the Central Bank releasing a clarification does not hold the same legal value. Paul Allen, head of intellectual property and technology at DLA Piper, Middle East said, “At least for now, this means that those who were concerned by the apparent ban on virtual currencies like bitcoin (and the potential impact of this on fintech and blockchain initiatives) can breathe a collective sigh of relief.”