{"id":14068,"date":"2018-08-27T11:34:24","date_gmt":"2018-08-27T15:34:24","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/lazarus-crypto-exchange-attack\/14068\/"},"modified":"2020-04-02T16:07:38","modified_gmt":"2020-04-02T10:37:38","slug":"lazarus-crypto-exchange-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/lazarus-crypto-exchange-attack\/14068\/","title":{"rendered":"A cryptocurrency exchange hack with a North Korean accent"},"content":{"rendered":"

The attack methods serious cybercriminals use are often so sophisticated that even cybersecurity pros have a real hard time uncovering them. A while ago, our experts detected<\/a> a new campaign by a North Korean group called Lazarus<\/a>, notorious for its attacks on Sony Pictures<\/a> and a number of financial institutions \u2014 for example, a $81 million theft from the Central Bank of the People\u2019s Republic of Bangladesh<\/a>.<\/p>\n

In this particular case, the intruders decided to line their pockets with some cryptocurrency<\/a>. To get to their victims\u2019 wallets, they dropped a piece of malware into the corporate networks of a number of crypto-exchanges. The criminals relied on the human factor, and it paid off.<\/p>\n

Trading application with a malicious update<\/h2>\n

Network penetration began with an e-mail message. At least one of the crypto-exchange employees got an e-mail offer to install a trading app called Celas Trade Pro by Celas Limited. A program like that might potentially be of use to the company, considering its corporate profile.<\/p>\n

The letter included a link to the developer\u2019s official website, which looked fine \u2014 it even had a valid SSL certificate<\/a> issued by Comodo CA, a leading certification center.\"\"<\/a><\/p>\n

Celas Trade Pro was available for download in two versions: for Windows and Mac, with version for Linux coming soon.\"\"<\/a><\/p>\n

The trading app also had a valid digital certificate<\/a> \u2014 yet another legitimate product attribute \u2014 and its code contained no harmful components.<\/p>\n

As soon as it was successfully installed on the employee\u2019s computer, Celas Trade Pro initiated an update. For that it contacted the vendor\u2019s own server \u2014 nothing suspicious there, either. Yet instead of an update, the device downloaded a backdoor Trojan<\/a>.\"\"<\/a><\/p>\n

Fallchill: Very dangerous malware<\/h3>\n

A backdoor is a virtual \u201cservice entrance\u201d criminals can use to penetrate a system. Most of the previous attacks on exchanges were accomplished using Fallchill. Along with some other signs, Fallchill was the key piece of evidence pointing at the attackers; the Lazarus group had used this backdoor more than once before. It allows almost unlimited control of the infected device. These are just a few of its features:<\/p>\n