Lazarus Group Strikes with Telegram Phishing Attacks

Notorious North Korea-backed hackers have recently shifted their focus to successful financial companies within the cryptocurrency industry.

The Lazarus Group also exploits Calendly's "Add Custom Link" feature to distribute malicious links for phishing attacks.

Prominent blockchain security team SlowMist reports an escalation of new phishing tactics adopted by the Lazarus Group.

"Since 2022, our team at SlowMist, utilizing the SlowMist BTI intelligence network, has discovered that the North Korean hacker group Lazarus initiated a widespread phishing operation on Telegram, specifically targeting the cryptocurrency industry," SlowMist states in its attack analysis, claiming that recently, the malicious actors have focused on well-established cryptocurrency project teams, deceiving them by "posing as reputable investment institutions."


Lazarus carefully selects its targets and creates fake accounts on the Telegram messaging platform, impersonating the identities of reputable investment institutions. By employing various strategies, the hackers manage to build trust with their victims and convince them to visit fake domains, where they are supposed to download malicious scripts under the guise of setting up meetings.

Calendly containing a malicious link
Source: SlowMist, Medium

In reality, the "location-modifying" scripts, which the hackers represent as tools necessary for arranging online meetings, ultimately give the criminals control over the victim's computer, facilitating fund theft.

Another common tactic in this phishing scam is the abuse of the popular meeting-scheduling app Calendly. Its "Add Custom Link" feature is meant to let users customize the content of their event pages, but the hackers use it to insert malicious links into those pages. This lets them spread malware and launch phishing attacks from a page that appears to belong to a legitimate scheduling service.

In its report, SlowMist mentions several examples of initial messages sent by the Lazarus Group to their potential victims.

In one of them, the attackers call themselves "one of the VCs investing in several fields of the blockchain industry," citing Web3, DeFi, GameFi, and digital assets as their "primary interests." In addition to their claims to "have a strong track record of identifying and supporting crypto and crypto-supporting projects," Lazarus also encourages cooperation by claiming that their team is "in the final process of closing the second stage of fundraising and going to start investment from early next month."

SlowMist also shared screenshots from an ongoing attack with the crypto community, where the hacker suggested a malicious link supposedly capable of resolving the "Access Restricted" issue. When the potential victim refused to download "a random script," the criminal admitted that it is understandable not to check the script if the person does not trust it, "but others also use this script and it works well."


SlowMist suggests exercising extra vigilance when verifying new contacts and enabling two-factor authentication (2FA) on the Telegram messaging platform. Any request to download a file or make a cryptocurrency transaction should be independently verified before acting on it.

"In the event of a malware infection, it is essential to immediately disconnect from the internet and conduct a virus scan," the team writes, stressing the urgency of post-infection actions, which also include promptly changing "passwords to all relevant accounts on the compromised computer, including those saved in web browsers." For users with digital wallets on the infected computer, SlowMist underscores the importance of transferring funds to a safe location without delay.