Crypto Under Attack: BlueNoroff’s “Hidden Risk” Campaign Exposed
North Korean hackers have launched a new campaign called “Hidden Risk,” targeting cryptocurrency companies through malware disguised as ordinary documents. According to SentinelLabs, the attack is orchestrated by BlueNoroff, a subgroup of the notorious Lazarus Group.
The hackers’ objective is to extract financial gain from the rapidly expanding crypto industry, now valued at $2.6 trillion. Exploiting vulnerabilities and the lack of regulation in this sector, the hackers have shifted their focus. Recently, the FBI warned that North Korean cybercriminals have been increasingly targeting employees of companies involved in decentralized finance (DeFi) and exchange-traded funds (ETF), employing social engineering tactics.
This new attack furthers these efforts, with the perpetrators now concentrating on breaching crypto exchanges and financial platforms. Instead of cultivating long-term relationships with victims via social media, the hackers have turned to phishing emails. These messages, appearing as Bitcoin price updates or DeFi news, coax users into downloading fake PDF documents.
The attack begins when the victim opens what looks like a PDF document but is actually a malicious application disguised as one. The application was originally signed with a legitimate Apple developer account, which allowed it to pass macOS security checks; Apple has since revoked that certificate. Once run, the malware downloads a decoy PDF to the computer to distract the user, then fetches additional malicious code.
The core of the malware, known as “growth,” is designed to gather information about the infected device and transmit it to the attackers’ server. It then receives commands, granting hackers full access to the system. Persistence on the device is achieved through a hidden macOS configuration, ensuring the malware launches each time the system starts.
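The infection chain above starts with an app bundle posing as a PDF. The following script is an added defender-side example, not code from SentinelLabs or the article: it walks a directory for `.app` bundles whose visible names carry a document extension (a hypothetical heuristic; `DOC_EXTS` and the function names are assumptions) and, where `codesign` is available, records whether the bundle still carries a valid signature. As the article notes, a valid signature alone does not clear a bundle.

```python
# Hunt for macOS .app bundles that masquerade as documents, e.g. "Q3 Report.pdf.app".
# Added example (not from the article or SentinelLabs); names and extension list are assumptions.
import os
import plistlib
import shutil
import subprocess

# Document extensions a lure is likely to imitate (constructed list, extend as needed).
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def bundle_info(app_path):
    """Parse Contents/Info.plist of a bundle; return {} when missing or malformed."""
    plist = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(plist, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return {}


def masquerades_as_document(app_path):
    """True when the folder name or declared bundle names end in a document extension."""
    info = bundle_info(app_path)
    stem = os.path.basename(app_path)[:-len(".app")]
    names = [stem, info.get("CFBundleName", ""), info.get("CFBundleDisplayName", "")]
    return any(n.lower().endswith(DOC_EXTS) for n in names if n)


def signature_status(app_path):
    """Ask codesign whether the bundle verifies; 'unavailable' when not on macOS.
    A 'signed' result is context only: the campaign's lure was validly signed until
    Apple revoked the certificate, after which verification fails."""
    if shutil.which("codesign") is None:
        return "unavailable"
    r = subprocess.run(["codesign", "--verify", app_path], capture_output=True, text=True)
    return "signed" if r.returncode == 0 else "unsigned-or-invalid"


def find_suspicious_bundles(root):
    """Return [(bundle_path, signature_status)] for document-like .app bundles under root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                dirnames.remove(d)  # do not descend into the bundle itself
                app = os.path.join(dirpath, d)
                if masquerades_as_document(app):
                    hits.append((app, signature_status(app)))
    return sorted(hits)


if __name__ == "__main__":
    for path, status in find_suspicious_bundles(os.path.expanduser("~/Downloads")):
        print(f"{status:20} {path}")
```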
The hackers employ various domains resembling legitimate cryptocurrency and investment sites, deceiving users with credible appearances. These domains are used to distribute phishing emails and disguise the malware as legitimate documents. In the “Hidden Risk” campaign, domains such as kalpadvisory[.]com and delphidigital[.]org, previously associated with the crypto industry, were also employed.
SentinelLabs’ research reveals that the hackers create complex networks of domains and servers to conceal their activities. Cybercriminals even use automated services for email distribution and security filter evasion to prevent their messages from being flagged as spam.
Experts strongly advise strengthening computer security measures, especially for macOS users, as even applications with legitimate signatures can carry malicious code.