The team at 360 Advanced Threat Research Institute has uncovered a new campaign orchestrated by the Lazarus Group, in which malware is disguised as the installer for a popular cryptocurrency auto-trading tool, Uniswap Sniper Bot. While the program appears to be a legitimate application, during the installation process, it activates covert malicious functions designed to steal user data.
Lazarus (APT-C-26) continues its global offensive, targeting companies and individuals alike. Their primary objectives include financial institutions, cryptocurrency exchanges, government agencies, and the aerospace and defense sectors. The group’s overarching goals are the theft of funds and confidential information. Lazarus employs sophisticated techniques such as phishing, ransomware, and stealthy viruses capable of operating on Windows, macOS, and Linux platforms.
In this campaign, the attackers modified the code of Uniswap Sniper Bot and packaged it using Electron, enabling the malware to function seamlessly across multiple platforms. Upon installation, the application simulates a normal setup process while clandestinely executing malicious code in the background. This code downloads additional modules designed to steal data from web browsers and cryptocurrency wallets.
One such malicious file, named uniswap-sniper-bot-with-guiSetup1.0.0.exe, is 70.68 MB in size. Its advanced obfuscation techniques allow it to evade antivirus detection. The core malicious payload embedded within the installer activates during installation, with the harmful components gradually deployed through multiple stages of execution.
The malware extracts data from browsers such as Chrome, Brave, and Opera, transmitting the stolen information to the attackers’ servers. Additional scripts are also downloaded to execute commands issued by the threat actors.
The attack employed three primary malicious modules:
- n2pay: Used for system monitoring, file theft, and command execution.
- n2bow: Designed to extract data from web browsers.
- n2mlip: Functions as a keylogger, clipboard monitor, and window activity tracker.
All modules were downloaded from Lazarus-controlled servers, facilitating data theft and providing remote control over victims’ systems.
Lazarus frequently employs similar tactics, including poisoning Python and Node.js libraries and infecting installers for popular software. In this campaign, the attackers' servers used ports 1224 and 1244, a trait characteristic of Lazarus operations. Together with the other indicators, this firmly attributes the attack to this infamous group.
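The network indicators named above (server ports 1224 and 1244) and the installer filename are the kind of data a defender can hunt for in endpoint and connection logs. The following is an added example, not part of the original report or of any 360 tooling: it scans constructed, tab-separated log lines for outbound connections to those ports and raises the priority of hits that occur on a host shortly after the named installer was executed. The log format, the host names, the timestamps and the destination IPs are all constructed placeholders, not real indicators from the campaign.

```python
"""
Hunt for the indicators described in the report: outbound connections to
TCP ports 1224 and 1244, correlated with execution of an installer named
uniswap-sniper-bot-with-guiSetup1.0.0.exe on the same host.

The tab-separated log format and every sample line below are constructed
for this example. Destination addresses are documentation-range
placeholders, not real command-and-control servers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the report associates with Lazarus-controlled servers.
SUSPECT_PORTS = {1224, 1244}
# Installer file name from the report (compared case-insensitively).
SUSPECT_FILENAME = "uniswap-sniper-bot-with-guisetup1.0.0.exe"
# A port hit is "correlated" if it happens within this window after the
# installer ran on the same host.
CORRELATION_WINDOW = timedelta(hours=2)

# Constructed sample log: timestamp, host, event type, detail.
# Two hosts: WS-017 ran the installer and then reached both ports;
# WS-042 reached port 1224 without any installer execution.
SAMPLE_LOGS = """\
2024-11-01T09:00:05Z\tWS-017\tprocess\tC:\\Users\\alice\\Downloads\\uniswap-sniper-bot-with-guiSetup1.0.0.exe
2024-11-01T09:00:41Z\tWS-017\tconn\t203.0.113.10:443
2024-11-01T09:01:12Z\tWS-017\tconn\t198.51.100.23:1224
2024-11-01T09:02:30Z\tWS-017\tconn\t198.51.100.23:1244
2024-11-01T09:10:00Z\tWS-042\tconn\t203.0.113.55:1224
2024-11-01T10:15:00Z\tWS-042\tprocess\tC:\\Program Files\\Git\\git.exe
"""


def parse_line(line):
    """Split one constructed log line into (datetime, host, event, detail)."""
    ts, host, event, detail = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, detail


def find_indicators(log_text):
    """
    Return (port_hits, correlated_hits).

    port_hits:       every connection to a suspect port, as
                     (timestamp, host, destination_ip, port) tuples.
    correlated_hits: the subset of port_hits whose host executed the
                     suspect installer within CORRELATION_WINDOW beforehand.
    """
    installer_runs = defaultdict(list)  # host -> [execution timestamps]
    port_hits = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = parse_line(line)
        if event == "process":
            # Match on the trailing file name so any download path matches.
            if detail.lower().endswith(SUSPECT_FILENAME):
                installer_runs[host].append(ts)
        elif event == "conn":
            dst, _, port = detail.rpartition(":")
            if int(port) in SUSPECT_PORTS:
                port_hits.append((ts, host, dst, int(port)))

    correlated_hits = [
        hit for hit in port_hits
        if any(timedelta(0) <= hit[0] - run <= CORRELATION_WINDOW
               for run in installer_runs[hit[1]])
    ]
    return port_hits, correlated_hits


if __name__ == "__main__":
    hits, correlated = find_indicators(SAMPLE_LOGS)
    for hit in hits:
        tag = "HIGH (installer seen)" if hit in correlated else "review"
        print(f"{hit[0].isoformat()} {hit[1]} -> {hit[2]}:{hit[3]}  [{tag}]")
```

Port-only matches are worth reviewing but are weak on their own, since unrelated services may use those ports; the correlation with the installer's execution on the same host is what turns a low-confidence hit into a high-priority alert. The same structure extends naturally to other endpoint events, such as the later download of the n2pay, n2bow and n2mlip modules.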
In September, Palo Alto Networks detailed the activities of hacking groups linked to North Korean intelligence. Collectively referred to as Lazarus in public reports, these groups operate under the directives of the North Korean government, engaging in cyber-espionage, financial crimes, and disruptive attacks across various global industries.