Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

2024-10-23, Kaspersky
https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
#CVE-2024-4947 #DeFiTankLand #Lazarus #Manuscrypt #BlueNoroff

Introduction
Lazarus APT and its BlueNoroff subgroup are a highly sophisticated and multifaceted Korean-speaking threat actor. We closely monitor their activities and quite often see them using their signature malware in their attacks — a full-feature backdoor called Manuscrypt. According to our research, Lazarus has been employing this malware since at least 2013 and we’ve documented its usage in 50+ unique campaigns targeting governments, diplomatic entities, financial institutions, military and defense contractors, cryptocurrency platforms, IT and telecommunication operators, gaming companies, media outlets, casinos, universities, and even security researchers — the list goes on.
On May 13, 2024, our consumer-grade product Kaspersky Total Security detected a new Manuscrypt infection on the personal computer of a person living in Russia. Since Lazarus rarely attacks individuals, this piqued our interest and we decided to take a closer look. We discovered that prior to the detection of Manuscrypt, our technologies also detected exploitation of the Google …

IoC
