
Source: 360 Threat Intelligence Center
The APT-C-26 group, commonly known as Lazarus, has intensified its campaigns, focusing on cryptocurrency professionals worldwide. A recent investigation by the 360 Threat Intelligence Center revealed that Lazarus has weaponized a legitimate open-source project, Uniswap Sniper Bot, by embedding malicious payloads in its installation package.
The tampered executable, named uniswap-sniper-bot-with-guiSetup1.0.0.exe, is an Electron-packed file masquerading as an automated trading tool for decentralized exchanges (DEXs). Upon installation, it executes malicious functions in the background while appearing to install the legitimate tool. This dual-purpose functionality enables Lazarus to discreetly steal sensitive information.
Key details of the attack include:
- Payload delivery: The malware targets cryptocurrency wallets held in browsers such as Chrome, Brave, and Opera, extracting wallet data and transmitting it to Lazarus-controlled servers.
- Advanced obfuscation: The embedded malicious scripts exhibit significant code obfuscation, underscoring Lazarus’ commitment to evading detection.
- C&C communication: The malware connects to command-and-control servers on standard Lazarus ports (1224 and 1244) for payload delivery and data exfiltration.
Lazarus’ adoption of Electron as a delivery mechanism showcases their growing sophistication in creating cross-platform malware. By targeting open-source projects like Uniswap Sniper Bot, they exploit community trust, thereby broadening their victim pool. The group has previously employed similar tactics with Python and Node.js repositories, demonstrating a versatile and evolving arsenal.
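The behaviours listed above (a trojanized installer, a non-browser process reading browser profile data, and outbound connections on ports 1224 and 1244) can be turned into simple endpoint detection logic. The script below is an added illustration, not code from 360 Threat Intelligence Center or from the Uniswap Sniper Bot project. It runs over constructed telemetry records; the installer filename and the two ports come from the report, while the child process name, the browser profile path layout, the sample IP addresses and the telemetry schema are assumptions.

```python
"""Detection sketch for the trojanized Uniswap Sniper Bot behaviours (constructed telemetry)."""
from dataclasses import dataclass

# Ports the report associates with Lazarus C&C traffic.
LAZARUS_C2_PORTS = {1224, 1244}

# Installer name taken from the report (compared case-insensitively).
SUSPECT_IMAGE_NAMES = {"uniswap-sniper-bot-with-guisetup1.0.0.exe"}

# Profile directory fragments for the Chromium-based browsers the report names.
# The layout under the user's AppData folder is the standard one and is assumed here.
BROWSER_PROFILE_MARKERS = {
    "chrome": "\\google\\chrome\\user data\\",
    "brave": "\\bravesoftware\\brave-browser\\user data\\",
    "opera": "\\opera software\\opera stable\\",
}
# Only the browser itself should normally touch its own profile directory.
LEGITIMATE_BROWSER_IMAGES = {"chrome.exe", "brave.exe", "opera.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


def _image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Walk telemetry records in order and return the alerts they raise.

    Each record is a dict with an 'event' key of process_create, network_connect
    or file_read, plus 'pid' and 'image'; process_create also carries 'ppid',
    network_connect carries 'dst_ip'/'dst_port', file_read carries 'path'.
    """
    alerts = []
    suspect_pids = set()  # the installer and everything it spawns
    for ev in events:
        kind, pid, image = ev["event"], ev["pid"], _image_name(ev["image"])
        if kind == "process_create":
            # Suspicion propagates down the process tree from the installer.
            if image in SUSPECT_IMAGE_NAMES or ev.get("ppid") in suspect_pids:
                suspect_pids.add(pid)
                alerts.append(Alert("suspect_process_tree", pid, image, f"parent={ev.get('ppid')}"))
        elif kind == "network_connect":
            if ev["dst_port"] in LAZARUS_C2_PORTS:
                alerts.append(Alert("c2_port", pid, image, f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif kind == "file_read":
            path = ev["path"].replace("/", "\\").lower()
            for browser, marker in BROWSER_PROFILE_MARKERS.items():
                if marker in path and image not in LEGITIMATE_BROWSER_IMAGES:
                    alerts.append(Alert("browser_profile_read", pid, image, f"{browser}: {ev['path']}"))
                    break
    return alerts


# Constructed sample telemetry: one infected session plus benign browser activity.
# The child executable name and all IP addresses are made up (TEST-NET ranges).
INSTALLER = r"C:\Users\alice\Downloads\uniswap-sniper-bot-with-guiSetup1.0.0.exe"
CHILD = r"C:\Users\alice\AppData\Local\Temp\uniswap-sniper-bot.exe"  # assumed name
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_TELEMETRY = [
    {"event": "process_create", "pid": 4100, "ppid": 900, "image": INSTALLER},
    {"event": "process_create", "pid": 4120, "ppid": 4100, "image": CHILD},
    {"event": "file_read", "pid": 4120, "image": CHILD,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\x\000003.log"},
    {"event": "network_connect", "pid": 4120, "image": CHILD, "dst_ip": "203.0.113.10", "dst_port": 1224},
    {"event": "file_read", "pid": 5000, "image": CHROME,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Preferences"},
    {"event": "network_connect", "pid": 5000, "image": CHROME, "dst_ip": "198.51.100.5", "dst_port": 443},
]


def alert_rules(events):
    """Convenience wrapper returning just the rule names fired, in order."""
    return [a.rule for a in detect(events)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(f"[{alert.rule}] pid={alert.pid} image={alert.image} {alert.detail}")
```

Each rule on its own is noisy (port 1224 is not reserved for Lazarus, and backup agents legitimately read browser profiles), so in practice the three signals are worth correlating per process tree rather than alerting on individually; the constructed session above fires all three on the same lineage while the benign Chrome activity fires none.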