North Korean cyberattacks on Brazilian fintech firms exposed

Google Cloud’s threat intelligence department has discovered that North Korean government-backed cyber attackers are actively targeting Brazil’s cryptocurrency exchanges and fintech companies.

The June 13 Google threat intelligence report highlighted coordinated attempts to hijack, extort and defraud Brazilian individuals and organizations.

Source: Mandiant (part of Google Cloud)

While North Korean groups focus primarily on cryptocurrency firms, aerospace and defense and government entities, cyber criminals backed by the Chinese government prefer attacking only the government organizations and the energy sector in Brazil.

The plot behind cyberattacks in Brazil

The notorious North Korean cybercriminal group, Pukchong (also known as UNC4899), has targeted Brazilian citizens and organizations through the job market. They tricked unsuspecting job seekers into downloading malware onto their systems. According to the report:

“The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.”

Similar malware attacks perpetrated by GoPix and URSA were also found actively targeting Brazilian crypto firms.

Government-backed phishing attacks targeting Brazil. Source: Google Cloud

Check out Cointelegraph’s guide to learn more about crypto malware and how to detect it .

Related: SEC fines NYSE parent company $10M for failing to report cyberattack

Attacks beyond borders

Recently, crypto wallet provider Trust Wallet asked Apple users to disable iMessage , citing “credible intel” of a zero-day exploit that could allow hackers to take control of users’ phones.

Source: Trust Wallet

A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware.

Cybersecurity firm Kaspersky recently uncovered that North Korean hacking group Kimsuky reportedly utilized a “striking” new malware variant dubbed “Durian” to launch attacks on South Korean crypto firms.

Source: Kaspersky

“Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files,” wrote Kaspersky.

Additionally, Kaspersky noted that LazyLoad was also used by Andariel, a sub-group within fellow North Korean hacking consortium Lazarus Group — suggesting a “tenuous” connection between Kimsuky and the more notorious hacking group.

Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis