North Korean hackers disguise as crypto exchange, researchers discovered

By Kuksung Nam, The Readable
Aug. 1, 2023 6:42PM GMT+9 Updated Aug. 2, 2023 8:05PM GMT+9

North Korean hackers are allegedly abusing users’ interest in cryptocurrency to spread malicious codes, according to cybersecurity researchers on Monday.

In a report, South Korean cybersecurity firm AhnLab stated that they discovered three malicious files disguised as benign Word documents on July 28. According to the researchers, the attackers posed as a cryptocurrency exchange and lured the targets into clicking on the compromised documents by giving the files names related to intriguing topics, such as common traits shared between cryptocurrency wallet hackings. AhnLab did not disclose the name of the cryptocurrency exchange.

The experts attributed the hacking attempt to one of the most prolific groups targeting the country, Kimsuky. “The hacking group is well known for applying specific strings of characters in the malicious code to confirm their targets when they are deploying an attack. One of the words they use is ‘Chnome,’ which is a typo of Chrome,” said the AhnLab Security Emergency response Center (ASEC) analysis team in an email statement to The Readable. “Based on this trait, we assume that this malicious code was written by Kimsuky.”

Kimsuky is widely believed to be working for the North Korean government.

The cybersecurity firm also spotted a malicious file disguised as a normal PDF document containing asset management information on July 17. They attributed this attack to the North Korean hacking group. The experts warned users about these attacks as it could lead to multiple malicious activities, such as downloading additional malware or extorting users’ personal information.

According to AhnLab, cybercriminals have been actively using cryptocurrency as a means to deploy malicious code to their targets. In May of last year, the researchers discovered a compressed file including a malicious document titled “recover lost cryptocurrency.” “It is easier for digital asset owners to be tricked into these attacking methods,” said the ASEC analysis team to The Readable. “It is important not to activate a URL or attached filed from an uncertain source and double check who the sender is when receiving an email.”

The cover image of this article was designed by Areum Hwang.

Notification on article updates: The South Korean cybersecurity firm AhnLab analyzes the hacking methods of Kimsuky. However, the company does not investigate which country is behind the group’s activities.

Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.