Command 360 Advanced Threat Research Institute discovered a malicious Uniswap sniper bot (an automated cryptocurrency trading tool) disguised as a legitimate application. Upon installation, the bot triggers hidden malicious functions that steal user data. The institute warns users to be cautious when downloading and installing applications from unknown sources.
The notorious Lazarus group, also known as APT-C-26, continues to target companies and users worldwide. Its main targets include financial institutions, cryptocurrency exchanges, state agencies, and the aerospace and defense industries. The hackers aim to steal money and confidential information using techniques such as phishing and malware that target the Windows, macOS, and Linux operating systems.
In a recent campaign, the Lazarus group tampered with the Uniswap Sniper Bot code and packaged it using Electron, so the malicious application could be launched on several platforms. While the application appears normal during installation, it secretly runs malicious code in the background. This code loads additional modules that steal browser and cryptocurrency data.
One of the malicious files identified is the Uniswap-Sniper-Bot-With-Huisetup1.0.0.exe, a 70.68 MB file that evades antivirus checks through a sophisticated deception technique. The primary malicious code embedded in the installer activates during installation, gradually infecting the system with further malicious payloads.
The malicious code is designed to extract data from Chrome, Brave, and Opera browsers, sending it to the attackers’ server. It also loads additional scripts to facilitate data theft and system control. Three main malicious modules used in the attack include n2pay for system monitoring and file theft, n2bow for extracting browser data, and N2MLIP for keylogging and monitoring window activity.
All modules were downloaded from Lazarus servers, enabling the group to steal data and manipulate victims’ systems. Lazarus frequently employs similar techniques involving Python, Node.js, and trojanized installers of popular programs. Ports 1224 and 1244 were used in this attack, consistent with Lazarus’ typical strategies, confirming their involvement in this incident.
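The two ports named above are the most directly actionable detail for a defender reviewing endpoint telemetry. The following script is an added example, not code from the report or from 360: it scans a simplified, constructed Sysmon-style network-connection export (the CSV column names and the sample rows are assumptions, and the IP addresses are documentation ranges) for process-initiated connections to ports 1224 or 1244, and raises the severity when the initiating image looks like the Node.js runtime bundled with an Electron application.

```python
"""Hunt for outbound connections on the ports reported in the write-up.

Added example for illustration. The log format is a constructed, simplified
Sysmon Event ID 3 (network connection) export; real exports have more columns.
"""
import csv
import io
from dataclasses import dataclass

# Ports the report attributes to the Lazarus modules in this campaign.
SUSPICIOUS_PORTS = {1224, 1244}

# Substrings that make an initiating process more suspicious: the trojanized
# Electron app runs Node.js-based modules. These hints are assumptions.
IMAGE_HINTS = ("node.exe", "electron", "uniswap")

# Constructed sample telemetry (documentation IP ranges, invented paths).
SAMPLE_LOG = r"""timestamp,image,initiated,dest_ip,dest_port,protocol
2024-10-01T10:00:01Z,C:\Windows\System32\svchost.exe,true,203.0.113.5,443,tcp
2024-10-01T10:00:07Z,C:\Users\alice\AppData\Local\Programs\Uniswap Sniper Bot\resources\node.exe,true,198.51.100.23,1224,tcp
2024-10-01T10:00:09Z,C:\Program Files\Mozilla Firefox\firefox.exe,true,203.0.113.9,443,tcp
2024-10-01T10:01:15Z,C:\Windows\System32\curl.exe,true,198.51.100.23,1244,tcp
2024-10-01T10:02:00Z,C:\Users\alice\AppData\Local\Programs\Uniswap Sniper Bot\resources\node.exe,false,192.0.2.10,1224,tcp
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    image: str
    dest_ip: str
    dest_port: int
    severity: str


def parse_connections(csv_text):
    """Parse the CSV export into dicts; rows with an unparsable port are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            row["dest_port"] = int(row["dest_port"])
        except (KeyError, TypeError, ValueError):
            continue
        rows.append(row)
    return rows


def find_suspicious_connections(csv_text):
    """Return findings for process-initiated connections to the reported ports."""
    findings = []
    for row in parse_connections(csv_text):
        # Only outbound (process-initiated) connections: an inbound row's
        # dest_port is a local listening port, which is a different signal.
        if row.get("initiated", "").lower() != "true":
            continue
        if row["dest_port"] not in SUSPICIOUS_PORTS:
            continue
        image = row["image"].lower()
        severity = "high" if any(h in image for h in IMAGE_HINTS) else "medium"
        findings.append(Finding(row["timestamp"], row["image"],
                                row["dest_ip"], row["dest_port"], severity))
    return findings


def remote_hosts(findings):
    """Distinct remote addresses contacted on the reported ports, for blocking/pivoting."""
    return sorted({f.dest_ip for f in findings})


if __name__ == "__main__":
    hits = find_suspicious_connections(SAMPLE_LOG)
    for hit in hits:
        print(f"[{hit.severity}] {hit.timestamp} {hit.image} -> {hit.dest_ip}:{hit.dest_port}")
    print("remote hosts:", remote_hosts(hits))
```

Port-only matching is a weak indicator on its own, since 1224 and 1244 are not reserved for anything in particular; the image hint exists to let an analyst triage the hits that most resemble this campaign first, and the distinct remote hosts are the values worth cross-checking against proxy and DNS logs.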
In September, Palo Alto Networks disclosed the activities of hacker groups linked to North Korean intelligence. These groups, often collectively referred to as Lazarus, are believed to operate on behalf of the North Korean government, engaging in cyber espionage, financial crimes, and destructive attacks on various industries globally.