Lazarus APT Uses Phishing Domains to Target NFT Investors

Diving into details of the attack

• It was found that the attackers set up nearly 500 decoy sites with malicious Mints.
• These sites impersonate well-known NFT marketplaces such as OpenSea, X2Y2, and Rarible to dupe victims. Besides, one of these sites pretends to be a project associated with the World Cup.
• During the early stage of the campaign, the APT monitored and recorded user data via a domain name ‘thedoodles[.]site.’

 Attack tactics

• Once an investor clicks on the link, they are taken to a fake site that has the same branding and even the same layout.
• The site asks for personal information and investment details from victims, which are later transferred to the attackers
• This enables the Lazarus group to achieve complete access to victims’ assets, including their approve records and sigData.

NFT-related hacks a major security concern

• Morphisec Labs observed a new wave of NFT-001 attacks a couple of months ago that delivered Remcos RAT in the first stage and Eternity Stealer in the second stage. The campaign was designed primarily to target users in crypto and NFT communities on Discord and other forums. 
• In another incident, the hackers dropped malicious NFTs pretending to be Phantom security updates to target Solana cryptocurrency owners. The ultimate purpose of the attackers was to steal funds from users.
• In July, crooks stole 314 NFTs and $375,000 worth of crypto assets in one of the biggest hacks ever by hacking the popular Premint NFT.

Conclusion