Security firms say North Korea’s Lazarus group is distributing a malware-laden clone of the Mycelium Wallet through Telegram channels, in a bid to compromise victims’ systems and steal crypto.
Per SBS and Bloomberg, the clone is named Somora. But the researchers say it is laced with a trojan that bears the hallmarks of “malware previously used to target crypto traders in South Korea and that the US government has attributed to Pyongyang.”
“Dozens of security vendors” have already “flagged” Somora files as “malicious,” Bloomberg noted.
Researchers at the UK’s BAE Systems have “sent private advisories about the Somora app to their customers.” America’s Mandiant is also readying a warning.
The researchers claim that Somora is “modeled after” Mycelium – and even repurposes the latter’s taglines, with Mycelium’s “Be Among Smart 8%” becoming “Be Among Smart 7%.”
Security firms have tied the app back to Lazarus, the hacking group that Western governments claim masterminded the 2014 hack of Sony Pictures and the crippling WannaCry ransomware attacks in 2017.
‘Fake North Korean Crypto Apps’ – A New Campaign?
They claim Somora is part of the same Lazarus-led campaign in which the group allegedly launched BloxHolder, a bogus clone of the HaasOnline crypto trading platform. The security firms say the apps’ installer files carry the AppleJeus trojan.
Once installed, the trojan collects basic host information, such as the machine’s network address, computer name and OS version. The attackers then use that reconnaissance to profile the victim and push further into otherwise secure networks.
Somora is not listed in any major app store. Instead, the security providers explained, download links to the “crypto wallet” are being sent directly to crypto holders and other individuals via Telegram, bypassing the vetting that store listings would normally receive. Wallet users should treat any installer that arrives this way as suspect and install only from the vendor’s official channels.
The United States and South Korea have repeatedly claimed that North Korea has been actively stealing crypto from individuals and firms for several years.
Washington estimates that about a third of the funds spent on North Korea’s missile development program have been raised via crypto hacks.