Ohm Shah
Co-Founder at Wallet Guard
After reviewing the recent @Arthur_0x hack, we need to address the seriousness of the hackers involved. Please DO NOT take this lightly, it’s one of the most advanced security threats we’ve seen.

1/ Arthur 0x was a victim to (very likely) Lazarus Group. The similarities of this attack on Arthur are nearly identical to one of their attacks in 2021. If you don’t know of them, don’t worry you’ve probably heard of them before.

2/ They are state-sponsored North Korean hackers famous for attacking Sony, large banks, major DDoS attacks against South Korea, and WannaCry. Yes, the same WannaCry ransomware attack that crippled the NHS in 2017.

3/ How was he attacked and why is it so serious?

First, he was emailed a document that resembles a document from one of his portfolio companies. This is called a spear-phishing attack, which can be described as a targeted phishing attack aimed at an individual or a group.

4/ The contents of a spear-phishing attack tend to be extremely relevant and normal. The goal for the bad actor is to make the email look as normal and routine as possible.

5/ The hackers did a very good job making this email seem legitimate by making it look like it’s from Google Docs, but it is actually a Microsoft Word file. Normal Google Docs do not look like this.

6/ Here’s versions of what you see after downloading the malicious file.

By clicking Enable Content, a RAT/keylogger will be installed on your computer and they’ll have full access.

👉 Once you click Enable Content, it’s over.

7/ This got through anti-virus because Lazarus Group found a way to inject malicious code into BMP image files, which are placed into the Word Doc. It’s a very advanced technique (that they themselves discovered) and appear to be actively exploiting…

8/ Additionally, this attack’s sophistication could go as far as replacing the components in your MetaMask extension with malicious code.

Here’s how you can check for yourself:

Snatch that crypto: BlueNoroff threat actor drains cryptocurrency startups’ accounts

9/ So how can we prevent this?

Unfortunately, this probably won’t be the last time we hear of this attack happening. Let alone the Lazarus Group.

The best things you can do is:  
1. Use Docs instead of Word  
2. Otherwise, triple check the sender  
3. DO NOT CLICK Enable Content.
Wallet Guard logo
Published on
September 5, 2023

Related Articles

All articles