According to security firms, North Korea’s Lazarus group is using Telegram channels to distribute a virus-ridden Mycelium Wallet copy.
Somora is the name of the clone. According to the researchers, it is riddled with trojan-like software that bears the hallmarks of malware previously used by Pyongyang against crypto traders in South Korea.
“A number of security vendors have already flagged Sonora files as malicious,” Bloomberg reported.
Researchers at UK-based BAE Systems have notified their customers about the Somora app, while Mandiant is also preparing a warning.
Somora, the researchers claim, is “modeled after” Mycelium, down to repurposing the latter’s tagline as “Be Among Smart 7%.”
Security firms have linked the app to the Lazarus hacking group, which Western governments hold responsible for the 2014 Sony Pictures hack and the crippling WannaCry ransomware attacks in 2017.
A New Campaign for ‘Fake North Korean Crypto Apps’?
The researchers claim Somora is part of the same Lazarus-led campaign that allegedly launched a bogus clone of the HaasOnline cryptocurrency exchange called BloxHolder. The installer files for both apps, according to the security providers, are infected with the AppleJeus trojan.
This trojan can collect information such as computer addresses, computer names, and operating system versions. Attackers can then use these details to compromise otherwise secure networks.
Somora is not available in major app stores. Instead, the security providers explained, download links to the supposed “crypto wallet” are being sent via Telegram to cryptocurrency holders and other individuals.
For several years, the United States and South Korea have claimed that North Korea has been actively stealing cryptocurrency from individuals and businesses.