The notorious criminal collective known as the Lazarus Group has been spotted behind a worldwide phishing scam. They are among the most experienced hacker groups, notorious for coordinating mass attacks against high-value targets. The current campaign is focused against international banks and Bitcoin end users.
The Lazarus Group Strikes Again
Not much is known about the identity of the Lazarus Group hackers. They are believed to operate from North Korea and are widely known for planning elaborate campaigns against high-profile targets. Their first attacks were distributed denial-of-service attacks against South Korean institutions back in 2009 and 2012. The group is known for using large botnets under its control. In most cases these are made up of hacked computers infected with malware that recruits them into the network. The combined power of such a network can be devastating to sites and computer networks when the attacks are launched all at once.
The last noteworthy attack was carried out in October 2017, when the Lazarus Group conducted a phishing campaign against users working at cryptocurrency establishments. Numerous exchanges and wallet holders fell victim during the attack. The victims received email messages that made use of social engineering tricks and infected documents. The users were instructed to open the attached or linked rich text documents, which posed as files of interest to them. As soon as they were opened, a notification screen asked the users to enable the built-in macros. Once this was done, a malware payload was downloaded from a hacker server and installed on the victim computer, resulting in a very dangerous Trojan infection. It is believed that the hackers were behind attacks on some of the largest cryptocurrency exchanges: CoinDash, Bithumb, Veritaseum.
The Ongoing Lazarus Group Attack Campaign
The ongoing attack campaign employed by the Lazarus Group has been dubbed HaoBao by the security experts who reported it. Like previous campaigns, it depends on phishing emails that deliver the malware component. The scam tactic relies on a design that makes the message appear to be sent by a Hong Kong based job recruitment company. The actual contents of the emails show that the senders are looking to hire business development executives, citing a multinational bank as their client. The messages contain a link to a Dropbox document that has been identified as malicious. It is a Microsoft Word rich text document which, when opened, asks the victims to enable the built-in scripts. When this is done, the script launches a malware module. The behavior pattern executes the following set of instructions:
- The malware downloads a small infection engine that starts to scan the system for any cryptocurrency wallets. These can be of different types and support different digital currencies, usually including the most popular ones such as Monero, Ethereum, Bitcoin, NEO and Ripple.
- The next step is to deliver an information-gathering component to the compromised machines. It constantly monitors the infected machine for any major system changes and software installations related to cryptocurrency mining.
- A network connection is established with the hacker-controlled command and control (C&C) server. This allows the hackers to remotely scan the systems for changes and variables. Some of the gathered data includes the computer name, the currently logged-in user and the list of all running applications and system processes. The analysis also shows that the hackers can remotely scan for the presence of certain registry keys.
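The chain described above starts with a macro-enabled document launching a downloader that then talks to a C&C server. As an added defensive illustration (not code from the article or from the researchers who reported HaoBao), the following script correlates Sysmon-style process-creation and network-connection events to flag any process spawned by an Office application that then opens an outbound connection. The event format, field names, process names and addresses are constructed assumptions for the example.

```python
import ntpath

# Office applications whose child processes are unusual and worth flagging.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events in chronological order (Sysmon-like fields, not
# real telemetry): Word spawns cmd.exe which then reaches out to the network;
# notepad.exe connecting to a file server is benign noise.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4100,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "pid": 4188,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "NetworkConnect", "pid": 4188,
     "image": r"C:\Windows\System32\cmd.exe",
     "dest_ip": "203.0.113.7", "dest_port": 443},
    {"type": "ProcessCreate", "pid": 5000,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "NetworkConnect", "pid": 5000,
     "image": r"C:\Windows\System32\notepad.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},
]


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return ntpath.basename(path).lower()


def find_office_download_chains(events):
    """Return (pid, child image, destination IP) for every process that was
    spawned by an Office application and later opened a network connection.
    Events must be in chronological order so a pid maps to one process."""
    office_children = {}  # pid -> image of processes spawned by Office
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate" and basename(ev["parent_image"]) in OFFICE_APPS:
            office_children[ev["pid"]] = ev["image"]
        elif ev["type"] == "NetworkConnect" and ev["pid"] in office_children:
            findings.append((ev["pid"], basename(ev["image"]), ev["dest_ip"]))
    return findings


if __name__ == "__main__":
    for pid, image, dest in find_office_download_chains(SAMPLE_EVENTS):
        print(f"ALERT: Office-spawned {image} (pid {pid}) connected to {dest}")
```

In a real deployment the same correlation would run over Sysmon event IDs 1 and 3 from the endpoint logs rather than the constructed list.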
The security analysts note that one of the new mechanisms devised by the Lazarus Group in their latest malware attack is a quick scan function. The infection commands can scan the systems for the presence of cryptocurrency wallets and supporting software more efficiently than other hacker tools.
We remind our readers that they can protect themselves against this threat by using a quality anti-spyware solution.