The infamous criminal collective known as the Lazarus Group have been spotted behind a worldwide phishing scam. They are among the most experienced hacker groups that are infamous for coordinating mass attacks against high-end targets. The current campaign is focused against international banks and Bitcoin end users.
The Lazarus Group Strikes Again
Not much is known about the identity of the Lazarus Group hackers. It is believed that they operate from North Korea and are widely known for planning elaborate campaigns against high-profile targets. Their first attacks were against South Korean institutions using distributed denial-of-service attacks back in 2009 and 2012. The group is known for using large networks of botnet nodes that are controlled by the group. In most cases they are made of hacked computers that are infected with malware code that recruits them to the network. The combined collective network power can be devastating to sites and computer networks when the attacks are launched at once.
The last noteworthy attack was carried in October 2017 when the Lazarus Group conducted a phishing campaign against users that worked in cryptocurrency establishments. Numerous exchanges and wallet holders were made victims during the attack. The victims received email messages that make use of social engineering tricks and infected documents. The users are instructed to run the attached or linked rich text documents that pose as files of user interest. As soon as they are opened a notification screen asks the users to enable the built-in macros. As soon as this is done a virus infection is downloaded from a hacker server and instituted on the victim computer. As a result a very dangerous Trojan infection followed. It is believed that the hackers were behind some of the largest cryptocurrency exchanges: CoinDash, Bithumb, Veritaseum.
The Ongoing Lazarus Group Attack Campaign
The ongoing attack campaign employed by the Lazarus Group is dubbed HaoBao by the security experts that reported it. Like previous campaigns it depends on phishing emails that deliver the malware component. The scam tactic depends on a design that recreates the message as being sent by a Hong Kong based job recruitment company. The actual contents of the emails shows that the senders are looking for Business development executives for hire citing a multi-national bank as their client. The messages contain a link to a Dropbox document that has been identified as malicious. It is a Microsoft Word rich text document which when opened asks the victims to enable the built-in scripts. When this is done the script launches a virus module. The behavior pattern executes the following set of instructions:
- The malware downloads a small infection engine that starts to scan the system for any cryptocurrency wallets. They can be of different types and supporting different digital currencies. This usually includes the most popular one such as Monero, Ethereum, Bitcoin, NEO, Ripple and etc.
- The next step is to deliver an information gathering component on the compromised machines. It will constantly monitor the infected machine for any major system changes and software installations that are related to cryptocurrency mining.
- A network connection is established with the hacker-controlled command and control (C&C) server. This measure is related to the fact that the hackers can remotely scan the systems for changes and variables. Some of the gathered data includes the computer name, currently logged in user and the list of all running applications and system processes. The analysis also shows that the hackers can remotely scan for the presence of certain registry keys.
The security analysts note that one of the new mechanisms devised by the Lazarus Group in their latest malware attack is the quick scan function. The infection commands can scan the systems for the presence of cryptocurrency wallets and support software in a more efficient way than other hacker tools.
We remind our readers that they can protect themselves from danger by utilizing a quality anti-spyware solution.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: