Lazarus Hacking Group back with new hacking campaign targeting banks and bitcoin users

The North Korean Lazarus Hacking Group, which was believed to be behind the WannaCry ransomware attack last year, has returned with a new campaign targeting financial institutions and bitcoin users.

The new campaign, as discovered by the McAfee Advanced Threat Research (ATR) analysts and dubbed as “HaoBao”, was termed by McAfee as an “aggressive Bitcoin-stealing phishing campaign” that uses “sophisticated malware with long-term impact.”

It resumes Lazarus’ phishing emails, posed as job recruiters, from before but now targets global banks and bitcoin users.

It works by sending malicious documents as attachments to unsuspecting targets, who open the malicious document and unknowingly allow the malware to scan for Bitcoin activity, after which it establishes an implant for long-term data gathering on being successful.

According to the firm, McAfee ATR first discovered of the malware on January 15th, when they spotted a malicious document passed off as a job recruitment for a Business Development Executive at a multi-national bank based in Hong Kong.

More information can be found in a blog by McAfee regarding the campaign.

While the form of attack seems nothing new, the two-stage attack malware has surprised researchers.

“This campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence,” said McAfee analyst Ryan Sherstobitoff. “The implants contain a hardcoded word ‘haobao’ that is used as a switch when executing from the Visual Basic macro.”

According to Sherstobitoff, the dropped implants have “never been seen before in the wild” and were not used in the last campaign either.

He believes that, because of a lack of solid regulations in respect to cryptocurrencies and the fact that sanctions against North Korea are difficult to enforce with digital currencies than with hard currency, such attacks will only grow — which could spell bad news for bitcoin users.

Aside from the link to the WannaCry attack, Lazarus is also believed to be linked to the Sony hack in 2014 and the attack on South Korean cryptocurrency exchanges last year.
Category: / / /

Share this with Your friends: