February 13, 2018

Lazarus Strikes Again With Bitcoin-Stealing Malware Against Banks

The Lazarus hacking group has resurfaced with a concentrated attack targeting global banks in an attempt to steal bitcoin.

Lazarus, an advanced cyber threat group, is commonly believed to be responsible for a slew of major cyberattacks including the WannaCry ransomware outbreak, the 2014 Sony Pictures hack and the heist of Bangladesh central bank funds held at the Federal Reserve. Now the group has resurfaced with a concentrated phishing campaign targeting global financial organizations and bitcoin adopters.

The campaign, dubbed ‘HaoBao’ and discovered by McAfee Labs, was first spotted in mid-January. Researchers uncovered a malicious document distributed as a Dropbox link purporting to be a job advert for a business development executive at a large bank in Hong Kong. Attackers pose as job recruiters and send the target a spear-phishing email complete with a fake job advert. When opened, the email nudges the user to enable Visual Basic macros, which allows the attackers to begin implanting the malware.
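The delivery vector described above depends on the victim enabling macros in an Office attachment. One defensive check a mail gateway or triage script can apply is to look inside the Office Open XML container for a VBA project part, which macro-enabled documents store as `vbaProject.bin` (for example `word/vbaProject.bin`). The following is an added example written for this article, not code from McAfee or LIFARS; the sample documents it builds are constructed stand-ins, not real HaoBao lures, and legacy binary `.doc` files are out of scope.

```python
"""Flag Office Open XML attachments that carry a VBA project.

Added example, not code from the campaign write-up. It relies on the
documented OOXML layout: macro-enabled Word/Excel/PowerPoint files store
their VBA code in a zip part named vbaProject.bin. Legacy binary .doc
files (OLE2 containers) are not handled here.
"""
import io
import zipfile

VBA_PART = "vbaproject.bin"


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML zip container holds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Compare only the final path component, case-insensitively,
            # so word/, xl/ and ppt/ layouts are all covered.
            return any(
                name.rsplit("/", 1)[-1].lower() == VBA_PART
                for name in zf.namelist()
            )
    except zipfile.BadZipFile:
        # Not an OOXML container: the caller decides how to treat it.
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'macro', 'clean' or 'unknown'.

    'unknown' means the bytes are not a zip-based OOXML file at all,
    regardless of the extension the sender chose.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    if has_vba_project(data):
        # The extension is irrelevant here: a renamed .docm still carries
        # its vbaProject.bin, so this catches extension spoofing too.
        return "macro"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a macro-bearing file disguised as .docx, a clean file,
    # and a non-zip blob with a .doc name.
    for name, blob in [
        ("job_offer.docx", build_sample(with_macro=True)),
        ("job_offer.docx", build_sample(with_macro=False)),
        ("job_offer.doc", b"\xd0\xcf\x11\xe0 not a zip"),
    ]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

Treat a "macro" verdict as a reason to quarantine or sandbox the attachment rather than as proof of malice; legitimate macro-enabled documents exist, but an unsolicited job advert carrying a VBA project fits the pattern the researchers describe.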

“When victims open malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering,” researchers wrote.

They added:

HaoBao targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.

When installed on the computer through a second-stage payload, the malware searches for a specific bitcoin registry key. If discovered, the information is relayed to a command and control (C&C) server to initiate the process of stealing the cryptocurrency.

Beyond stealing the bitcoin, the malware also gathers and sends the computer’s name, the logged-in username and a list of all processes running on the system. This information can then be used to mount further attacks in the future.

“The techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and crypto currency exchanges in 2017,” researchers added, drawing parallels to cybercrime campaigns last year.

Image credit: Pexels.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
