The Lazarus hacking group has resurfaced with a concentrated attack targeting global banks in an attempt to steal bitcoin.
Lazarus, an advanced cyber threat group, is commonly believed to be responsible for a slew of major cyberattacks including the WannaCry ransomware outbreak, the 2014 Sony Pictures’ hack and the fed reserve heist off Bangladesh’s central bank. Now, the group has resurfaced again with a concentrated phishing campaign targeting global financial organizations and bitcoin adopters.
The campaign, dubbed ‘HaoBao’ and discovered by McAfee Labs, was first spotted in mid-January. Researchers uncovered a malicious document distributed as a Dropbox link purporting to be a job advert for a business development executive for a large bank in Hong Kong. Attackers pose as job recruiters sending the target a spear-phishing email complete with a fake job advert. When opened, the email nudges the user to enable a Visual Basic macros, bringing attackers to enable the process of implanting the malware.
“When victims open malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering,” researchers wrote.
HaoBao targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.
When installed on the computer through a second-stage payload, the malware searches for a specific bitcoin registry key. If discovered, the information is relayed to a command and control (C&C) server to initiate the process of stealing the cryptocurrency.
Beyond stealing the bitcoin, the malware also gathers and sends details of the computer’s name, logged-in username as wel as all the processes running on the system. This is then used to mount other attacks in the future.
“The techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and crypto currency exchanges in 2017,” researchers added, drawing parallels to cybercrime campaigns last year.
Image credit: Pexels.