North Korean hackers tracked as the Lazarus Group have been observed while using LinkedIn lures in an ongoing spear-phishing campaign targeting the cryptocurrency vertical in the United States, the United Kingdom, Germany, Singapore, the Netherlands, Japan, and other countries.
This is not the first time the Lazarus hackers (also tracked as HIDDEN COBRA by the United States Intelligence Community and Zinc by Microsoft) have targeted cryptocurrency organizations.
United Nations (UN) Security Council experts say that the North Koreans were behind cryptocurrency heists that led to losses of $571 million between 2017 and 2018, with the U.S. Treasury later sanctioning three DPRK-sponsored and financially motivated hacking groups (Lazarus, Andariel, and Bluenoroff).
A U.S. Army report from last month estimates North Korea’s total number of hackers at over 6,000, with lots of them operating from other countries including Russia, China, and India.
Earlier this year, in March, two Chinese nationals were charged by the U.S. with laundering over $100 million worth of cryptocurrency out of the roughly $250 million stolen by the Lazarus Group in 2018 as part of a single cryptocurrency exchange hack.
LinkedIn phishing targeting cryptocurrency firm system admin
Today, F-Secure Labs security researchers said that they attributed a phishing attack targeting an organization in the cryptocurrency vertical to the Lazarus Group.
This was possible due to signs of Lazarus activity discovered by F-Secure despite the threat actors' obvious efforts to remove any hint of their attacks, including disabling anti-malware solutions and removing their malicious implants from compromised devices.
“On all but a single host, which was powered off halfway through the intrusion and therefore unreachable, Lazarus Group was able to securely delete traces of any of the malware they employed as well as significant quantities of forensic evidence,” the researchers found.
F-Secure was able to attribute the attack based on the malicious implants left behind on infected systems and collected by the researchers after the Lazarus operation (identical to tools previously used by the group) and on Tactics, Techniques & Procedures (TTPs) used in the North Korean hackers' earlier operations.
“Based on phishing artifacts recovered from Lazarus Group’s attack, F-Secure’s researchers were able to link the incident to a wider, ongoing campaign that’s been running since at least January 2018,” F-Secure said earlier today.
“[S]imilar artifacts have been used in campaigns in at least 14 countries: the United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan, and the Philippines.”
Infection chain
Ongoing phishing campaign
The hackers used a maliciously crafted Word document disguised as a General Data Protection Regulation (GDPR) protected file requiring the target to enable content to get access to the rest of the information.
However, after enabling content, the document executed malicious embedded macro code that connected to a bit.ly link (accessed dozens of times since early May 2019 from multiple countries) and deployed the final malware payloads after first collecting and exfiltrating system info to attackers’ command-and-control servers.
These malicious implants feature several capabilities allowing the Lazarus hackers to “download additional files, decompress data in memory, initiate C2 communication, execute arbitrary commands, and steal credentials from a number of sources.”
Lazarus Group was also observed by F-Secure while disabling Credential Guard on infected devices to capture credentials from memory using the open-source Mimikatz post-exploitation tool.
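The chain described above relies on defeating two controls a defender owns: the user being allowed to "enable content" in Word, and Credential Guard being turned off before credentials are read from memory. The following PowerShell audit, an added example and not code from F-Secure or the article, checks the state of both; it assumes the Office 16.0 registry layout and the standard Win32_DeviceGuard WMI class.

```powershell
# Added audit script (not from the article): reports whether the two controls the
# described Lazarus chain depends on defeating are in a weak state.
# Assumes Office 16.0 (Office 2016/2019/365) registry paths and Windows 10 or later.

function Get-CredentialGuardState {
    # Win32_DeviceGuard: SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = $dg -and ($dg.SecurityServicesRunning -contains 1)
    # LsaCfgFlags: 0 = off, 1 = on with UEFI lock, 2 = on without lock
    # (without the lock, an administrator can switch it off with a reboot).
    $flags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                               -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    [pscustomobject]@{
        Running     = [bool]$running
        LsaCfgFlags = $flags
        UefiLocked  = ($flags -eq 1)
    }
}

function Get-WordMacroPolicy {
    # VBAWarnings: 1 = enable all (weak), 2 = disable with notification (the default
    # "Enable Content" prompt the lure relies on), 3 = only digitally signed, 4 = disable all.
    $paths = @(
        'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security',  # Group Policy value wins
        'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Security'            # user-chosen Trust Center value
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { return [pscustomobject]@{ Source = $p; VBAWarnings = $v } }
    }
    # Not set anywhere: Office falls back to 2 (prompt the user to enable macros).
    [pscustomobject]@{ Source = 'not set (Office default)'; VBAWarnings = 2 }
}

$cg    = Get-CredentialGuardState
$macro = Get-WordMacroPolicy

if (-not $cg.Running) {
    Write-Warning "Credential Guard is not running (LsaCfgFlags=$($cg.LsaCfgFlags))."
} elseif (-not $cg.UefiLocked) {
    Write-Warning "Credential Guard runs without UEFI lock; an administrator can disable it."
} else {
    Write-Output "Credential Guard is running with UEFI lock."
}

if ($macro.VBAWarnings -le 2) {
    Write-Warning "Users can enable Word macros (VBAWarnings=$($macro.VBAWarnings) from $($macro.Source)); set 3 or 4 by policy."
} else {
    Write-Output "Word macro policy blocks unsigned macros (VBAWarnings=$($macro.VBAWarnings))."
}
```

Run it in an elevated session so the LSA registry key and the Device Guard WMI namespace are readable.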
“Lazarus Group’s activities are a continued threat: the phishing campaign associated with this attack has been observed continuing into 2020, raising the need for awareness and ongoing vigilance amongst organizations operating in the targeted verticals,” the researchers conclude.
“It is F-Secure’s assessment that the group will continue to target organizations within the cryptocurrency vertical while it remains such a profitable pursuit, but may also expand to target supply chain elements of the vertical to increase returns and longevity of the campaign.”
Lazarus lure document