Lazarus Rises Again with Aggressive Bitcoin-Stealing Campaign

Written by

An aggressive Bitcoin-stealing phishing campaign mounted by the international cybercrime group Lazarus and using sophisticated, brand-new malware has been uncovered.

McAfee Advanced Threat Research (ATR) analysts discovered the campaign, dubbed HaoBao. It resumes Lazarus’ previous phishing email efforts, which used lures aimed at employee recruitment and targeted US defense contractors, the energy sector and financial institutions, including cryptocurrency exchanges. The objective was to gain access to the target’s environment and obtain key military program insight or steal money. Those efforts ceased in October 2017 but are ramping up again; and this time, the targeted emails are aimed at Bitcoin users and global financial organizations.

In mid-January, McAfee discovered a malicious document masquerading as a job recruitment ad for a “Business Development Executive” for a large, multinational bank located in Hong Kong. The document was distributed via a Dropbox account. When recipients open the malicious documents attached to the emails, they are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the recipients' system via a Visual Basic macro.

The malware scans for Bitcoin activity and then establishes a secondary implant for long-term data gathering. The interesting thing is that the implants have never before been seen, and indicate a newly sophisticated level of attack.

“This is the mark of a new campaign, though it utilizes techniques, tactics and procedures observed in 2017,” explained McAfee analyst Ryan Sherstobitoff in an analysis. “McAfee ATR analysis finds the dropped implants…have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence.”

He added that there’s no indication that Lazarus won’t continue its efforts.

“Despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organizations,” said Sherstobitoff. “Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans.”

What’s hot on Infosecurity Magazine?