Similarities among malicious documents used in attacks on South Korea suggest there could be a link between attacks on cryptocurrency and banks in South Korea. AlienVault has discovered cyber-attacks on South Korea by the North Korea-linked Lazarus Group. The attack methods are similar in nature to recent attacks on banks and Bitcoin exchanges. By leveraging the Manuscrypt malware, Lazarus reportedly “communicates by impersonating South Korean forum software.”
The three samples analyzed by the AlienVault labs team appeared to be Hangul Word Processor (HWP) files, the format of a document editor widely used in South Korea. The samples contained “malicious postscript code to download either a 32- or 64-bit version of the next stage.” According to Hybrid Analysis, the malicious document that mentions the G20 International Financial Architecture Working Group Meeting had – among other indicators – the ability to query CPU information and to register a top-level exception handler. Another document identified as malicious was a decoy resume.
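The delivery mechanism described above (PostScript embedded in an HWP document) can be triaged without opening the file in Hangul. HWP 5.x documents are OLE compound files whose embedded objects sit as raw-deflate-compressed streams under the BinData storage; a PostScript object therefore shows up as an inflated stream beginning with `%!PS`. The following scanner is an added example written for this article, not code from AlienVault or from any of the samples it analyzed. It assumes the third-party `olefile` package for reading real `.hwp` files, and the `SAMPLE_STREAMS` mapping and its stream names are constructed stand-ins so the logic can be exercised offline.

```python
"""Heuristic triage of PostScript (EPS) objects embedded in HWP 5 documents.

Defensive use: list which BinData streams inflate to PostScript and which
URL-like strings they carry, so an analyst can decide what to detonate
in a sandbox. Nothing here executes the PostScript.
"""
import re
import zlib
from typing import Dict, List, Optional

PS_MAGIC = b"%!PS"
URL_RE = re.compile(rb"https?://[\w.\-/]+", re.IGNORECASE)


def inflate_bindata(raw: bytes) -> bytes:
    """HWP 5 BinData streams are zlib raw-deflate (wbits=-15).

    Uncompressed streams are returned unchanged.
    """
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def inspect_stream(name: str, raw: bytes) -> Optional[dict]:
    """Return a finding if the inflated stream is a PostScript object."""
    data = inflate_bindata(raw)
    if not data.lstrip().startswith(PS_MAGIC):
        return None
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
    return {"stream": name, "postscript": True, "urls": urls, "size": len(data)}


def scan_streams(streams: Dict[str, bytes]) -> List[dict]:
    """Scan a {stream_path: raw_bytes} mapping, looking only under BinData/."""
    findings = []
    for name, raw in streams.items():
        if not name.lower().startswith("bindata/"):
            continue
        hit = inspect_stream(name, raw)
        if hit:
            findings.append(hit)
    return findings


def scan_hwp(path: str) -> List[dict]:
    """Read a real .hwp with olefile (assumption: `pip install olefile`)."""
    import olefile  # third-party dependency, assumed to be installed

    ole = olefile.OleFileIO(path)
    try:
        streams = {
            "/".join(parts): ole.openstream(parts).read()
            for parts in ole.listdir(streams=True, storages=False)
        }
    finally:
        ole.close()
    return scan_streams(streams)


def _deflate(data: bytes) -> bytes:
    """Produce the raw-deflate encoding HWP uses, for the constructed sample."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


# Constructed sample streams (not taken from any real document).
SAMPLE_STREAMS = {
    "FileHeader": b"HWP Document File V5.00 \x1a\x01\x02\x03\x04",
    "BinData/BIN0001.jpg": _deflate(b"\xff\xd8\xff\xe0" + b"\x00" * 64),
    "BinData/BIN0002.eps": _deflate(
        b"%!PS-Adobe-3.0 EPSF-3.0\n"
        b"% constructed placeholder, not a real exploit\n"
        b"(http://example.invalid/stage64) pop\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_streams(SAMPLE_STREAMS):
        print(finding)
```

A hit on a PostScript stream is not proof of malice on its own; legitimate HWP files can embed EPS graphics. The URL list is what turns the hit into something actionable: a PostScript object that carries a download location has no business in a resume or a meeting agenda.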
Interestingly, the documents used in the recent hack of the South Korean cryptocurrency exchange also contained malicious HWP files and involved fake resumes. Bithumb is a major South Korean Bitcoin exchange that was hacked, with $30M in coins stolen.
“There were earlier reports of related malicious HWP documents from Lazarus targeting crypto-currency users in South Korea earlier this month. In that case, we noticed there are a number of crypto-currency phishing domains that are registered to the same phone number as a domain (itaddnet[.]com) used to deliver some of the malware,” AlienVault wrote.
Researchers suggested that criminals are not only delivering malware but also phishing for credentials, and if these attacks are connected to Lazarus, the group doesn’t show any signs of slowing down its activity. Lazarus is reportedly responsible for several attacks against banks, and the group has been collecting sizable payouts.
While it is tempting to connect all of the dots back to the Lazarus group, some evidence suggests otherwise. Other attacks reported earlier this month appeared to involve malicious HWP documents reportedly from Lazarus targeting cryptocurrency users in South Korea. However, registering domains is not typical activity for Lazarus.
“Normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus,” researchers said.