Blockchain & Cryptocurrency , Cryptocurrency Fraud , Cyberwarfare / Nation-State Attacks

Lazarus Group Uses Spear Phishing to Steal Cryptocurrency

F-Secure: North Korean Group Targeted Employee at Cryptocurrency Exchange
Lazarus Group Uses Spear Phishing to Steal Cryptocurrency
Lazarus Group used a fake message about a job that claims it's protected under GDPR and contains malicious macros. (Source: F-Secure)

The Lazarus Group, which has ties to the North Korean government, recently targeted an employee of a cryptocurrency exchange with a fake job offer in order to plant malware and steal virtual currency, according to security firm F-Secure.

See Also: M-Trends 2024: By the Numbers of Today's Top Cyber Threats & Attacker Operations

The attackers apparently stole a "substantial" amount of cryptocurrency from the targeted exchange as a result of the spear-phishing attack, the researchers say.

The Lazarus Group has been involved in several other thefts from banks and exchanges, including the theft of $81 million from Bangladesh Bank in 2016.

A 2019 United Nation's report estimated the group had stolen about $571 million in cryptocurrency between 2017 and 2018 by targeting five exchanges in Asia. Lazarus allegedly is providing money to the North Korean government, which is facing numerous economic sanctions (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).

The recent attack against the unnamed cryptocurrency exchange is part of an ongoing campaign that started in 2018 and includes similar incidents in the U.S., China, U.K., Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan and the Philippines, according to the report.

"It is F-Secure's assessment that the group will continue to target organizations within the cryptocurrency vertical while it remains such a profitable pursuit, but may also expand to target supply chain elements of the vertical to increase returns and longevity of the campaign," the report notes.

Fake Job Offer

In the latest Lazarus Group attack, the hackers targeted a specific systems administrator who worked for the exchange, according to the report. The employee received a message through a personal LinkedIn account that advertised a fake job at a blockchain firm. The skill set needed for the job matched those of the targeted system administrator, the researchers say.

This message sent through LinkedIn also matched other phishing emails previously used by Lazarus, some of which had been uploaded to VirusTotal, according to the report.

The LinkedIn message contained a Word document that was portrayed as having more information about the prospective job offering, but noted that it was “protected under the European Union's General Data Protection Regulation law.” The victim was asked to enable macros to view the full document, according to the report.

Once the macros were enabled, they started a chain reaction that eventually installed a VBScript within the compromised device that made connections to three command-and-control servers overseen by the hackers, according to the F-Secure report.

Malicious Tools

The researchers found that Lazarus can deploy a number of malicious tools within an infected device. These include two distinct backdoors that have previously been reported on by security firms Kaspersky and ESET.

Another malware variant used in conjunction with the backdoors gives the hackers the "capability to download additional files, decompress data in memory, initiate command-and-control communication, execute arbitrary commands and steal credentials from a number of sources," according to the report.

The hackers also used a customized version of Mimikatz to steal credentials. This malware variant has been used by other hackers to steal cryptocurrency wallets (see: Hacker Group Stole $200 Million From Cryptocurrency Exchanges).

To help avoid detection, the Lazarus Group hackers use PowerShell commands to disable security tools, such as Windows Defender, and then delete the malware once the operation is concluded.

"On all but a single host, which was powered off halfway through the intrusion and therefore unreachable, Lazarus Group was able to securely delete traces of any of the malware they employed as well as significant quantities of forensic evidence," according to the report.

Fake Jobs

Over the past month, other security researchers also have noted that the Lazarus Group, which is also referred to as Hidden Cobra, has used the promise of fake jobs as part of phishing campaigns.

Earlier this month, McAfee issued a report that found Lazarus was using fake job offers to target employees in the U.S. aerospace and defense industries. These attacks would then allow the hackers to gain greater access to corporate networks. Researchers at ClearSky issued a similar report about fake LinkedIn job advertisements tied to North Korean hackers.

"There is evidence in recent reporting of Lazarus Group leveraging similar techniques to those observed in this campaign, such as the preference of LinkedIn as a delivery medium, to compromise organizations in other verticals," according to the F-Secure report. "This is also supported by the evidence that Lazarus Group has re-used tooling across multiple campaigns."

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.