The North Korea-based Lazarus hacking group is now targeting individuals and banking institutions with bitcoin-stealing and phishing campaigns. The new cyber attack was discovered by analysts at McAfee Advanced Threat Research (ATR). As revealed by the company in a post on its website, the phishing attack is aimed at bitcoin users and uses a sophisticated malicious document to harvest data.
Haobao, but Probably Lazarus
Lazarus, the cybercrime group suspected to be behind the WannaCry ransomware attacks in 2017, has resumed its phishing emails, targeting individuals with fake job openings delivered as a link to an infected Word document. When unsuspecting victims open this link, it redirects to a Dropbox page hosting the Word file, thereby tricking the user into downloading the malware.
This ambitious cybercrime campaign has been dubbed “Haobao”: once the malware is downloaded and infects the target, it scans the system for any bitcoin or cryptocurrency-related activity, collects all sorts of data and sends it back to remote servers.
The recent attack attempt by Lazarus came to light when a malicious link hosting the document was discovered by McAfee Advanced Threat Research (ATR) analysts on January 15, 2018.
Upon further analysis, it was revealed that the file had been edited and uploaded by an author who went by the inconspicuous name “Windows User.” McAfee has shown that several more infected files were created and uploaded to the same location by the same author between January 16 and January 24, 2018. The attack aims to identify victims running Bitcoin-related software through specific system scans.
As stated by McAfee in its official blog, after downloading the infected file:
“Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim’s system via a Visual Basic macro.”
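The lure described above depends on a Word document that carries a VBA project. A simple defensive triage step is to check the OOXML package itself rather than trust the file extension. This is an added example, not code from McAfee or the report; the sample documents are constructed in memory and the detection logic assumes only the standard OOXML part names and content types.

```python
"""Flag Word documents that carry a VBA macro project, whatever their extension."""
import io
import zipfile

# Content type declared for a macro-enabled Word main document (.docm) vs. a plain one (.docx).
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"  # the part that holds compiled VBA macros


def analyze_document(data: bytes) -> dict:
    """Return which macro indicators an OOXML Word package contains."""
    result = {"is_ooxml": False, "has_vba_project": False, "macro_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["has_vba_project"] = VBA_PART in names
            if result["is_ooxml"]:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_content_type"] = MACRO_MAIN_TYPE in types
    except zipfile.BadZipFile:
        pass  # not a zip container (legacy .doc or something else): out of scope here
    return result


def is_macro_document(data: bytes) -> bool:
    """True if either indicator is present; a renamed .docm still trips this check."""
    r = analyze_document(data)
    return r["has_vba_project"] or r["macro_content_type"]


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML Word package (constructed sample, not a real document)."""
    main_type = MACRO_MAIN_TYPE if macro else PLAIN_MAIN_TYPE
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        if macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0")  # placeholder bytes, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    # The second file is named .docx but carries a macro project: extension alone is not a signal.
    for label, blob in (("plain.docx", build_sample(False)), ("renamed.docx", build_sample(True))):
        print(label, "macro" if is_macro_document(blob) else "clean")
```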
Furthermore, it has been found that the infected link also establishes contact with the same IP address that Lazarus had previously used to host a different malicious document in 2017. That document was authored under the same username, a pattern that has become something of a norm in the group's recent attacks.
While the campaign has been dubbed Haobao for now, it is consistent with Lazarus’ interest in cryptocurrency theft. Lazarus has employed the same technique, that is, a similar document structure and job recruitment advertisements, in previous phishing attacks.
In early January 2018, Marko Kobal, co-founder of NiceHash, a startup serving as a marketplace for cryptocurrency mining, resigned from his role as CEO. The announcement came in the wake of a high profile cyber attack targeting NiceHash, resulting in a loss amounting to thousands of bitcoins.
On December 12, 2017, a major cryptocurrency exchange, Bitfinex, crashed amidst reports of a hack. A week before that, Bitfinex had already reported that it was the victim of a distributed denial of service attack that resulted in a temporary halt of its trading platform.