Lazarus Group, an infamous North Korean hacker group, has been targeting employees at cryptocurrency firms with spearphishing attacks in order to steal Bitcoin, researchers have revealed.
Hackers belonging to the Lazarus Group are using the lure of a job opening for the CFO role at a cryptocurrency firm as part of their latest spearphishing campaign.
According to researchers at security firm Secureworks Counter Threat Unit™ (CTU), Lazarus Group has shown an interest in Bitcoin since at least 2013, and the researchers have tracked IP addresses used by the group in several attacks on cryptocurrency firms.
The group’s latest operation is a spearphishing campaign in which emails are sent to executives at several cryptocurrency firms advertising a vacant CFO position at a leading London-based cryptocurrency firm. Recipients are invited to apply for the role and are asked to open an attached Microsoft Word document for the job description, responsibilities and eligibility requirements.
According to the researchers, the Word attachments contain malicious macros. When a recipient enables them, the macro writes out a separate, clean-looking decoy document to keep the victim’s attention and installs a first-stage Remote Access Trojan (RAT) on the computer. Through that RAT the attackers then download additional malware to support their Bitcoin-stealing operation.
The researchers added that the job description in the malicious Word document closely resembles the LinkedIn profile of the Chief Financial Officer of a real cryptocurrency company in the Far East. Copying a genuine document is a plausible way for the attackers to avoid the typos and grammatical errors that often give phishing lures away.
While examining the emails sent as part of the spearphishing campaign, the researchers found ‘common elements in the macro and in the first-stage RAT’ with earlier campaigns conducted by the Lazarus Group. They also ‘identified components in the custom C2 protocol being used (the way in which the malware talks to the Command and Control Servers) which they have seen utilized by [Lazarus Group] previously’. As such, the researchers have reason to believe that the group is indeed behind the recent operation.
‘Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high and is likely continuing its activities surrounding the cryptocurrency,’ noted Secureworks.
‘A number of recent intrusion activities against several bitcoin exchanges in South Korea have been tentatively attributed to North Korea. CTU researchers assess that the North Korean threat against cryptocurrency will remain elevated in the foreseeable future,’ the firm added.
Employees at cryptocurrency firms are likely to open emails offering job vacancies at prestigious firms and may unknowingly fall victim to the spearphishing operation. To stop such campaigns succeeding, the researchers advise cryptocurrency firms to educate employees about current threats and to ensure that attachments are not opened unless the sender has been verified.
At the same time, such firms should deploy advanced malware protection and detection solutions that detonate attachments in isolation (sandboxing) before delivering them, disable macros in Word documents that arrive from external sources, and enforce two-factor authentication on all key systems.
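The lure described above arrives as a Word document whose macro only does damage once a user clicks ‘Enable Content’, so the cheapest control is to find the macro before the document reaches the inbox. The following is an added example, not code from the Secureworks report or from any vendor named here: a standard-library Python triage routine that inspects a Word attachment for a VBA project. For modern OOXML files it looks for the `word/vbaProject.bin` part and the macro-enabled content type Word writes into `[Content_Types].xml`; for legacy OLE `.doc` files it uses a heuristic byte search for the storage names Office gives VBA projects rather than a full Compound File parse. The sample documents, the `build_sample_*` helpers and the `triage_verdict` policy are constructed for the example.

```python
"""Triage Word attachments for embedded VBA macros, standard library only.

Added example (not from the Secureworks report): flags attachments that could
carry a macro dropper like the one described in the article, so a mail gateway
can quarantine them before a user is asked to "Enable Content".
"""
import io
import zipfile

# Content type Word writes for macro-enabled documents (.docm).
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Content type of an ordinary, macro-free .docx.
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")
# Magic bytes of a legacy OLE2 / Compound File container (.doc, .xls).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Storage names Office uses for VBA projects, as they appear (UTF-16LE) in the
# OLE directory. A raw byte search is a heuristic, not a full CFB parse.
OLE_VBA_HINTS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed test input: a minimal OOXML package, optionally with a
    placeholder word/vbaProject.bin part (not a real VBA project)."""
    ct = MACRO_ENABLED_CT if with_macros else PLAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{ct}"/>'
            "</Types>",
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def build_sample_ole(with_macros: bool) -> bytes:
    """Constructed test input: an OLE header followed by fake directory bytes."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)
    body += "Root Entry".encode("utf-16-le") + b"\x00" * 22
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 22
    return bytes(body)


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict: container format, whether a VBA project was
    found, whether the file should be treated as suspicious, and reasons."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    v = {"filename": filename, "format": "unknown", "macros": False,
         "suspicious": False, "reasons": []}

    if data.startswith(b"PK\x03\x04"):
        v["format"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
                if "word/vbaProject.bin" in names:
                    v["macros"] = True
                    v["reasons"].append("contains word/vbaProject.bin (VBA project part)")
                if "[Content_Types].xml" in names:
                    ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                    if "macroEnabled" in ct_xml:
                        v["macros"] = True
                        v["reasons"].append("content types declare a macro-enabled main part")
        except zipfile.BadZipFile:
            # Unreadable container: cannot prove it is clean, so escalate.
            v["suspicious"] = True
            v["reasons"].append("zip container unreadable; treat as suspicious")
        if v["macros"] and ext == "docx":
            v["reasons"].append("extension claims .docx but a VBA project is present")
    elif data.startswith(OLE_MAGIC):
        v["format"] = "ole"
        hits = [h.decode("utf-16-le") for h in OLE_VBA_HINTS if h in data]
        if hits:
            v["macros"] = True
            v["reasons"].append(f"OLE directory names suggest a VBA storage: {hits} (heuristic)")
    else:
        v["reasons"].append("not an OOXML or OLE container")

    v["suspicious"] = v["suspicious"] or v["macros"]
    return v


def triage_verdict(v: dict) -> str:
    """Assumed gateway policy for this example: macro-bearing or unreadable
    Word attachments from external senders are quarantined, not delivered."""
    return "quarantine" if v["suspicious"] else "deliver"


if __name__ == "__main__":
    samples = {  # constructed samples; the lure names mirror the campaign's theme
        "CFO_Job_Description.docm": build_sample_ooxml(True),
        "CFO_Job_Description.docx": build_sample_ooxml(True),  # .docm renamed to look harmless
        "Benefits.docx": build_sample_ooxml(False),
        "legacy_role.doc": build_sample_ole(True),
    }
    for name, blob in samples.items():
        verdict = classify_attachment(name, blob)
        print(f"{triage_verdict(verdict):10} {name:26} {verdict['format']:6} "
              f"{'; '.join(verdict['reasons']) or 'no findings'}")
```

Two points worth noting for deployment. First, the extension check matters because Word opens a macro-enabled package regardless of whether it is named `.docm` or `.docx`, so filtering on filename alone is not sufficient. Second, the OLE heuristic can miss projects stored under other names and can in principle match unrelated data; a gateway should pair this triage with a full parser such as oletools and with the sandbox detonation the article recommends, rather than rely on it alone.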
‘Organisations need to deploy powerful solutions that utilise both humans and technology. By allowing those employees that are able to identify something that looks amiss to report it, and machine learning algorithms at the mailbox-level to continuously study every employee’s inbox to detect anomalies and communication habits based on a sophisticated user behavioural analysis, organisations can automate neutralising phishing campaigns, even removing them from other inboxes to avoid anyone accidentally tripping the malicious payload,’ says Eyal Benishti, CEO & Founder of IRONSCALES.
‘This can be done by augmenting the representation of senders inside the email client by learning true sender indicators and score sender reputation through visual cues and meta data associated with every email.
‘Automatic smart real-time email scanning should be integrated with multiple anti-virus and sandbox solutions so that forensics can be performed on any suspicious emails, whether detected or reported. The final facet is allowing quick reporting via an augmented email experience, thus helping the user make better decisions. These three, blended together, can stop phishing messages from hitting their target,’ he adds.
Even though Lazarus Group is known globally as an efficient and state-sponsored hacker group, it may not be the only North Korean cyber-criminal group to launch cyber-attacks on cryptocurrency exchanges and firms.
‘As sanctions bite further and North Korea becomes more desperate for foreign currency, they will get more aggressive and continue to come after the finance sector. They’re after our money,’ Robert Hannigan, who retired in March this year after leading GCHQ for three years, told The Times.
Speaking at the Reuters Cyber Security Summit in November, Dmitri Alperovitch, chief technology officer at CrowdStrike, said that hackers with links to North Korea have so far stolen hundreds of millions of dollars from global banks and may continue to launch sophisticated attacks on financial targets. ‘The difference between theft and destruction is often a few keystrokes,’ he warned.
‘With an army focused on the South, a navy that is limited in reach, and an air force oriented towards defense, North Korea’s main ways to threaten countries beyond its immediate borders are with missiles or with cyber intrusions,’ said Kelsey Atherton, a defence technology journalist.