Fresh ‘HaoBao’ campaign also plants the seeds for extra espionage on targeted machines.
By Danny Palmer | February 13, 2018 — 13:03 GMT (05:03 PST) | Topic: Security
The Lazarus Group has risen to attack again – this time it’s after cryptocurrency.
The Lazarus hacking operation is targeting global banks in attacks designed to steal bitcoin, while also planting the seeds for future reconnaissance operations.
An advanced cyber threat group thought to be linked to North Korea, Lazarus is believed to be responsible for major online attacks, including the WannaCry ransomware outbreak, an $80m Bangladesh bank cyber heist and 2014's Sony Pictures hack.
Now Lazarus has resurfaced once again, with a phishing campaign which aims to plant malware on the systems of global financial organisations and bitcoin users for both short-term theft and long-term reconnaissance.
Dubbed 'HaoBao', the campaign has been uncovered by McAfee Labs. It's different to other phishing operations by the Lazarus group and uses novel code to infect machines.
The latest Lazarus campaign was first spotted in mid-January, when researchers discovered a malicious document being distributed via a Dropbox link, which claimed to be a job advert for a business development executive located in Hong Kong for a large multinational bank.
The author is listed as 'Windows User' and the document was created in Korean, with further similar documents appearing in the days which followed.
Attackers pose as a job recruiter, and send the target a spear-phishing email with a fake job advert, which when opened encourages the user to 'enable content' to see a document they're told was created with an earlier version of Word.
This is a ploy to trick the victim into enabling Visual Basic macros and permit the attackers to start the process of implanting malware.
Researchers note that the implants used in this campaign have never previously been seen in the wild and weren't used during previous Lazarus campaigns. These implants contain the word "haobao", which is where researchers took the malware's name from, and their novelty makes the attack more difficult to uncover.
"Low detection rates paired with low prevalence in the wild will make a targeted implant much more difficult to detect," Ryan Sherstobitoff, Senior Analyst of Major Campaigns at McAfee told ZDNet.
Once installed on the machine via a second-stage payload, the malware looks for a specific bitcoin registry key on the system: 'HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt', the key written by the Bitcoin Core (Bitcoin-Qt) wallet client.
If found, information is sent to the command and control infrastructure, which initiates the process of stealing the cryptocurrency.
However, the malware does more than steal bitcoin, with the HaoBao campaign also providing attackers with a backdoor to spy on the victim’s system.
Information about the computer name, the logged-in username and all the processes running on the system is sent to the attackers, who can use it to help mount further attacks in future.
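The two host-side behaviours described above (a Word document spawning a child process after 'enable content', and a process other than the wallet reading the 'HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt' key) are the kind of thing a detection engineer would hunt for in endpoint telemetry. The following is an added example, not code from McAfee or from the article; the events it runs over are constructed Sysmon-style and Windows Security-audit-style records, not real telemetry, and the process names, SIDs and the assumption that only `bitcoin-qt.exe` legitimately touches that key are all hypothetical. One caveat a practitioner will want: Sysmon does not record registry reads, so the second rule relies on Windows object-access auditing (event 4663), which only fires if an audit SACL has been placed on the key.

```python
import ntpath
from typing import Dict, Iterable, List

# Key named in the McAfee write-up as the one HaoBao checks for; compared as a
# case-insensitive suffix so both the HKCU form and the \REGISTRY\USER\<SID> form match.
WALLET_KEY_SUFFIX = r"\software\bitcoin\bitcoin-qt"

# Assumption (hypothetical): only the wallet binary itself normally reads that key.
EXPECTED_READERS = {"bitcoin-qt.exe"}

# Office binaries whose child processes are a strong macro-execution signal.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works off-Windows via ntpath)."""
    return ntpath.basename(image).lower()


def is_office_child(ev: Dict) -> bool:
    """Sysmon Event 1 (ProcessCreate) whose parent is an Office application."""
    if ev.get("source") != "sysmon" or ev.get("EventID") != 1:
        return False
    return _basename(ev.get("ParentImage", "")) in OFFICE_PARENTS


def is_unexpected_wallet_key_access(ev: Dict) -> bool:
    """Security Event 4663 on the Bitcoin-Qt key from a process other than the wallet.

    4663 is only produced for keys carrying an audit SACL; Sysmon does not log
    registry *reads*, so without the SACL (or an ETW consumer) this rule sees nothing.
    """
    if ev.get("source") != "security" or ev.get("EventID") != 4663:
        return False
    if ev.get("ObjectType") != "Key":
        return False
    if not ev.get("ObjectName", "").lower().endswith(WALLET_KEY_SUFFIX):
        return False
    return _basename(ev.get("ProcessName", "")) not in EXPECTED_READERS


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Run both rules over a stream of events and return one finding per hit."""
    findings = []
    for ev in events:
        if is_office_child(ev):
            findings.append({"rule": "office-spawned-process",
                             "image": _basename(ev["Image"]),
                             "parent": _basename(ev["ParentImage"])})
        elif is_unexpected_wallet_key_access(ev):
            findings.append({"rule": "wallet-key-access",
                             "image": _basename(ev["ProcessName"]),
                             "user": ev.get("SubjectUserName")})
    return findings


# Constructed sample events (hypothetical paths, user and SID), not real telemetry.
SAMPLE_EVENTS = [
    # Benign: Explorer launches Word to open the lure document.
    {"source": "sysmon", "EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Suspicious: Word spawns a dropped executable after the macro is enabled.
    {"source": "sysmon", "EventID": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Benign: the wallet reads its own key.
    {"source": "security", "EventID": 4663, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Bitcoin\Bitcoin-Qt",
     "ProcessName": r"C:\Program Files\Bitcoin\bitcoin-qt.exe", "SubjectUserName": "alice"},
    # Suspicious: the dropped executable reads the wallet key.
    {"source": "security", "EventID": 4663, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Bitcoin\Bitcoin-Qt",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SubjectUserName": "alice"},
    # Noise: an audited access to an unrelated key.
    {"source": "security", "EventID": 4663, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "SYSTEM"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Correlating the two findings on the same image path (here the hypothetical `update.exe`) is what turns two medium-confidence signals into a high-confidence one; the rules are kept separate so that each can be tuned on its own false-positive rate.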
McAfee attributes this cryptocurrency-stealing campaign to Lazarus because "techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and cryptocurrency exchanges in 2018".
It's also noted that HaoBao contacts a domain that was used in previous Lazarus campaigns, the documents share an author and structure with documents previously constructed by the group and "the techniques, tactics and procedures align with Lazarus group's interest in cryptocurrency theft".
It's thought the operation is still ongoing as the Lazarus group continues its efforts to acquire funds, despite the recent volatility of bitcoin, because it remains difficult to restrict the flow of.
"Lazarus has shifted to heavy targeting of crypto currency due to the lack of solid regulations. Additionally, sanctions are harder to enforce with crypto currency than hard currency," said Sherstobitoff.