Global Banks and Bitcoin Users are Targeted by North Korean Lazarus Hacking Group - BestCyberNews: Online News Presenter in the present world


McAfee Advanced Threat Research (ATR) analysts have found an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.


The Lazarus group targets cryptocurrency and financial organizations, and it is making increased use of limited data-gathering modules to quickly identify targets for further attacks. This campaign is tailored to identify those who are running Bitcoin-related software through specific system scans.

This campaign delivers a one-time data-gathering implant that relies on downloading a second stage to gain persistence. The implants contain a hardcoded word "haobao" that is used as a switch when executing the Visual Basic macro.

Beginning in 2017, the Lazarus group heavily targeted individuals with spear-phishing emails that impersonated job recruiters and contained malicious documents. The campaign lasted from April to October and used job descriptions relevant to the target organizations, in both English and Korean.

The objective was to gain access to the target's environment and obtain key military program insight or steal money. The 2017 campaign targets ranged from defense contractors to financial institutions, including cryptocurrency exchanges; however, much of this fake job recruitment activity ceased months later, with the last activity observed October 22, 2017.

McAfee Advanced Threat Research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:

  • Contacts an IP address/domain that was used to host a malicious document from a previous Lazarus campaign in 2017
  • The same author that appears in these recent malicious documents also appeared in Lazarus 2017 campaigns
  • Uses the same malicious document structure and similar job recruitment ads as we observed in past Lazarus campaigns
  • The techniques, tactics, and procedures align with Lazarus group’s interest in cryptocurrency theft
