Lazarus Group, the North Korean hacking group responsible for the WannaCry ransomware attack last year, is back again with a new campaign targeting cryptocurrency and financial organizations.
The new campaign, dubbed HaoBao, has been discovered by cybersecurity researchers at McAfee. From April to October 2017, the Lazarus Group posed as Hong Kong-based job recruiters and targeted individuals with malicious emails written in English and Korean. Using these malicious emails, Lazarus gained access to victims' environments and obtained insights into key programs.
Now, the hacking group is putting its experience with phishing emails to use against bitcoin users and global banks. The emails it sends carry a Dropbox link.
The Dropbox link leads to a document that carries the malicious payloads as encrypted string arrays. When a user clicks the link, the payloads are decrypted in memory, written to disk and launched in sequence.
Simply put, if the user clicks the link, malware is installed on the system which scans the computer for cryptocurrency activity. If such activity is detected, it establishes a secondary implant for long-term data gathering.
“The dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word ‘haobao’ that is used as a switch when executing from the Visual Basic macro,” wrote Ryan Sherstobitoff, a McAfee analyst, in a blog post.
The documents attached to the emails listed ‘Windows User’ as their last author and were created using Korean language resources on January 16th. McAfee noted that a few more documents with the same author appeared between January 16 and January 24, 2018.
Lazarus has a history of malicious activities and cybercrimes. Along with the WannaCry ransomware attack that crippled banks, hospitals and other businesses in May last year, Lazarus Group is also said to have been involved in the 2014 hack of Sony Corporation.