The IT security researchers at McAfee have discovered that the Lazarus Group aka Hidden Cobra is back in action busy targeting global banking giants and unsuspecting Bitcoin users with a new sophisticated phishing campaign.
Who is Lazarus Group
If you are not familiar with who Lazarus Group are; they are a group of well-trained cybercriminals who according to some media reports, operates from North Korea. The group first came in the news back in 2009 and 2012 by targeting South Korean government institution with large-scale distributed denial-of-service attack (DDoS) attacks.
However, in October 2017, the group made a comeback by conducting malware attacks on Bitcoin exchanges and wallets right after the Bitcoin’s price set a new record. Now after a brief break, the group is not only back but also targeting high-profile targets including global banks as well as Bitcoin users.
Tricking targets with job recruitment scam
Dubbed “HaoBao” by researchers at McAfee Advanced Threat Research (ATR), Lazarus Group is utilizing phishing emails posing as a Hong Kong-based job recruitment firm looking to hire a Business Development Executive for a large multi-national bank. In reality, the emails sent by the group contain a Dropbox link with a malicious Microsoft Word file which once clicked, asks victims to enable content. Once that is done, the file infects the device with a malicious macro that scans for cryptocurrency wallets and establishes an implant for long-term data-gathering.
Malicious Microsoft Word document
“Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim’s system via a Visual Basic macro. The implant has the capability of gathering data from the victim’s system,” noted McAfee’s senior analyst Ryan Sherstobitoff.
This campaign is similar to the one the group conducted last year in which its targets were financial institutions, cryptocurrency exchanges, financial institutions and defense contractors while the group aimed at stealing money and military secrets. At that time, the group sent emails to victims claiming that a European based cryptocurrency firm is hiring for the position of Chief Financial Officer (CFO).
Stealing and sending data to command and control [C&C] server
Furthermore, McAfee researchers noted that the implant steals data from the targeted computer and sends it to and sent it to command and control [C&C] server including computer name, currently logged on user’s name, list of all processes currently running on and presence of a specific registry key on the system.
“In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin-related software through specific system scans,” Sherstobitoff explained.”
Beware of phishing scams
Lazarus Group is out there for the money and its targets include large-scale banking giants to unsuspecting cryptocurrency investors looking to make money the right way and you can be one of their very next victims. Therefore, beware of growing and persistent phishing scams leading to malware infecting and stealing of your data.
Recently, FBI warned users that cybercriminals have been posing as officials from Internet Crime Complaint Center and sending emails to users about the crime they did not commit since the sole purpose of it is to infect their computers with malware to steal data.
Moreover, a number of cryptocurrencies have lost millions of dollars lately due to highly sophisticated phishing campaigns indicating that it is time for users to look out for themselves, do not download/click attachments coming from an unknown email. Also, scan each and every file that you download on your anti-virus – anti-malware software or VirusTotal.
Image credit: DepositPhotos
