Lazarus APT Group targets a London cryptocurrency company

Pierluigi Paganini December 15, 2017

Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.

The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.  Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack codes. UK Government also linked the WannaCry attack that crippled NHS to North Korea.

Lazarus targets Bitcoin company

According to the experts at Secureworks, the Lazarus APT group is behind a targeted email campaign aiming to trick victims into clicking on a compromised link for a job opening for a chief financial officer role at a London cryptocurrency company.

“Those who clicked on the hiring link were infected by malicious code from an attached document in the email that installed software to take remote control of a victim’s device, allowing hackers to download further malware or steal data.” reported the Reuters.

“This malware shares technical links with former campaigns staged by the mysterious cybercrime group Lazarus, which Secureworks has labeled “Nickel Academy”. Secureworks did not say whether anyone who received the email actually clicked on the link.”

Researchers found many similarities between the TTPs (techniques, tactics, and procedures) observed in this attack and previous ones attributed to the Lazarus APT group.

“The so-called “spearphishing” attempt appears to have been delivered on October 25, but initial activity was observed by Secureworks researchers dating back to 2016. The researchers said in a statement they believe the efforts to steal credentials are still on-going.” reported the Reuters.

“Recent intrusions into several bitcoin exchanges in South Korea have been tentatively attributed to North Korea, it said.”

Secureworks found evidence dating back to 2013 of North Korean interest in bitcoin, when multiple states sponsored hackers used a collection of usernames originating from computers using North Korean internet addresses were found researching bitcoin.

The same internet addresses were linked to previous North Korean operations.

The researchers believe the Lazarus phishing campaign is still ongoing and is warning of potential effects.

“Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high and (it) is likely continuing its activities surrounding the cryptocurrency,” Secureworks said in a statement to Reuters.

Secureworks announced the publishing of a detailed report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Lazarus APT, Bitcoin)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment