Prominent North Korean hacker group Lazarus has renewed a phishing campaign that it launched last year, but instead of injecting malware to gain access to enterprise IT environments, the group is now injecting implants to systems to identify those who are running Bitcoin-related software.
The new operation by Lazarus, dubbed "HaoBao" by researchers at McAfee Advanced Threat Research, not only includes existing phishing tactics but also targets Bitcoin users and global financial organisations. Malware injected by hackers into victims' systems initially scan for Bitcoin activity and then establish implants for long-term data-gathering.
Last year, Lazarus group targeted employees at various financial institutions, defence contractors and cryptocurrency firms with phishing emails. The emails were drafted to make them appear as if they were sent by recruiters and contained job descriptions similar to the victims' professions, and harboured malicious codes that enabled the group to obtain key military programme insight or to steal money from enterprises and individuals.
The campaign went on until October last year before resurfacing again in January. However, emails sent to unsuspecting victims as part of the fresh campaign also contain malicious documents masquerading as job recruitment notices.
"Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim's system via a Visual Basic macro. The implant has the capability of gathering data from the victim's system," the researchers noted.
They added that the implant can gather data such as computer name, currently logged on user's name, list of all processes currently running on the system, and the presence of a specific registry key on the system. This is the first time that Lazarus Group has used implants to inject enterprise systems and to monitor cryptocurrency traffic.
"In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organisations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin-related software through specific system scans," the researchers concluded.
In an email to SC Magazine UK, Trevor Reschke, head of threat intelligence at Trusted Knight, said: "This new campaign follows a classic evolution of cyber-criminal group capabilities to mass market crimeware, but the timing might raise some eyebrows due to the political ramifications during the Olympics."
He added that while it is difficult to directly connect the new phishing campaign with hackers based in North Korea, the latter would gladly take credit for the operation as the same would make the rest of the world believe that "they have a seat at the table in world cyber-capabilities."
"The new 'espionage' capability seen in this version is not a new technique, rather something commonly found in state-sponsored malware and general everyday crimeware to acquire user files for expanded fraud. As with other "Lazarus group" attributed large-scale attacks, there may be a blunder as the campaign progresses, leading to a short circuit," he said.