Anti-Malware , Anti-Phishing, DMARC , Endpoint Security

Lazarus Hackers Phish For Bitcoins, Researchers Warn

Bitcoin Exchange Job Lure Traces to Hackers Tied to North Korea
Lazarus Hackers Phish For Bitcoins, Researchers Warn
Fake job lures lead to malicious macros. (Source: Secureworks CTU)

Bitcoin-seeking hackers are using old-school tricks to socially engineer would-be cryptocurrency exchange executives, researchers warn.

An attack group tied to North Korea has "launched a malicious spear-phishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company," researchers at Secureworks Counter Threat Unit warn in a report.

The CTU researchers refer to the group behind the attack as "Nickel Academy," although it is perhaps better known as the Lazarus Group (see Kaspersky Links North Korean IP Address to Lazarus ).

The group has been tied to numerous attacks, including the attempted theft of nearly $1 billion from the central bank of Bangladesh's New York Federal Reserve account, leading to $81 million being stolen; the WannaCry ransomware outbreak in May; as well as the use of cryptocurrency mining malware named Adylkuzz to attack the same flaw in Windows server block messaging that WannaCry also targeted (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).

Fake Job Lure

Security researchers say Lazarus has also been running a series of job lure phishing attacks since at least 2016, with the latest round being delivered around Oct. 25 of this year. The malicious code has "solid technical linkages" to attacks previously attributed to Lazarus, CTU says (see Report: North Korea Seeks Bitcoins to Bypass Sanctions).

Researchers at Israeli cybersecurity startup Intezer also believe the code has been reused by Lazarus, based on a review of attack code that's been seen in the wild since 2014.

Fake job lure tied to the Lazarus phishing campaign. (Source: Intezo)

The fake job advertisement pretends to be for Luno, a bitcoin wallet software and cryptocurrency exchange based in London, according to an analysis of the phishing messages published Tuesday by Jay Rosenberg, a senior security researcher at Intezer.

Luno says it's been alerted to the fake emails bearing its name. "We're aware of this issue and are investigating thoroughly," Luno tells ISMG.

If recipients of the latest CFO job lure phishing emails open an attached Microsoft Word document, it triggers a pop-up message inviting them to enable editing functions. The CTU researchers say this is an attempt to enable macros in Word, so that a malicious macro hidden inside the document can execute. If it does, the macro creates a decoy document - the fake CFO job lure - as well as installs a first-stage remote access Trojan RAT in the background. Once the RAT is running on the victim's PC, attackers can use it to install additional malware onto the system, such as keystroke loggers and password stealers (see Hello! Can You Please Enable Macros?).

Pop-up generated by a malicious Microsoft Word document attached to emails sent as part of the fake CFO job lure phishing campaign tied to Lazarus. The Word attachment, which includes malicious macros, attempts to trick recipients into enabling macro functionality in Microsoft Office, which is disabled by default because of the risk it poses to users. (Source: Secureworks CTU)

The CTU researchers say the job listing appears to have been stolen from a legitimate CFO job listing posted to LinkedIn by a cryptocurrency firm in Asia. While the researchers say that Lazarus has done this previously, unusually in this case, some typographical errors in the original listing were expunged. The researchers add that this phishing campaign does not appear to target any specific firm or individual, but rather to be more broadly aimed.

"There are common elements in the macro and in the first-stage RAT used in this campaign with former campaigns," the researchers write. The custom command-and-control network code that controls infected endpoints also includes components that were seen in previous attacks tied to Lazarus, they add.

Skyrocketing Interest in Bitcoins

The ease of hacking bitcoins, the pseudonymity it offers, as well as the skyrocketing value of the cryptocurrency has led many cybercrime groups to focus on bitcoin theft.

"There are at least four very advanced threat actor groups who have been attacking banks in recent years, and about a month ago, they just dropped their activities and moved over to bitcoin hacking," Avivah Litan, vice president and distinguished analyst at Gartner Research, tells Information Security Media Group, citing information she's received from threat intelligence researchers.

Those groups include hacking teams tied to Russian organized crime syndicates as well as North Korea, especially in light of sanctions being imposed on both countries, says Tom Kellermann, CEO at cybersecurity venture capital firm Strategic Cyber Ventures. "Economic sanctions in the real world are being offset by cyberattacks," he says.

By some estimates, one-third of cash-strapped North Korea's gross domestic product may come from hacking.

"It is a fact that North Korea has been attacking virtual currency exchanges," Lee Dong-geun, a director with South Korea's state-run Korea Internet and Security Agency, tells CNN. "We don't know how much North Korea has stolen so far, but we do know that the police have confirmed the regime's hacking attempts."

Given bitcoin's popularity with investors in the United States - among other countries - it might seem ironic that the majority of Americans don't know the location of North Korea, according to Conrad Hackett, a senior demographer and associate director at Pew Research Center, a nonpartisan U.S. think tank in Washington.

But online attacks know no boundaries. And hack attempts need not be launched by nation states to be effective.

"We like worrying about nation-state attacks, like the Mirai botnet," Brian Honan, head of cybersecurity firm BH Consulting in Dublin, tells ISMG. "When that came out, people said it was Iran or North Korea exercising their cyber weapons."

But many of the Mirai botnet attacks seen to date were allegedly launched by the likes of U.S. college students and a man also accused of developing and selling RATs on cybercrime forums (see Mirai Malware Attacker Extradited From Germany to UK).

Essential Phishing Defenses

Regardless of who's launching phishing campaigns or targeting individuals' cryptocurrency holdings, the CTU researchers say the CFO job lure campaign is a reminder to all email users - and especially cryptocurrency firms - to take several security steps.

  • Social engineering training: Train and remind employees to never open attachments or links from unknown sources, and to verify all apparently trusted senders' identities before opening anything they have sent.
  • Sandbox: Use anti-malware tools that will sandbox all email attachments and web links and attempt to assess whether or not they are malicious before allowing users to interact with them.
  • And even if they do know the sender, verify with the sender before opening.
  • Disable macros: By default, Microsoft Office disables all macro functionality. Leave it that way, security experts say.
  • Two factors: Implement two-factor authentication on all key systems to help blunt successful phishing attacks that lead to credential theft.

While all users should keep those information security basics in mind, as bitcoin's value continues to soar, it's a sure bet that anyone who dabbles in cryptocurrency will be at increasing risk from attackers.

***

This story has been updated to include findings published by Intezer, and comment from Luno.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.