The Lazarus group has now launched a new targeted attack against a crypto organization by exploiting the human element of the corporate chain.
According to cybersecurity researchers from F-Secure, the latest Lazarus attack was tracked back to a LinkedIn job advert. A system administrator received a phishing document through their personal LinkedIn account, presented as a job offer from a blockchain technology company looking for a new sysadmin with the employee’s skill set.
The phishing email is similar to Lazarus samples already made available on VirusTotal, including the same names, authors, and word count elements.
The Microsoft Word document claimed to be protected under the EU’s General Data Protection Regulation (GDPR), and so the document’s content could only be shown if macros were enabled.
Once macros are enabled, the document’s macro creates a .LNK file designed to execute mshta.exe and call out to a bit.ly link that leads to a VBScript.
This script conducts system checks and sends operational information to a command-and-control (C2) server. The C2 provides a PowerShell script able to fetch Lazarus malware payloads.
The infection chain changes depending on the system’s configuration, and the threat actors use a range of tools. These include two backdoor implants similar to those already documented by Kaspersky (.PDF) and ESET.
Lazarus is also using a custom portable executable (PE) loader, loaded into the lsass.exe process as a ‘security’ package that modifies registry keys using the schtasks Windows utility.
Other malware variants used by Lazarus are able to execute arbitrary commands, decompress data in memory, and download and execute additional files. These samples, including a file called LSSVC.dll, were also used to connect the backdoor implants to other target hosts.
Lazarus tried to avoid being detected by wiping evidence, including deleting security events and logs. However, it was still possible to get a few samples of the APT’s current toolkit to investigate the group’s current activities.
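The chain described above (an Office macro launching mshta.exe against a URL shortener, a ‘security’ package registered into lsass.exe via schtasks, and the Security log being cleared) is the kind of behaviour host telemetry can flag. The following Python is an added example, not code from the article or from F-Secure; the event field names and sample values are constructed, and the only real identifiers used are the standard LSA Security Packages registry value and Windows event ID 1102 (audit log cleared).

```python
# Added example: toy detection rules for the three behaviours in the write-up,
# run over constructed Sysmon-style event dicts. Field names are assumptions.

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Real registry value that LSA reads to load security packages into lsass.exe.
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"

def detect(events):
    """Return a list of (rule, detail) alerts for the supplied event dicts."""
    alerts = []
    for e in events:
        kind = e.get("type")
        # Rule 1: Office process spawning mshta.exe, or mshta.exe given a remote URL
        # (the macro -> .LNK -> mshta -> bit.ly step of the chain).
        if kind == "process" and e["image"].lower().endswith("mshta.exe"):
            parent = e.get("parent", "").lower().rsplit("\\", 1)[-1]
            if parent in OFFICE or "http" in e.get("cmdline", "").lower():
                alerts.append(("office_mshta_remote", e["cmdline"]))
        # Rule 2: a new LSA security package registered (code loaded into lsass.exe).
        elif kind == "registry" and e["key"].lower() == LSA_KEY.lower():
            alerts.append(("lsa_security_package", f'{e["image"]} -> {e["value"]}'))
        # Rule 3: Security event log cleared (Windows event ID 1102).
        elif kind == "eventlog" and e.get("event_id") == 1102:
            alerts.append(("audit_log_cleared", e.get("user", "?")))
    return alerts

# Constructed sample telemetry: one instance of each behaviour plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "mshta.exe https://bit.ly/PLACEHOLDER"},  # placeholder URL
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\schtasks.exe",
     "key": LSA_KEY, "value": "LSSVC"},  # package name constructed from the article's file name
    {"type": "eventlog", "event_id": 1102, "user": "CORP\\sysadmin"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Real deployments would read these fields from Sysmon (event IDs 1 and 13) and the Security channel rather than from a hard-coded list.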
Lazarus is an advanced persistent threat (APT) group which was formed in 2007 and believed to be linked to North Korea. Researchers have attributed the group as responsible for the global WannaCry attack wave, the $80 million Bangladeshi bank heist, and the 2018 HaoBao Bitcoin-stealing campaign.
The researchers think that the group will continue to target organizations within the cryptocurrency vertical as it is profitable, but they may also expand to target supply chain elements of the vertical to increase returns and longevity of the campaign.
Head of Trust and Safety at LinkedIn, Paul Rockwell said that they always check for signs of state-sponsored activity on the platform and immediately take action against bad actors in order to protect their members. Their threat intelligence team removes fake accounts using information they gather and intelligence from a variety of sources, including government agencies. He stated that their team makes use of various automated technologies together with a trained team of reviewers and member reporting, to keep their members safe from all types of bad actors.
Image credits: Bleeping Computer