Cybertheft gang “Lazarus” is at it again: cryptocurrency users and global banks are at risk

McAfee has discovered a new, more sophisticated strain of malware that seeks out cryptocurrency activity.

McAfee Advanced Threat Research (McAfee ATR) has reported a new, more sophisticated strain of malware. This time the malware is far more patient, and it is after bigger targets: Bitcoin users and global banks. It scans the infected machine for Bitcoin activity, gathers data, and relies on a downloaded second stage to stay on the system for the long term.

According to McAfee ATR, the malware comes from the Lazarus Group, the same notorious cybertheft gang behind the infamous WannaCry ransomware, which encrypts the files on a victim's computer and demands a ransom, paid in bitcoin, for the key to recover them. The group is also believed to be behind several large cryptocurrency heists, as well as multi-million dollar cyberheists against Southeast Asian and European banks.

McAfee ATR says this new malware descends from last month's phishing email campaign, in which a seemingly innocuous Word document describing a fake job recruitment was circulated to trick recipients into opening it.

The malicious document tells the reader it was created with an earlier version of MS Word and asks them to enable content. Doing so runs the embedded Visual Basic macro, which drops the malware onto the victim's computer.

The new malware, called HaoBao, takes cryptocurrency crime to a new level of sophistication: its implant is a new breed that was not present in previous Lazarus campaigns.

“McAfee ATR analysis finds the dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017,” Ryan Sherstobitoff wrote for McAfee ATR. “Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word ‘haobao’ that is used as a switch when executing from the Visual Basic macro.”

How HaoBao works. Source: McAfee
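The detail that matters for defenders in the quote above is the execution chain: a macro in a lure document drops a binary and launches it with a hardcoded switch. The script below is an added example, not McAfee's code and not from the original article. It triages constructed, Sysmon Event ID 1 style process-creation events (field names modeled on Sysmon; every host name, user, path and file name is invented) and flags the three things a macro-dropped implant usually leaves behind: an Office application as parent process, a child binary in a user-writable directory, and the "haobao" switch on the command line. That the implant shows up as a child of the Office process is an assumption about how macro-launched executables typically surface, not something the article states.

```python
"""Triage of process-creation events for a macro-launched implant.

Added example: not McAfee's code and not from the article. The events below
are constructed, Sysmon Event ID 1 style, with invented file names and paths.
"""
import re

# Office applications whose child processes deserve scrutiny when a macro runs.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Locations where a legitimately installed binary would live.
TRUSTED_ROOTS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)

# Locations a macro can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|programdata|users\\[^\\]+\\downloads)\\", re.I)

# The hardcoded switch McAfee ATR saw the macro pass to the implant,
# matched as a whole command-line token.
SWITCH = re.compile(r"(?<!\S)haobao(?!\S)", re.I)


def triage(event):
    """Return the list of reasons an event looks like a macro-dropped implant.
    An empty list means nothing in the event matched."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"]
    reasons = []
    if parent in OFFICE_PARENTS and not TRUSTED_ROOTS.match(image):
        reasons.append("Office application spawned a binary outside trusted roots")
    if parent in OFFICE_PARENTS and USER_WRITABLE.search(image):
        reasons.append("child binary lives in a user-writable directory")
    if SWITCH.search(event["CommandLine"]):
        reasons.append("command line carries the 'haobao' switch")
    return reasons


# Constructed sample events (hypothetical users, paths and file names).
SAMPLE_EVENTS = [
    {   # macro drops the first-stage implant to %TEMP% and runs it with the switch
        "ProcessId": 4412,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\svc.exe" haobao',
    },
    {   # benign: Word hands a print job to the spooler shim in C:\Windows
        "ProcessId": 4420,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
    {   # benign: user runs an installer from Downloads via Explorer
        "ProcessId": 5010,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\alice\Downloads\setup.exe",
        "CommandLine": r'"C:\Users\alice\Downloads\setup.exe" /S',
    },
    {   # second stage re-launched by a scheduled task, so no Office parent
        "ProcessId": 6124,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\ProgramData\update.exe",
        "CommandLine": r"C:\ProgramData\update.exe haobao",
    },
]


def flagged(events):
    """Map ProcessId -> reasons for every event with at least one reason."""
    return {e["ProcessId"]: triage(e) for e in events if triage(e)}


if __name__ == "__main__":
    for pid, reasons in flagged(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run on the sample, the script flags the macro-launched process on all three counts and the re-launched second stage on the switch alone, while the print-spooler child of Word and the Explorer-launched installer pass. The literal switch is the weakest of the three checks, since a rebuilt sample can rename it; the parent-process and path heuristics are what carry over to the next Office-macro campaign, and they are the ones to tune (allowlisting whatever legitimately spawns from Office in your environment) before running this over real Sysmon data.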

Although the group has been tracked under this name for only a few years (as far as we know), Lazarus has rapidly added several infamously devastating cyber attacks to its portfolio. Global cybersecurity company Kaspersky Lab has been hunting Lazarus since the group came to wide attention in 2016, when it attempted to steal $851 million from a bank and got away with $81 million. Kaspersky Lab has been monitoring the group's modus operandi and says over 150 malware samples have been attributed to the notorious gang.

Note: Tokens in the SegWit chain are referred to as SegWit1X (BTC) and SegWit Gold (SWG) and are no longer Bitcoin. Bitcoin Cash (BCH) is the only true  Bitcoin as intended by the original Satoshi white paper.  Bitcoin BCH is the only public block chain that offers safe and cheap microtransactions.

South Korea pins 2017 crypto theft on North’s hackers

Despite heavy regulation and privacy fines from its government, South Korean exchanges continue to operate and to accommodate the country's growing number of cryptocurrency users. In a Reuters report, South Korean intelligence officials accused North Korean hackers of infiltrating the country's exchanges and stealing cryptocurrency worth billions of won in 2017.

Kim Byung-kee, a member of South Korea's parliamentary intelligence committee, was quoted as saying, “North Korea sent emails that could hack into cryptocurrency exchanges and their customers’ private information and stole (cryptocurrency) worth billions of won.” He did not disclose which South Korean exchanges were hacked.

With digital currency initiatives on the rise around the world, North Korea has reportedly been covertly developing and mining its own cryptocurrency in a bid to bolster its economy under heavy international sanctions. According to South Korea's intelligence agency, North Korea has continued to carry out related cyberattacks, with mounting evidence pointing to a specific unit called “Lazarus.”

North Korea's offensives in cyberspace are escalating, according to cybersecurity experts. Information security firm Recorded Future said North Korea carried out hacking campaigns in late 2017, right before the North-South dialogue began.

The backdoor malware used in the exchange attacks was also used against Sony Pictures Entertainment in 2014 and against the first WannaCry ransomware victims in February 2017. The hacking unit responsible has been identified as the “Lazarus” group on the basis of overlaps in code and malware infrastructure that point to the same intrusion tradecraft.

Security firm Symantec has also identified the group as the unit responsible for other financially motivated attacks, linking it to an attack on a bank in the Philippines in 2016, the theft of at least $81 million from the Bangladesh central bank, and an attempt to steal over a million U.S. dollars from Vietnam's Tien Phong Bank in 2015.

Kim said the Lazarus group primarily used phishing campaigns to spread its malware, socially engineering its targets with tailored lures. The campaigns specifically targeted South Korean college students interested in foreign affairs and other South Koreans researching North Korea's history and politics.

In an analysis by infosec research firm AlienVault, an application compiled on Christmas Eve 2017 was found to be an installer for cryptocurrency mining software. The application mined Monero and sent all of its proceeds to Kim Il Sung University in Pyongyang, North Korea. AlienVault notes that the file is likely based on the open-source miner xmrig, and that the password “KJU” embedded in the app may be a reference to Kim Jong-un, North Korea's leader since 2011.

In a tweet, Simon Choi, director of South Korean security company Hauri, reported that the infected files exploited a zero-day vulnerability in Adobe Flash Player. The vulnerability affects Flash versions 28.0.0.137 and earlier and allows attackers to execute code remotely on most operating systems; until Adobe's fix is applied, disabling or removing Flash Player removes the exposure. Here's a hash of the incident response for full reference.

With these threats facing South Korean cryptocurrency investors and exchanges, Kim said the government was “doing its best” to protect the interests of its people. As researchers and security analysts continue to uncover security flaws, threats like North Korea's Lazarus hacking unit will continue to exploit them and steal from cryptocurrency exchanges. For users of leading cryptocurrencies like Bitcoin Cash, it is best to follow crypto security best practices: use a hardware wallet that supports Bitcoin Cash, keep up to date with the standard address formats, and actively monitor where funds come from and where they go.
