Lazarus hacking group rises again with new bitcoin-stealing cyberattacks against banks

New 'HaoBao' campaign also plants the seeds for additional espionage on targeted machines.
Written by Danny Palmer, Senior Writer

The Lazarus Group has risen to attack again - this time it's after cryptocurrency.


The Lazarus hacking operation is targeting global banks in attacks designed to steal bitcoin - while also planting the seeds for future reconnaissance operations.

An advanced threat group thought to be linked to North Korea, Lazarus is believed to be responsible for several major attacks, including the WannaCry ransomware outbreak, the $81m Bangladesh Bank cyber heist and the 2014 Sony Pictures hack.

Now Lazarus has resurfaced once again, with a spear-phishing campaign that aims to plant malware on the systems of global financial organisations and bitcoin users, for both short-term gain (theft) and long-term gain (reconnaissance).

Dubbed 'HaoBao', the campaign was uncovered by McAfee Labs. It differs from earlier Lazarus phishing operations in that it uses previously unseen implant code to infect machines.

The latest Lazarus campaign was first spotted in mid-January, when researchers discovered a malicious document being distributed via a Dropbox link. The document claimed to be a job advert for a business development executive position in Hong Kong at a large multinational bank.

The document's author is listed as 'Windows User' and its metadata shows it was created in Korean; similar documents appeared in the days that followed.

Attackers pose as a recruiter and send the target a spear-phishing email carrying the fake job advert. When opened, the document urges the user to 'enable content' in order to view a file supposedly created with an earlier version of Word.

This is a ploy to trick the victim into enabling VBA macros, which then run the attackers' code and begin the process of implanting the malware.


Researchers note that the implants used in this campaign have not previously been seen in the wild and were not used in earlier Lazarus campaigns. The implants contain the string "haobao", from which researchers took the malware's name. Because the code is new, signature-based defences have nothing to match against, which makes the attack more difficult to uncover.

"Low detection rates paired with low prevalence in the wild will make a targeted implant much more difficult to detect," Ryan Sherstobitoff, Senior Analyst of Major Campaigns at McAfee told ZDNet.

Once the second-stage payload is installed, the malware checks for a specific registry key, 'HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt'. That key is created by the Bitcoin Core (Bitcoin-Qt) wallet client, so its presence tells the attackers that a wallet is installed on the machine.

If the key is present, the implant reports this to the command-and-control infrastructure, which then initiates the process of stealing the cryptocurrency.

However, the malware does more than hunt for bitcoin wallets: the HaoBao implant also gives the attackers a backdoor with which to spy on the victim's system.

The computer name, the logged-in username and the full list of running processes are sent to the attackers, who can use this information to plan further attacks in future.
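The two host-side behaviours described above (a macro-enabled document launching a second stage, and a non-wallet process touching the Bitcoin-Qt registry key) are both detectable from ordinary endpoint telemetry. The following is an added example, not code from the article or from McAfee, of detection rules run over a handful of constructed Sysmon-style and Windows Security-style event records. It assumes Sysmon process-creation events (Event ID 1) and, for the registry check, that an audit SACL has been placed on HKCU\Software\Bitcoin\Bitcoin-Qt so that reads of the key raise Security Event ID 4663; without that SACL an implant reading the key through the registry API leaves no command-line trace, and only the weaker command-line rule applies. All paths, SIDs and file names in the sample events are invented.

```python
"""Detection rules for the HaoBao-style tradecraft described above.

Added example over constructed sample telemetry; nothing here is the
implant's own code or McAfee's detection content.
"""
import re

# Office hosts that a phishing document would be opened in.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office process has no normal reason to spawn; macro stagers use these.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                       "bitsadmin.exe", "msiexec.exe"}
# The only processes expected to touch the Bitcoin-Qt settings key.
WALLET_OWNERS = {"bitcoin-qt.exe", "bitcoind.exe"}
# Matches the key as it appears in a command line (HKCU / HKEY_CURRENT_USER)
# or in a 4663 ObjectName (\REGISTRY\USER\<SID>\...).
WALLET_KEY_RE = re.compile(
    r"(?:HKCU|HKEY_CURRENT_USER|\\REGISTRY\\USER\\S-1-5-21-[\d-]+)"
    r"\\Software\\Bitcoin\\Bitcoin-Qt\b",
    re.IGNORECASE,
)


def image_name(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_office_spawns_child(ev):
    """Sysmon Event ID 1: macro-enabled document launching a loader."""
    if ev.get("EventID") != 1:
        return None
    parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}: {ev['CommandLine']}"
    return None


def rule_wallet_key_probe(ev):
    """A process other than the wallet itself touching the Bitcoin-Qt key.

    Two sources: a command line naming the key (Sysmon ID 1) and an
    Object Access audit record (Security 4663) produced by the audit SACL
    assumed to be set on the key.
    """
    eid = ev.get("EventID")
    if eid == 1:
        target, proc = ev.get("CommandLine", ""), image_name(ev["Image"])
    elif eid == 4663 and ev.get("ObjectType") == "Key":
        target, proc = ev.get("ObjectName", ""), image_name(ev["ProcessName"])
    else:
        return None
    if WALLET_KEY_RE.search(target) and proc not in WALLET_OWNERS:
        return f"{proc} accessed wallet key: {target}"
    return None


RULES = [rule_office_spawns_child, rule_wallet_key_probe]


def scan(events):
    """Return (rule name, RecordId, detail) for every event a rule fires on."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((rule.__name__, ev["RecordId"], detail))
    return alerts


# Constructed sample events (invented paths, SID and file names).
SID = r"S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_EVENTS = [
    # 1: Word starting its print helper; legitimate, must not alert.
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "splwow64.exe 8192"},
    # 2: the macro launching a dropped second stage via cmd.exe.
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'cmd.exe /c "%TEMP%\stage2.exe"'},
    # 3: a command-line probe of the wallet key.
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKCU\Software\Bitcoin\Bitcoin-Qt"'},
    # 4: the user launching the real wallet; benign.
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Program Files\Bitcoin\bitcoin-qt.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "bitcoin-qt.exe"},
    # 5: the wallet reading its own key (SACL audit event); benign.
    {"RecordId": 5, "EventID": 4663, "ObjectType": "Key",
     "ObjectName": "\\REGISTRY\\USER\\" + SID + r"\Software\Bitcoin\Bitcoin-Qt",
     "ProcessName": r"C:\Program Files\Bitcoin\bitcoin-qt.exe"},
    # 6: the dropped stage reading the key through the registry API.
    {"RecordId": 6, "EventID": 4663, "ObjectType": "Key",
     "ObjectName": "\\REGISTRY\\USER\\" + SID + r"\Software\Bitcoin\Bitcoin-Qt",
     "ProcessName": r"C:\Users\victim\AppData\Local\Temp\stage2.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block flags records 2, 3 and 6 and stays silent on the print helper and on the wallet's own activity. The 4663 path is the one worth deploying: an implant that calls the registry API directly never shows the key on a command line, so the audit SACL on the wallet key acts as a canary for any process other than Bitcoin Core that reads it.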

McAfee attributes this cryptocurrency-stealing campaign to Lazarus because "techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and cryptocurrency exchanges in 2017".

McAfee also notes that HaoBao contacts a domain used in previous Lazarus campaigns, that the documents share an author and structure with documents previously constructed by the group, and that "the techniques, tactics and procedures align with Lazarus group's interest in cryptocurrency theft".

The operation is thought to be ongoing as the Lazarus group continues its efforts to acquire funds, despite the recent volatility of bitcoin, because the flow of cryptocurrency remains difficult to restrict.

"Lazarus has shifted to heavy targeting of cryptocurrency due to the lack of solid regulations. Additionally, sanctions are harder to enforce with cryptocurrency than hard currency," said Sherstobitoff.
