Uncovered by Secureworks, the attacks have targeted employees of at least one London-based cryptocurrency company, in what researchers suggest is an attempt to steal bitcoin.
"Our inference based on previous activity is that this is the goal of the attack, particularly in light of recent reporting from other sources that North Korea has an increased focus on bitcoin and obtaining bitcoin," Rafe Pilling, senior security researcher at Secureworks, told ZDNet.
Researchers note that North Korea has shown active interest in Bitcoin since at least 2013, with usernames and IP addresses in North Korea regularly linked to research into the cryptocurrency, as well as to criminal and espionage campaigns to acquire it.
The latest round of cyber attacks targets financial executives of cryptocurrency firms with a phishing email purporting to contain information about a Chief Financial Officer position.
The message contains a Microsoft Word attachment which, when opened, tells the user they need to enable editing in order to see the document. If the user follows the instruction, a hidden malicious macro runs and carries out the next stage of the attack.
This macro creates a separate decoy document containing the description for a fake CFO role at a European-based Bitcoin company. The decoy appears to be based on the LinkedIn profile of an actual CFO at a cryptocurrency firm in the Far East. Researchers note that the Lazarus Group is known to have copied and pasted job descriptions from recruitment sites in previous campaigns.
While the user is looking at this document, a Remote Access Trojan is installed in the background, providing the attackers with full access to the victim's computer and allowing them to download additional malware at any point.
Researchers say the malware used in this particular campaign looks to be a new form of trojan, potentially crafted for these attacks.
Nonetheless, the malware appears to share some elements with previous attacks by the Lazarus Group, such as components of the C2 protocol it uses to communicate with command and control servers. This has led the Secureworks Counter Threat Unit to attribute it to Lazarus and North Korea with "high confidence".
Pilling told ZDNet that the switch in focus to directly targeting cryptocurrency firms in an effort to steal bitcoin demonstrates a change in tactics for the Lazarus Group.
"The interesting thing here is that the technique and the tactics being used since last summer mark a change in the nature of the lure and the nature of the targeting. Previously, Lazarus used defence-themed lures to target defence organisations, but now they're using bitcoin-themed lures to target financial companies," he said.
Researchers are still investigating the scale of the campaign, but it's thought that the phishing emails started to be distributed in late October and that attacks are still ongoing.
To protect against this type of phishing and malware distribution campaign, Secureworks recommends providing training on social engineering, disabling macros in Word documents and implementing two-factor authentication across key systems.