Cybercriminals have plagued the crypto industry for several years, but few of them are as notorious as the Lazarus Group, a North Korean hacking group that is allegedly sponsored by the state itself.
Finnish cyber-security firm F-Secure has recently described a phishing campaign targeting cryptocurrency businesses around the globe. The firm attributes the attacks to the Lazarus Group.
“Our research, which included insights from our incident response, managed detection and response, and tactical defense units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident,” said F-Secure Director of Detection and Response Matt Lawrence.
According to the report, the campaign reached targets in several countries, including the Netherlands, Singapore, Germany, Japan, the US, and the UK, and relied on spear-phishing via LinkedIn: the attackers sent fake, tailored job offers to their targets.
The attackers primarily targeted system administrators at the victim companies and sent them a Microsoft Word document carrying a malicious macro.
When a target opened the file, the document claimed that its content could only be displayed once macros were enabled, citing the EU's regulatory requirements as the pretext.
Once macros were enabled, the macro code ran and gave the Lazarus Group control of the victim's system. From there the attackers bypassed the corporate firewall, disabled antivirus software, and stole the information they were after.
The attackers also covered their tracks by deleting the system logs that recorded the malicious tools they had used.
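The lure described above only works if the macro-enabled document reaches the administrator's inbox in the first place. The following is an added example, not code from F-Secure's report or from the campaign itself, of the kind of check a mail gateway or triage script can run on an Office attachment: it opens the OOXML (zip) container, looks for an embedded VBA project part and for the macro-enabled main content type, and flags legacy OLE (.doc) files separately, since their VBA streams need an OLE parser such as oletools' olevba. The `build_sample` helper produces a constructed, minimal document for testing and is not a real Word file.

```python
import io
import zipfile

# Content type Word uses for the main part of a macro-enabled (.docm) document
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
# Signature of the legacy binary Office (OLE2 / Compound File) format, e.g. old-style .doc
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def inspect_office_attachment(data: bytes) -> dict:
    """Return macro indicators for an Office attachment supplied as raw bytes."""
    result = {"container": "unknown", "has_vba_project": False, "macro_enabled_type": False}

    if data.startswith(OLE_MAGIC):
        # Legacy .doc: VBA lives in OLE streams, so hand it to an OLE-aware parser
        # (e.g. olevba) rather than trusting the extension. Flag it for manual review.
        result["container"] = "ole"
        return result

    if not data.startswith(b"PK"):
        return result  # not a zip container, so not an OOXML document

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result

    result["container"] = "ooxml"
    names = set(zf.namelist())
    # The VBA project is stored as a binary part; its presence means the file carries macros
    result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_enabled_type"] = MACRO_CONTENT_TYPE in content_types
    return result


def is_suspicious(data: bytes) -> bool:
    """True when the attachment carries a VBA project or declares itself macro-enabled.

    Legacy OLE files are reported as container == 'ole' and left for deeper inspection.
    """
    r = inspect_office_attachment(data)
    return r["has_vba_project"] or r["macro_enabled_type"]


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML document used to exercise the checks (not a real Word file)."""
    buf = io.BytesIO()
    main_ct = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real VBA project part
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" constructed vba project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro", build_sample(True)), ("plain", build_sample(False))):
        print(label, inspect_office_attachment(sample), "suspicious:", is_suspicious(sample))
    print("legacy", inspect_office_attachment(OLE_MAGIC + b"\x00" * 16))
```

Because the check reads the container rather than the file extension, a macro document renamed to .docx is still flagged; a file that is neither zip nor OLE is left alone so the rule does not fire on PDFs or images.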
“Lazarus Group invested significant effort to evade the target organization’s defences during the attack, such as by disabling anti-virus software on the compromised hosts, and removing evidence of their malicious implants.”
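Disabling antivirus and clearing event logs are themselves noisy events if someone is watching for them. The following is an added example, not part of F-Secure's report, of detection logic that runs over a handful of constructed Windows event records (in a simplified JSON-lines shape, not a real export) and flags the two behaviours the report describes: Defender's real-time protection being turned off (Defender Operational event 5001) and logs being cleared (Security event 1102, System event 104, or a `wevtutil cl` / `Clear-EventLog` command line). The hostname, timestamps and command lines in the sample are invented for illustration.

```python
import json
import re
from typing import Iterable

# Constructed sample events; the shape is a simplified JSON-lines form, not a real Windows export
SAMPLE_EVENTS = """
{"ts":"2020-08-25T09:01:12Z","host":"ws-admin01","channel":"Security","event_id":4624,"msg":"An account was successfully logged on"}
{"ts":"2020-08-25T09:03:40Z","host":"ws-admin01","channel":"Microsoft-Windows-Windows Defender/Operational","event_id":5001,"msg":"Real-time protection is disabled"}
{"ts":"2020-08-25T09:04:02Z","host":"ws-admin01","channel":"Security","event_id":4688,"msg":"A new process has been created","cmdline":"wevtutil.exe cl Security"}
{"ts":"2020-08-25T09:04:03Z","host":"ws-admin01","channel":"Security","event_id":1102,"msg":"The audit log was cleared"}
{"ts":"2020-08-25T09:04:05Z","host":"ws-admin01","channel":"System","event_id":104,"msg":"The System log file was cleared"}
{"ts":"2020-08-25T09:10:00Z","host":"ws-dev07","channel":"Security","event_id":4688,"msg":"A new process has been created","cmdline":"notepad.exe C:\\\\notes.txt"}
"""

# (channel, event_id) pairs that on their own indicate defensive tampering
EVENT_RULES = {
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_realtime_disabled",
    ("Security", 1102): "security_log_cleared",
    ("System", 104): "system_log_cleared",
}

# Process command lines that clear logs or switch Defender off (case-insensitive)
CMDLINE_RULES = [
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "wevtutil_clear_log"),
    (re.compile(r"\bClear-EventLog\b", re.I), "powershell_clear_eventlog"),
    (re.compile(r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\b", re.I),
     "defender_disabled_via_powershell"),
]


def parse_events(text: str) -> list:
    """Parse JSON-lines event text into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: Iterable[dict]) -> list:
    """Return one alert per event that matches an event-ID or command-line rule."""
    alerts = []
    for ev in events:
        key = (ev.get("channel"), ev.get("event_id"))
        if key in EVENT_RULES:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "rule": EVENT_RULES[key]})
        cmdline = ev.get("cmdline", "")
        for pattern, name in CMDLINE_RULES:
            if pattern.search(cmdline):
                alerts.append({"host": ev["host"], "ts": ev["ts"], "rule": name})
    return alerts


def evasion_hosts(alerts: Iterable[dict]) -> list:
    """Hosts showing both AV tampering and log clearing, the combination the report describes."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a["host"], set()).add(a["rule"])
    hits = []
    for host, rules in rules_by_host.items():
        av_tampered = any(r.startswith("defender") for r in rules)
        logs_cleared = any("clear" in r for r in rules)
        if av_tampered and logs_cleared:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(a["ts"], a["host"], a["rule"])
    print("hosts with AV tampering AND log clearing:", evasion_hosts(found))
```

Each single rule is worth an alert on its own, but the `evasion_hosts` correlation is the higher-confidence signal: an administrator occasionally clears a log, and Defender is sometimes switched off for a software install, while the two together on one host within minutes is the pattern of an intruder cleaning up. Forwarding events off the host before they can be cleared is what makes the 1102/104 records survive at all.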
No information has been released on what damage these attacks caused, but the firm warns that "this is part of an ongoing campaign".
Attacks keep coming
As previously reported by The Daily Chain, another Lazarus Group malware family, dubbed AppleJeus, was reported earlier this year. That malware loaded its payload in memory rather than writing it to the hard drive, which helped it remain undetected.
Security firm Kaspersky Lab issued a warning at the time, stating:
“We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon. Since the initial appearance of Operation AppleJeus, we can see that over time the authors have changed their modus operandi considerably. We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated.”