McAfee Uncovers Aggressive Bitcoin-Stealing Phishing Campaign by Lazarus Group
An aggressive Bitcoin-stealing phishing campaign mounted by the international cybercrime group Lazarus and using sophisticated, brand-new malware has been uncovered by McAfee Advanced Threat Research (ATR) analysts.
The Campaign Details
The campaign, dubbed HaoBao, is a continuation of Lazarus’ previous phishing email efforts targeting US defense contractors, the energy sector, financial institutions, and cryptocurrency exchanges. The objective of the campaign is to gain access to the target’s environment and obtain key military program insight or steal money. The latest targeted emails are aimed at Bitcoin users and global financial organizations.
In mid-January, McAfee discovered a malicious document masquerading as a job recruitment ad for a “Business Development Executive” at a large multinational bank located in Hong Kong. The document was distributed via a Dropbox account. When a recipient opens the malicious document attached to the email, a notification claiming that the document was created in an earlier version of Microsoft Word persuades them to enable content (that is, to allow macros to run). Once enabled, a Visual Basic macro in the document launches an implant on the recipient’s system.
Sophisticated Malware
The malware used in this campaign scans the infected system for Bitcoin-related activity and establishes a secondary implant for long-term data gathering. The implants used in this campaign had not been seen before, indicating a new level of sophistication in the group’s tooling.
McAfee analyst Ryan Sherstobitoff stated, “This is the mark of a new campaign, though it utilizes techniques, tactics and procedures observed in 2017. McAfee ATR analysis finds the dropped implants have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence.”
Continued Threat
Nothing indicates that the Lazarus Group will stop these efforts. Sherstobitoff mentioned, “Despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans.”
The discovery of this aggressive Bitcoin-stealing phishing campaign highlights the need for heightened cybersecurity measures within the cryptocurrency and financial industries to protect against sophisticated cyber threats.