Link Between Attacks on Cryptocurrency and Banks in South Korea
Malicious Documents Used in Cyber-Attacks
Recent cyber-attacks on South Korea by the North Korea-linked Lazarus Group have raised concerns about a potential link between attacks on cryptocurrency and banks in the country. AlienVault, a cybersecurity firm, has discovered similarities among the malicious documents used in these attacks, suggesting a common thread.
Attack Methods and Tactics
The attack methods employed by the Lazarus Group in South Korea are similar to those seen in recent attacks on banks and Bitcoin exchanges. Using the Manuscrypt malware, Lazarus communicates with its infrastructure by impersonating South Korean forum software. The three samples analyzed by the AlienVault Labs team were found to be files for Hangul Word Processor (HWP), a document editor popular in South Korea.
These malicious documents contained PostScript code that would download a 32- or 64-bit version of the next stage of the attack. One of the documents referred to the G20 International Financial Architecture Working Group Meeting and had the ability to query CPU information and register a top-level exception handler. Another document was disguised as a fake resume.
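Because the payload in these documents is PostScript carried inside an HWP file, a defender can triage the embedded attachments before any viewer parses them. The following is an added example written for this article, not code from AlienVault or from the report it summarizes; it assumes the BinData streams have already been pulled out of the HWP container (for instance with the third-party olefile module, not used here) and that, as in HWP 5.x, each stream is stored as a raw-deflate blob. The scoring thresholds and both sample documents are constructed for illustration.

```python
"""Heuristic triage of PostScript (EPS) attachments extracted from HWP BinData."""
import re
import zlib

# Indicators that a legitimate embedded image rarely needs: a PostScript header
# combined with very long hex literals and self-modifying/looping constructs.
PS_HEADER = re.compile(rb"^%!PS(-Adobe)?", re.M)
HEX_LITERAL = re.compile(rb"<([0-9A-Fa-f\s]{256,})>")
SUSPICIOUS_TOKENS = (b"exec", b"putinterval", b"string", b"loop", b"copy")


def inflate_bindata(stream: bytes) -> bytes:
    """HWP stores BinData with raw deflate (no zlib header); fall back to raw bytes."""
    try:
        out = zlib.decompressobj(-15).decompress(stream)
    except zlib.error:
        return stream
    return out or stream


def score_postscript(stream: bytes) -> dict:
    """Return indicator hits and a verdict for one extracted BinData stream."""
    data = inflate_bindata(stream)
    hits = {
        "is_postscript": bool(PS_HEADER.search(data)),
        "long_hex_literals": len(HEX_LITERAL.findall(data)),
        "suspicious_tokens": sorted(t.decode() for t in SUSPICIOUS_TOKENS if t in data),
    }
    # Weights are assumptions chosen for this example, not a published rule.
    hits["score"] = (2 * hits["is_postscript"] + 3 * min(hits["long_hex_literals"], 2)
                     + len(hits["suspicious_tokens"]))
    hits["suspicious"] = hits["is_postscript"] and hits["score"] >= 6
    return hits


def build_sample(body: bytes) -> bytes:
    """Constructed fixture: deflate a PostScript body the way HWP would store it."""
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(body) + comp.flush()


# Constructed samples: a plain EPS drawing and one carrying the indicators above.
BENIGN_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n0 0 moveto 10 10 lineto stroke\nshowpage\n"
SUSPICIOUS_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n/buf 4096 string def\n/blob <" + b"41" * 200
                  + b"> def\n0 1 255 { pop buf 0 blob putinterval } loop\nbuf exec\n")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_EPS), ("suspicious", SUSPICIOUS_EPS)):
        print(name, score_postscript(build_sample(body)))
```

In practice the verdict should feed a quarantine or analyst queue rather than block on its own, since the token list will also fire on some unusual but legitimate EPS artwork.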
Similarities with Recent Cryptocurrency Exchange Hack
Interestingly, the documents used in the recent hack of the South Korean cryptocurrency exchange also involved malicious HWP files and fake resumes. Bithumb, a major South Korean Bitcoin exchange, was targeted in the attack, resulting in the theft of $30 million worth of coins.
AlienVault noted that there were earlier reports of related malicious HWP documents from Lazarus targeting cryptocurrency users in South Korea. The group appears to be not only delivering malware but also phishing for credentials, indicating a sophisticated and persistent threat.
Continued Activity by Lazarus Group
If these attacks are indeed connected to Lazarus, the group shows no signs of slowing down. Lazarus has been responsible for several attacks against banks and has collected sizable payouts from its malicious activities.
While there is evidence linking the recent attacks to Lazarus, some researchers have suggested that the group’s typical modus operandi may not align with the recent attacks. Lazarus usually prefers to compromise legitimate websites rather than engage in domain registration for malicious purposes.
Overall, the link between attacks on cryptocurrency and banks in South Korea raises concerns about the evolving tactics of cybercriminals and the need for increased vigilance in the face of these threats.