Lazarus is back and targeting Bitcoin users
International cybercrime group Lazarus is back in action targeting Bitcoin users and global financial organisations, McAfee has warned.
In a blog post, McAfee security researchers have detailed a new aggressive Bitcoin-stealing phishing campaign by Lazarus that uses phishing emails and sophisticated malware to identify targets for further attacks.
The new campaign, dubbed HaoBao, bears the hallmarks of Lazarus’s previous attacks in 2017, but the new campaign targets Bitcoin users and global financial organisations.
The 2017 attacks targeted US Defense contractors, the US energy sector, financial organisations and cryptocurrency exchanges with phishing emails disguised as recruitment emails, containing malicious payloads designed to ultimately steal money or key military program insight.
In January, McAfee discovered a new campaign by the group designed to launch malicious implants into victims’ systems through a Visual Basic macro disguised in a malicious Word document.
The implant then scans a victim’s system for Bitcoin wallet software, collects information about the compromised system that could be used to assist an attack and sends this information to a command and control server.
While the techniques, tactics and procedures are very similar to the Lazarus campaigns from 2017 and the new attack contacts a domain that had been used to host a document from the previous campaigns, the implants themselves have never been seen before in the wild and were not used in the earlier campaigns.
“In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organisations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks,” McAfee said.
In more bad news for the already struggling cryptocurrency sector, Italian coin exchange Bitgrail has admitted that attackers have compromised its website and stolen 17 million units of the Nano (XRB) cryptocurrency — worth around US$170 million ($216 million).
Webroot’s senior threat research analyst, Tyler Moffitt, said that while attacks on coin exchanges are becoming commonplace, this was a particularly egregious case.
“Most hacks are performed by stealing the private keys to the addresses that were not secure enough, but this case was even worse. When withdrawing XRB from the Bitgrail exchange, the checks for your balance withdraw are only client side JavaScript,” he said.
“This allows anyone to edit their own JavaScript to say they have enough XRB to withdraw — even very large amounts. This gaping security hole was abused quickly to drain the exchange of the entire balance of XRB.”
Moffitt said the incidence underscores the importance of never storing large amounts of any cryptocurrency in an exchange.
“Make the trade and then get it out. If you aren’t in control of your private keys, then you aren’t in control of your crypto,” he said.
Secure-by-design software development for digital innovation
The rise of DevSecOps methodologies and developments in AI offers every business the opportunity...
Bolstering AI-powered cybersecurity in the face of increasing threats
The escalation of complex cyber risks is becoming a pressing issue for those in business...
How attackers are weaponising GenAI through data poisoning and manipulation
The possibility for shared large language models to be manipulated through data poisoning...
