Lazarus is back and targeting Bitcoin users

By Dylan Bushell-Embling
Tuesday, 13 February, 2018


International cybercrime group Lazarus is back in action targeting Bitcoin users and global financial organisations, McAfee has warned.

In a blog post, McAfee security researchers have detailed a new aggressive Bitcoin-stealing phishing campaign by Lazarus that uses phishing emails and sophisticated malware to identify targets for further attacks.

The new campaign, dubbed HaoBao, bears the hallmarks of Lazarus’s previous attacks in 2017, but the new campaign targets Bitcoin users and global financial organisations.

The 2017 attacks targeted US Defense contractors, the US energy sector, financial organisations and cryptocurrency exchanges with phishing emails disguised as recruitment emails, containing malicious payloads designed to ultimately steal money or key military program insight.

In January, McAfee discovered a new campaign by the group designed to launch malicious implants into victims’ systems through a Visual Basic macro disguised in a malicious Word document.

The implant then scans a victim’s system for Bitcoin wallet software, collects information about the compromised system that could be used to assist an attack and sends this information to a command and control server.

While the techniques, tactics and procedures are very similar to the Lazarus campaigns from 2017 and the new attack contacts a domain that had been used to host a document from the previous campaigns, the implants themselves have never been seen before in the wild and were not used in the earlier campaigns.

“In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organisations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks,” McAfee said.

In more bad news for the already struggling cryptocurrency sector, Italian coin exchange Bitgrail has admitted that attackers have compromised its website and stolen 17 million units of the Nano (XRB) cryptocurrency — worth around US$170 million ($216 million).

Webroot’s senior threat research analyst, Tyler Moffitt, said that while attacks on coin exchanges are becoming commonplace, this was a particularly egregious case.

“Most hacks are performed by stealing the private keys to the addresses that were not secure enough, but this case was even worse. When withdrawing XRB from the Bitgrail exchange, the checks for your balance withdraw are only client side JavaScript,” he said.

“This allows anyone to edit their own JavaScript to say they have enough XRB to withdraw — even very large amounts. This gaping security hole was abused quickly to drain the exchange of the entire balance of XRB.”
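The weakness Moffitt describes, a withdrawal whose balance check runs only in the browser, shown as an added illustration that is not code from the article, from Bitgrail or from Webroot. A handler that trusts a client-supplied check result sits beside one that validates and debits against the exchange's own ledger; the account names, balances and request shape are all constructed for the example.

```javascript
// Added example (not from the article or from Bitgrail): a withdrawal
// handler that trusts the client's own balance check, beside one that
// consults the server-side ledger. All account data below is constructed.

// Constructed ledger: XRB balances the exchange itself records per account.
const ledger = new Map([
  ['alice', 120],
  ['bob', 5],
]);

// Vulnerable pattern: the request carries the result of a balance check
// that ran in the browser. The server never re-reads the ledger, so a
// request claiming balanceOk is honoured whatever the ledger says.
function withdrawTrustingClient(request, balances = ledger) {
  const { account, amount, balanceOk } = request;
  if (!balanceOk) {
    return { ok: false, reason: 'client reported insufficient balance' };
  }
  balances.set(account, (balances.get(account) || 0) - amount); // can go negative
  return { ok: true, remaining: balances.get(account) };
}

// Hardened pattern: the only inputs taken from the client are the account
// and the requested amount. Validation and the debit happen against the
// server-side ledger, and anything the client asserts about its own
// balance is ignored entirely.
function withdrawServerChecked(request, balances = ledger) {
  const { account, amount } = request;
  if (!Number.isFinite(amount) || amount <= 0) {
    return { ok: false, reason: 'invalid amount' };
  }
  const available = balances.get(account);
  if (available === undefined) {
    return { ok: false, reason: 'unknown account' };
  }
  if (amount > available) {
    return { ok: false, reason: 'insufficient balance' };
  }
  balances.set(account, available - amount);
  return { ok: true, remaining: available - amount };
}

// Runs both handlers on fresh copies of the ledger so the calls don't interfere.
function demo() {
  const vulnerable = new Map(ledger);
  const hardened = new Map(ledger);
  // Constructed request: bob holds 5 XRB, yet the request asserts balanceOk.
  const oversized = { account: 'bob', amount: 1000, balanceOk: true };
  return {
    vulnerable: withdrawTrustingClient(oversized, vulnerable),
    hardened: withdrawServerChecked(oversized, hardened),
    vulnerableLedger: vulnerable.get('bob'),
    hardenedLedger: hardened.get('bob'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the run, the trusting handler approves the 1000 XRB withdrawal and leaves bob's balance at -995, while the server-checked handler rejects it and the ledger stays at 5. In a real deployment the balance read and the debit in the hardened handler would also need to run as a single atomic transaction against the datastore, so that two concurrent withdrawals cannot both pass the check against the same balance; that is a general requirement, not something the article discusses.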

Moffitt said the incident underscores the importance of never storing large amounts of any cryptocurrency on an exchange.

“Make the trade and then get it out. If you aren’t in control of your private keys, then you aren’t in control of your crypto,” he said.
