Lazarus is back and targeting Bitcoin users
International cybercrime group Lazarus is back in action targeting Bitcoin users and global financial organisations, McAfee has warned.
In a blog post, McAfee security researchers have detailed an aggressive new Bitcoin-stealing campaign by Lazarus that uses phishing emails and sophisticated malware to identify targets for further attacks.
The campaign, dubbed HaoBao, bears the hallmarks of Lazarus’s previous attacks in 2017, but this time targets Bitcoin users and global financial organisations.
The 2017 attacks targeted US Defense contractors, the US energy sector, financial organisations and cryptocurrency exchanges with phishing emails disguised as recruitment emails, containing malicious payloads designed to ultimately steal money or key military program insight.
In January, McAfee discovered a new campaign by the group designed to launch malicious implants on victims’ systems through a Visual Basic macro hidden in a malicious Word document.
The implant then scans a victim’s system for Bitcoin wallet software, collects information about the compromised system that could be used to assist an attack and sends this information to a command and control server.
While the techniques, tactics and procedures are very similar to the Lazarus campaigns from 2017 and the new attack contacts a domain that had been used to host a document from the previous campaigns, the implants themselves have never been seen before in the wild and were not used in the earlier campaigns.
“In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organisations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks,” McAfee said.
In more bad news for the already struggling cryptocurrency sector, Italian coin exchange Bitgrail has admitted that attackers have compromised its website and stolen 17 million units of the Nano (XRB) cryptocurrency — worth around US$170 million ($216 million).
Webroot’s senior threat research analyst, Tyler Moffitt, said that while attacks on coin exchanges are becoming commonplace, this was a particularly egregious case.
Moffitt said the incident underscores the importance of never storing large amounts of any cryptocurrency in an exchange.
“Make the trade and then get it out. If you aren’t in control of your private keys, then you aren’t in control of your crypto,” he said.