North Korea’s Lazarus targets cryptocurrency vertical

The Lazarus Group, the advanced persistent threat (APT) group aligned to the interests of the North Korean government, is orchestrating a cyber attack campaign against organisations working in the cryptocurrency vertical located in Germany, Japan, the Netherlands, Singapore, the UK and the US, according to new research by F-Secure.

Lazarus, which also goes by the name of APT38 and was behind the 2014 hack of Sony Pictures and the 2017 WannaCry incident, was fingered by F-Secure’s researchers during an incident response investigation conducted by the Finnish security firm at a victim. During this process, it found that the malicious implants used in the attack were virtually identical to other tools previously used by Lazarus.

“Our research, which included insights from our incident response, managed detection and response, and tactical defence units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident,” said Matt Lawrence, F-Secure’s director of detection and response.

“The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important. Companies can use the report to familiarise themselves with this incident, the TTPs [tactics, techniques and procedures], and Lazarus Group in general, to help protect themselves from future attacks.”

In a newly published report, F-Secure set out details of the attack, which seems to begin with a convincing spear-phishing attack conducted via LinkedIn in the form of a fake job offer tailored to its target’s profile.

This phishing email was very similar to publicly available samples uploaded to VirusTotal, and contained a document that was supposedly protected by the General Data Protection Regulation (GDPR) and needed to be enabled in Microsoft Word to be accessed. Enabling this content resulted in the execution of malicious embedded macro code on the victim’s system.

The report goes on to detail the infection chain used in this particular campaign, as well as other TTPs used by Lazarus.

Lawrence warned that Lazarus was investing significant effort to evade the defences of its targets during the attack, for example disabling anti-virus software on compromised hosts and removing evidence of malicious implants.

This is not the first time Lazarus has been linked to attacks against cryptocurrency operators – which it probably perpetrates with the relatively simple agenda of stealing money to generate funds for the isolated, impoverished North Korean regime.

The group’s attention first turned to South Korean cryptocurrency exchanges in 2017, when it stole $7m from the Bithumb exchange. Subsequent research linked it to other spear-phishing campaigns against South Korean targets, as well as cryptomining.

F-Secure said Lazarus remained a continued threat and organisations in the cryptocurrency vertical should be particularly vigilant, although it also warned that the campaign may expand to target supply chain elements of the vertical, and some of the newer command and control (C2) infrastructure identified during the research suggests it may also be looking to target financial investment organisations.

Fortunately, the report added, Lazarus is reusing tooling that clearly works for its objectives across multiple campaigns, so it is relatively easy to detect. It suggested this may mean that the group lacks the capability to retool easily.