A clever spearphishing campaign linked to North Korea has been taking advantage of a surge in public interest surrounding cryptocurrencies, like bitcoin, in order to spread malware to people interested or involved in the budding industry, according to new research from at least three different cybersecurity firms.
The campaign appears to be carried out by a hacking group known as the “Lazarus Group,” which researchers have linked to North Korea in previous attacks, such as the 2014 Sony breach, an $81 million Bangladesh cyber heist in 2016 and the WannaCry worldwide ransomware attack in May.
This scam focuses on convincing victims to download a Microsoft Word document that masquerades as a job posting for a position at a British cryptocurrency company. Once downloaded, the document prompts the user to “enable editing” and “enable content functions.” If the victim enables the prompt, a macro installs a backdoor that allows the attackers to install more malware at any time, according to cybersecurity company SecureWorks, a subsidiary of Dell.
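As an added defender-side illustration (not code from the article or from any of the firms it quotes), a stdlib-only Python triage script that flags a Word document when it carries a VBA macro project, the mechanism this lure depends on, or when its MD5 matches the JD.doc hash quoted in the tweet further down; the two sample documents it builds are constructed stand-ins, not real samples.

```python
# Added example; not code from the article or any vendor it quotes. Heuristic: a legacy
# OLE (.doc) file keeps macros under a 'Macros' storage whose UTF-16LE entry name shows up
# verbatim in the raw bytes; an OOXML (.docm) file carries word/vbaProject.bin in its zip.
import hashlib
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MACRO_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT")]
# MD5 of JD.doc as quoted in the tweet on this page.
KNOWN_BAD_MD5 = {"ee295025782b6bd37bcaf1a639b5006e"}


def has_vba_macro(data: bytes) -> bool:
    """Return True if the document bytes appear to contain a VBA project."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(data: bytes) -> dict:
    """Report whether a document should be held back from the user, and why."""
    md5 = hashlib.md5(data).hexdigest()
    reasons = []
    if md5 in KNOWN_BAD_MD5:
        reasons.append("md5 matches published JD.doc indicator")
    if has_vba_macro(data):
        reasons.append("document carries a VBA macro project")
    return {"md5": md5, "suspicious": bool(reasons), "reasons": reasons}


def constructed_ole_lure() -> bytes:
    # Constructed stand-in: OLE header plus a 'Macros' entry name; not a real sample.
    return OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64


def constructed_docm() -> bytes:
    # Constructed stand-in: minimal OOXML-style zip with an empty vbaProject.bin part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (constructed_ole_lure(), constructed_docm(), b"plain text, no macro"):
        print(triage(sample))
```

The marker search is a quick triage heuristic, not a full OLE parser; a positive hit is a reason to hold the file for closer inspection, not proof of malice on its own.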
Joshua Chung, a researcher for SecureWorks Counter Threat Unit (CTU), told CyberScoop that there isn’t enough information to narrow down who exactly is being targeted, but that the nature of the scam suggests that it involves people in the cryptocurrency industry.
“[G]iven the lure describes an executive position for a cryptocurrency company, it might be reasonable to deduce that the recipients may be in the managerial positions within cryptocurrency companies. But again, we don’t have enough information to make any conclusive determination,” Chung said.
Other researchers in addition to Chung have been looking at these same malware samples.
“There is no evidence as to who the specific targets of the campaign are at this current moment, however due to the contents of the document and the recent hacking of cryptocurrency exchanges such as Bithumb, it can be speculated that this campaign was targeted at employees of different cryptocurrency exchanges or even cryptocurrency experts,” said Jay Rosenberg, a researcher at Israeli cybersecurity company Intezer. Bithumb is a South Korean cryptocurrency exchange that was the target of a data breach earlier this year. That attack is now being attributed to North Korea, the BBC reports.
Seongsu Park, a researcher for Russian cybersecurity company Kaspersky Lab, tweeted that the malware Lazarus Group was using in this attack has not only targeted people with interest in cryptocurrency, but also banks and software companies.
Hash : ee295025782b6bd37bcaf1a639b5006e (JD.doc). Cryptocurrency company is not the only target. Bank, S/W company, and so on.. https://t.co/lvTrwpg8eF
— Seongsu Park (@unpacker) December 16, 2017
Kaspersky was not able to provide further insight into this cryptocurrency spearphishing campaign, but Chung, of Secureworks, confirmed that the malware being used is linked to other attacks “targeting financial industries, defense contractors, gaming companies and tech vendors.”
“In addition to bitcoin companies, we have seen these threat actors use the ‘fake job theme’ phishing ploy against financial institutions, defense contractors, gaming companies, and technology vendors,” said Chung. “Thus, the ‘bitcoin job lure’ was just one of many brands of phishing lures the North Koreans were employing.”
Lazarus Group appears to be impersonating at least one cryptocurrency company in its latest spearphishing campaign.
“These malicious false job advertisement documents with embedded macros have been used in the past by Lazarus,” Rosenberg said. “Other documents that have been seen include a false job advertisement for a project manager at IBM in the Philippines and another finance or banking position in Asia.”
In a screenshot of the infected document published by Intezer, the fake job posting appears to be for Luno, a British digital currency trading company. A Secureworks spokesperson declined to also name the impersonated company, but said that “the cryptocurrency organization was simply used to enhance credibility to the spearphishing email.” The fake job description appears to have been stripped from a similar job description posted on LinkedIn in the Far East, according to Secureworks.
Luno did not immediately respond to a request for comment. “Despite using an actual company name in the lure, CTU researchers have no evidence to conclude that any identified company in the lure is the subject of a targeted operation,” SecureWorks found.
Chung and Rosenberg both said they do not know how successful the spearphishing campaign has been or how many people downloaded the document.