North Korea-linked Lazarus malware campaign resurfaces, warns McAfee

Lazarus Group has returned to shake down Bitcoin miners and users, according to McAfee

Cyber security researchers have unearthed a new sophisticated malware campaign that steals Bitcoins from victims.

According to analysts at security firm McAfee, hackers working for international cybercrime group Lazarus, which is believed to be a North Korean government front, are mounting new malware campaigns on targets across the world.

Dubbed HaoBao, the campaign takes advantage of the group's experience in email phishing. In the past, the crooks have posed as recruitment professionals.

Now they are targeting Bitcoin users and global financial institutions by bombarding their targets with malware-bearing emails.

When victims open these attachments, the malware kicks in and begins scanning for Bitcoin-related activity. It then drops a back door enabling the attackers to mine data at a later date from the compromised machine.

McAfee said the hacking group is using "never-before-seen" tactics to launch attacks on victims. The firm believes that Lazarus is trying to "establish cryptocurrency cybercrime at a sophisticated level".

Between April and October 2017, the group posed as recruitment professionals to launch a spate of phishing emails. It used English and Korean in this campaign.

"The objective was to gain access to the target's environment and obtain key military program insight or steal money," claimed the security firm.

It continued: "The 2017 campaign targets ranged from defense contractors to financial institutions, including crypto currency exchanges; however, much of this fake job recruitment activity ceased months later, with the last activity observed October 22, 2017."

However, in January the group resumed its malicious activity. On 15 January, McAfee came across a malicious document that advertised a supposed business development role at a multinational bank in Hong Kong.

Although it used the same tactics as the 2017 campaign, this document was different in that it had "Windows User" as the last author. Similar emails were sent between 16 January and 24 January, too.

"Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word," explained McAfee. "The malicious documents then launch an implant on the victim's system via a Visual Basic macro."

Lazarus has also been using new implants to gather data. The company said: "The implants contain a hardcoded word 'haobao' that is used as a switch when executing from the Visual Basic macro."

It added: "In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus Group targets crypto currency and financial organisations."

"Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin-related software through specific system scans."
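The behaviour McAfee describes above (a Word document whose VBA macro launches a separate implant, executed with the hardcoded word "haobao" as a switch) is the kind of thing endpoint telemetry can catch. The following detection routine is an added example, not code from the article or from McAfee; it runs over constructed Sysmon-style process-creation events (Event ID 1 field names ParentImage, Image, CommandLine), and its assumption that the "haobao" switch is visible on the command line is not something the article states.

```python
# Added example: flag process-creation events where an Office application
# spawns a non-Office binary, or where the "haobao" switch appears on the
# command line. Field names mirror Sysmon Event ID 1; sample data is constructed.
import json

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children that Office legitimately spawns; anything else deserves a look.
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe"}
# Assumption: the implant's hardcoded switch shows up as a command-line token.
SUSPICIOUS_SWITCHES = {"haobao"}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons (possibly none) an event looks macro-launched."""
    reasons = []
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    tokens = event.get("CommandLine", "").lower().split()
    if parent in OFFICE_PARENTS and child not in BENIGN_CHILDREN:
        reasons.append(f"office_spawned_{child}")
    for switch in SUSPICIOUS_SWITCHES:
        if switch in tokens:
            reasons.append(f"switch_{switch}")
    return reasons


def scan(events):
    """Map ProcessId -> reasons for every event that raised at least one."""
    return {e["ProcessId"]: r for e in events if (r := classify(e))}


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed sample telemetry; the dropped file name is a placeholder.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": WORD, "CommandLine": r'"WINWORD.EXE" /n job_description.doc'},
    {"ProcessId": 102, "ParentImage": WORD,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"ProcessId": 103, "ParentImage": WORD,
     "Image": r"C:\Users\Public\dropped_sample.exe",
     "CommandLine": r"C:\Users\Public\dropped_sample.exe haobao"},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Only the third event is reported, with both the Office-parent rule and the switch rule firing; a real deployment would extend BENIGN_CHILDREN from observed baseline telemetry rather than this short list.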