North Korean hackers tracked as the Lazarus Group have been observed using LinkedIn in a spear-phishing campaign targeting the cryptocurrency vertical in the United States, the United Kingdom, Germany, Singapore, the Netherlands, Japan, and other countries.
This is not the first time the Lazarus hackers (also tracked as HIDDEN COBRA by the United States Intelligence Community and Zinc by Microsoft) have targeted cryptocurrency organizations.
United Nations (UN) Security Council experts say that the North Koreans were behind cryptocurrency heists that led to losses of $571 million between 2017 and 2018, with the U.S. Treasury later sanctioning three DPRK-sponsored and financially motivated hacking groups (Lazarus, Andariel, and Bluenoroff). North Korea’s total number of hackers is estimated at over 6,000, many of them operating from other countries including Russia, China, and India.
F-Secure attributed the LinkedIn attack to Lazarus on two grounds: the malicious implants left behind on infected systems, which the researchers collected after the operation and found identical to tools previously used by the group, and the Tactics, Techniques & Procedures (TTPs), which match those seen in the North Korean hackers’ earlier operations.
The hackers used a maliciously crafted Word document disguised as a General Data Protection Regulation (GDPR) protected file requiring the target to enable content to get access to the rest of the information.
Once content was enabled, the document executed its embedded malicious macro code, which connected to a bit.ly link, first collected system information and exfiltrated it to the attackers’ command-and-control servers, and then deployed the final malware payloads.
F-Secure also observed the Lazarus Group disabling Credential Guard on infected devices so that credentials could be captured from memory using the open-source Mimikatz post-exploitation tool.
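The two behaviours described above (an Office document whose macro spawns a script host that reaches out to a bit.ly link, and Credential Guard being switched off ahead of credential dumping) are both things a defender can look for in endpoint telemetry. The following is an added example written for this page, not code from the article or from F-Secure: a small detector that correlates Sysmon-style events. The event records are constructed and simplified (process creation, network connection and registry-value-set events, keyed by PID rather than Sysmon's ProcessGuid); the Credential Guard indicator used is the real `LsaCfgFlags` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, where 0 means Credential Guard is disabled.

```python
"""Detect macro-spawned script hosts contacting a URL shortener, and
Credential Guard being disabled, in constructed Sysmon-style events.
Added example; the event schema below is an assumption, not Sysmon's own."""
import ntpath
import re
from dataclasses import dataclass

# Parent applications whose child processes deserve scrutiny (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script/LOLBin hosts that a macro typically launches (assumed list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
URL_SHORTENERS = {"bit.ly"}
# Real registry value controlling Credential Guard; 0 = disabled.
CRED_GUARD_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags"

# Constructed sample events, loosely modelled on Sysmon event IDs
# 1 (process create), 3 (network connect) and 13 (registry value set).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4388, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "pid": 4388, "dest_host": "bit.ly", "dest_port": 443},
    {"id": 13, "pid": 5012, "image": r"C:\Windows\System32\reg.exe",
     "target_object": CRED_GUARD_VALUE, "details": "DWORD (0x00000000)"},
]
# Constructed benign activity: a browser started from explorer talking to a normal host.
BENIGN_EVENTS = [
    {"id": 1, "pid": 6000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 6000, "dest_host": "example.com", "dest_port": 443},
]


@dataclass
class Finding:
    kind: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def _parse_dword(details: str):
    # Sysmon renders DWORD values as e.g. "DWORD (0x00000001)".
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return findings in event order. Network events are only flagged for
    processes already known to be script hosts spawned by an Office app."""
    findings = []
    macro_children = {}  # pid -> (office parent, script host)
    for e in events:
        if e["id"] == 1:
            child = _basename(e["image"])
            parent = _basename(e.get("parent_image", ""))
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                macro_children[e["pid"]] = (parent, child)
                findings.append(Finding("office_spawns_script_host", e["pid"],
                                        f"{parent} -> {child}"))
        elif e["id"] == 3:
            host = e.get("dest_host", "").lower()
            if e["pid"] in macro_children and host in URL_SHORTENERS:
                findings.append(Finding("macro_child_contacts_url_shortener",
                                        e["pid"], host))
        elif e["id"] == 13:
            target = e.get("target_object", "")
            if (target.lower() == CRED_GUARD_VALUE.lower()
                    and _parse_dword(e.get("details", "")) == 0):
                findings.append(Finding("credential_guard_disabled", e["pid"], target))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.kind:40} pid={f.pid:<6} {f.detail}")
```

The correlation is deliberately narrow: a bit.ly connection is only raised when the connecting process is itself a script host launched by an Office application, which keeps ordinary browser traffic to URL shorteners out of the alert. In a production rule the registry check should also cover the `DeviceGuard` virtualization-based-security settings and be paired with a periodic verification that Credential Guard is actually running, since an attacker who can write to that key may also tamper with the telemetry source.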