CyberWisdom Safe Harbor Commentary on Lazarus Hacker Group:
Lazarus hacker group
In early 2017, Lazarus, a North Korean hacker group, actively circulated a large number of spear-phishing emails and targeted many individuals. Last year, its campaigns sought military planning insight or stole money, with targets ranging from defense contractors to financial institutions, including cryptocurrencies.
The current campaign targets Bitcoin users and their activities, collecting sensitive information in order to steal bitcoin.
The variants found so far contact an IP address/domain that was used to host malicious documents from a previous Lazarus campaign in 2017, along with the same malicious document, as well as Lazarus Resurfaces.
Distribution of the Lazarus hacker group campaign
Initially, the group distributed spam emails containing a link to a Dropbox account that hosted the malicious documents.
hxxps://dl.dropboxusercontent[.]com/content_link/AKqqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
hxxps://www[.]dropbox[.]com/s/q7w33sbdil0i1w5/job description.doc?dl=1
Once the victim clicks the link, the malicious document is downloaded. The document was created in an older version of Microsoft Word.
Once it is on the target system, the malicious document forces the victim to enable macros.
In this case, three different documents were distributed from the same Dropbox link. The first one, named lsm.exe, contacts 184.108.40.206, which also resolves to worker.co.kr.
The second, named csrss.exe, contacts the IP address 220.127.116.11, which resolves to deltaemis.com. The third communicates with the Korean IP address 18.104.22.168, which resolves to palgong-cc.co.kr.
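Both file names reported above, lsm.exe and csrss.exe, imitate genuine Windows system binaries, which gives defenders a simple check on process-creation telemetry. The following is an added example, not code from the original post or from McAfee; the event layout, host names and file paths are constructed, and the page does not say where the implants are written to disk.

```python
import ntpath

# File names the page reports for the implants; both imitate Windows system binaries.
IMPLANT_NAMES = {"lsm.exe", "csrss.exe"}
# Assumption: the genuine binaries of those names run only from this directory.
SYSTEM_DIR = r"c:\windows\system32"
# The lure is a Word document, so Word is the parent process of interest.
OFFICE_PARENTS = {"winword.exe"}

# Constructed process-creation events (shape loosely modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\csrss.exe",
     "parent": r"C:\Windows\System32\smss.exe"},
    {"host": "ws-02", "image": r"C:\Users\kim\AppData\Local\Temp\lsm.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"host": "ws-03", "image": r"C:\ProgramData\csrss.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws-04", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
]


def _split(path):
    """Return (directory, file name), lower-cased, for a Windows path."""
    directory, name = ntpath.split(ntpath.normpath(path))
    return directory.lower(), name.lower()


def triage(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    img_dir, img_name = _split(event["image"])
    _, parent_name = _split(event["parent"])
    # A system-binary name running from anywhere but System32 is masquerading.
    if img_name in IMPLANT_NAMES and img_dir != SYSTEM_DIR:
        reasons.append("system-binary name outside System32")
    # Word launching an executable is consistent with a macro starting a payload.
    if parent_name in OFFICE_PARENTS and img_name.endswith(".exe"):
        reasons.append("executable spawned by Word")
    return reasons


def scan(events):
    """Map host -> reasons for every event that triggered at least one rule."""
    return {e["host"]: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host, "; ".join(reasons))
```

The Word-parent rule also fires on ws-04, where the child is the genuine cmd.exe; that is deliberate, since a document spawning any executable deserves review.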
The malicious documents carry an encrypted payload inside their Visual Basic macro code.
According to McAfee, the VBA macro code executes automatically: it is configured to run when the OLE document (MS Word document) is opened (via “Sub AutoOpen()”) and collects system information.
After all the information has been collected, it is exfiltrated from the victim and sent to the command and control server.
“The campaign uses the same malicious document structure and similar recruitment advertisements that we observed in past Lazarus activities. The techniques, tactics, and procedures are in line with the Lazarus Group’s interest in cryptocurrency theft,” McAfee said.
A new malware campaign dubbed HaoBao, distributed by the North Korean hacking group “Lazarus”, specifically targets cryptocurrency and financial organizations via sophisticated cyber attacks. The North Korean hacking group Lazarus was actively spreading a huge number of spear-phishing emails and targeting many individuals at the beginning of 2017. Last year this campaign heavily targeted military program insight or steal…