Lazarus Resurfaces, Targets Global Banks and Bitcoin Users
This blog was written with support and contributions provided by Asheer Maholtra, Jessica Saavedra Morales, and Thomas Roccia.
McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.
This new campaign, dubbed HaoBao, resumes Lazarus' earlier tactic of phishing emails posing as employee recruitment, but now targets Bitcoin users and global financial organizations. When victims open the malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data gathering.
HaoBao's targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.
Background
Beginning in 2017, the Lazarus group heavily targeted individuals with spear-phishing emails impersonating job recruiters that contained malicious documents. The campaign lasted from April to October and used job descriptions relevant to the target organizations, in both English and Korean. The …
IoC
SHA1 hashes:
1dd8eba55b16b90f7e8055edca6f4957efb3e1cd
535f212b320df049ae8b8ebe0a4f93e3bd25ed79
7e70793c1ca82006775a0cac2bd75cc9ada37d7c
a79488b114f57bd3d8a7fa29e7647e2281ce21f6
afb2595ce1ecf0fdb9631752e32f0e32be3d51bb
dc06b737ce6ada23b4d179d81dc7d910a7dbfdde
e8faa68daf62fbe2e10b3bac775cce5a3bb2999e
MD5 hashes:
BDAEDB14723C6C8A4688CC8FC1CFE668
D4C93B85FFE88DDD552860B148831026
IP addresses:
210.122.7.129
221.164.168.185
70.42.52.80
URLs:
http://deltaemis.com/CRCForm/3E_Company/Sikorsky/E4174/JobDescription.doc
https://dl.dropboxusercontent.com/content_link/AKqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
https://dl.dropboxusercontent.com/content_link/AKqqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
https://www.dropbox.com/s/q7w33sbdil0i1w5/job
https://www.dropbox.com/s/qje0yrz03au66d0/JobDescription.doc?dl=1
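The indicators above are published as a flat list with no type labels, which is how they usually arrive from a threat-intel feed. The following script is an added example (not McAfee's code or tooling) that sorts the list into SHA1, MD5, IPv4 and URL indicators by shape and then sweeps a handful of constructed proxy, EDR and firewall log lines for them. Hashes and IPs are matched as whole tokens so that an address such as 10.122.7.129 does not match the listed 210.122.7.129, and URLs are matched in full rather than by host, because the Dropbox hosts in this list are shared with legitimate traffic. The log lines, the hostnames in them and the field names are all constructed for the example.

```python
import re
from collections import defaultdict

# Indicators exactly as listed in the IoC section of the post.
IOC_TEXT = """
1dd8eba55b16b90f7e8055edca6f4957efb3e1cd
210.122.7.129
221.164.168.185
535f212b320df049ae8b8ebe0a4f93e3bd25ed79
70.42.52.80
7e70793c1ca82006775a0cac2bd75cc9ada37d7c
BDAEDB14723C6C8A4688CC8FC1CFE668
D4C93B85FFE88DDD552860B148831026
a79488b114f57bd3d8a7fa29e7647e2281ce21f6
afb2595ce1ecf0fdb9631752e32f0e32be3d51bb
dc06b737ce6ada23b4d179d81dc7d910a7dbfdde
e8faa68daf62fbe2e10b3bac775cce5a3bb2999e
http://deltaemis.com/CRCForm/3E_Company/Sikorsky/E4174/JobDescription.doc
https://dl.dropboxusercontent.com/content_link/AKqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
https://dl.dropboxusercontent.com/content_link/AKqqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
https://www.dropbox.com/s/q7w33sbdil0i1w5/job
https://www.dropbox.com/s/qje0yrz03au66d0/JobDescription.doc?dl=1
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def classify(value):
    """Return the indicator type for one line of the list, or None for a blank line."""
    v = value.strip()
    if not v:
        return None
    if SHA1_RE.match(v):
        return "sha1"
    if MD5_RE.match(v):
        return "md5"
    if IPV4_RE.match(v):
        return "ipv4"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    return "unknown"


def load_iocs(text):
    """Group indicators by type; hashes are lower-cased so matching is case-insensitive."""
    groups = defaultdict(set)
    for line in text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        value = line.strip()
        if kind in ("sha1", "md5"):
            value = value.lower()
        groups[kind].add(value)
    return groups


# Constructed sample log lines (not from the post): a proxy record, an EDR file event,
# a firewall record, and two benign lines that must not match.
SAMPLE_LOGS = [
    '2018-02-12T09:14:02Z proxy user=jdoe dst=deltaemis.com url="http://deltaemis.com/CRCForm/3E_Company/Sikorsky/E4174/JobDescription.doc" action=allowed',
    '2018-02-12T09:14:30Z edr host=WS-0117 event=file_write path=C:\\Users\\jdoe\\Downloads\\JobDescription.doc sha1=535F212B320DF049AE8B8EBE0A4F93E3BD25ED79',
    '2018-02-12T09:15:11Z fw src=10.1.4.22 dst=210.122.7.129 dport=443 action=allow',
    '2018-02-12T09:16:00Z proxy user=asmith dst=www.dropbox.com url="https://www.dropbox.com/s/unrelated/report.pdf" action=allowed',
    '2018-02-12T09:17:45Z fw src=10.1.4.23 dst=10.122.7.129 dport=443 action=allow',
]

# Tokens are runs of alphanumerics and dots: hex hashes and dotted-quad IPs come out whole,
# while key=value separators and quotes are stripped.
TOKEN_RE = re.compile(r"[A-Za-z0-9.]+")


def scan_logs(lines, iocs):
    """Return (line_index, ioc_type, indicator) for every indicator found in the lines."""
    hits = []
    for idx, line in enumerate(lines):
        tokens = {t.lower() for t in TOKEN_RE.findall(line)}
        # Hashes and IPs: whole-token comparison, so 10.122.7.129 never matches 210.122.7.129.
        for kind in ("sha1", "md5", "ipv4"):
            for token in sorted(tokens & iocs.get(kind, set())):
                hits.append((idx, kind, token))
        # URLs: full-string match; matching on the host alone would flag all Dropbox traffic.
        for url in sorted(iocs.get("url", set())):
            if url in line:
                hits.append((idx, "url", url))
    return hits


if __name__ == "__main__":
    indicators = load_iocs(IOC_TEXT)
    for kind, values in sorted(indicators.items()):
        print(f"{kind}: {len(values)} indicator(s)")
    for idx, kind, value in scan_logs(SAMPLE_LOGS, indicators):
        print(f"line {idx}: {kind} hit on {value}")
```

Run against the constructed lines, the scan flags the proxy request for the deltaemis.com document, the EDR file event whose SHA1 is in the list, and the firewall record to 210.122.7.129, and stays silent on the unrelated Dropbox download and the 10.122.7.129 connection. In a real deployment the same two rules matter most: compare hashes and addresses as whole values, and for shared file-hosting domains match the complete URL rather than the host.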