Lazarus Group is being linked to an earlier spear-phishing attack that targeted administrators at a cryptocurrency company through LinkedIn messages. The effort appears to be financially motivated, with the attackers collecting the passwords required to access cryptocurrency wallets or online bank accounts.
“Lazarus Group’s activities are a continued threat: the phishing campaign associated with this attack has been observed continuing into 2020, raising the need for awareness and ongoing vigilance amongst organizations operating in the targeted verticals,” said researchers.
The attackers targeted network administrators at an undisclosed cryptocurrency service with a phishing document. The document was disguised as a genuine job advertisement for a position at a blockchain development business. Once the target opened the fake document, it claimed its contents were protected under the General Data Protection Regulation.
Researchers found that a “bit.ly” link had been accessed 73 times from at least 19 countries, including the US, China, and the UK. The link redirects to a domain that runs a VBScript to perform host checks. This in turn downloads and executes a script that retrieves an additional payload from a third C2.
The dropper installs several implants on the victim’s host. The same implants were also found on other targeted hosts, used to connect to the backdoor network. The findings showed that the large number of commands executed through the command-line tool provides “important discovery opportunities” to blue teams. The payload is able to retrieve additional files, decrypt data in memory, initiate C2 communications, and steal passwords.
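As an added illustration of the “discovery opportunities” mentioned above (example code written for this article, not part of the original report), the following Python flags two of the behaviours described: an Office process launching a script host, and a burst of distinct discovery commands on one host. The process-creation events, field layout, command list and thresholds are all constructed assumptions, not data from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (host, timestamp, parent image, image, command line).
# These are illustrative records, not logs from the incident described in the article.
SAMPLE_EVENTS = [
    ("HOST-A", "2020-08-25T09:00:01", "winword.exe", "wscript.exe", "wscript.exe //e:vbscript C:\\Temp\\x.txt"),
    ("HOST-A", "2020-08-25T09:00:05", "cmd.exe", "whoami.exe", "whoami"),
    ("HOST-A", "2020-08-25T09:00:07", "cmd.exe", "systeminfo.exe", "systeminfo"),
    ("HOST-A", "2020-08-25T09:00:09", "cmd.exe", "net.exe", "net user"),
    ("HOST-A", "2020-08-25T09:00:12", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ("HOST-A", "2020-08-25T09:00:15", "cmd.exe", "tasklist.exe", "tasklist"),
    ("HOST-B", "2020-08-25T09:30:00", "explorer.exe", "cmd.exe", "cmd /c dir"),
    ("HOST-B", "2020-08-25T10:10:00", "cmd.exe", "ipconfig.exe", "ipconfig"),
]

# Assumed process names; tune these to the environment being monitored.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DISCOVERY_CMDS = {"whoami", "systeminfo", "net", "ipconfig", "tasklist", "netstat", "nltest", "hostname"}


def office_spawned_script_host(events):
    """Hosts where an Office process launched a script host (the macro -> VBScript stage)."""
    return sorted({host for host, _, parent, image, _ in events
                   if parent.lower() in OFFICE_PARENTS and image.lower() in SCRIPT_HOSTS})


def discovery_bursts(events, threshold=4, window=timedelta(minutes=1)):
    """Hosts that ran at least `threshold` distinct discovery commands inside any sliding window."""
    per_host = defaultdict(list)
    for host, ts, _, _, cmdline in events:
        first_token = re.sub(r"\.exe$", "", cmdline.strip().split()[0].lower())
        if first_token in DISCOVERY_CMDS:
            per_host[host].append((datetime.fromisoformat(ts), first_token))
    flagged = []
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct discovery commands seen from this event until the window closes.
            seen = {cmd for t, cmd in items[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("office -> script host:", office_spawned_script_host(SAMPLE_EVENTS))
    print("discovery bursts:", discovery_bursts(SAMPLE_EVENTS))
```

Both checks flag HOST-A on the constructed sample, while HOST-B's single `ipconfig` and the `cmd /c dir` stay below the burst threshold.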
The Lazarus Group, a.k.a. Secret Cobra or APT 38, has been active since 2009. The APT has also been linked to the destructive WannaCry attack, which caused economic losses of millions of dollars. Lazarus is continually evolving and has introduced spyware and card-skimming tools.
It previously released an innovative multi-purpose malware framework (MATA) that targets Windows, Linux, and macOS. This latest campaign indicates that the group is now targeting organizations in the finance and cryptocurrency market segments, researchers warn.