The North Korean hacking group has turned greedy.
Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to originate from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.
Active since 2009, Lazarus Group has been attributed to many high-profile attacks, including the Sony Pictures hack, the $81 million heist from the Bangladesh Bank, and, most recently, WannaCry.
The United States has officially blamed North Korea for the global WannaCry ransomware attack, which infected hundreds of thousands of computers across more than 150 countries earlier this year.
In separate news, security experts have blamed Lazarus Group for stealing bitcoins worth millions from the South Korean exchange Youbit, forcing it to shut down and file for bankruptcy after losing 17% of its assets.
Researchers from security firm Proofpoint have published a new report revealing a connection between Lazarus Group and several multistage cyber attacks against cryptocurrency users and point-of-sale systems.
“The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies,” the researchers said. “The Lazarus Group’s arsenal of tools, implants, and exploits is extensive and under constant development.”
After analyzing a large number of spear-phishing emails with different attack vectors from multiple spear-phishing campaigns, researchers discovered a new PowerShell-based reconnaissance implant from the Lazarus Group arsenal, dubbed PowerRatankba.
The encryption, obfuscation, functionality, decoys, and command-and-control servers used by PowerRatankba closely resemble those of the original Ratankba implant developed by Lazarus Group.
The PowerRatankba implant is being spread using a massive email campaign through the following attack vectors:
- Windows executable downloader dubbed PowerSpritz
- Malicious Windows Shortcut (LNK) files
- Several malicious Microsoft Compiled HTML Help (CHM) files
- Macro-based Microsoft Office documents
- Backdoored popular cryptocurrency applications hosted on fake websites
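Each of the file-based vectors above ends with a script host being launched from a parent process that rarely has a legitimate reason to do so, which is what a host-based detection can key on. The Python below is an added example, not code from the article or from Proofpoint: it scans constructed process-creation events for those parent/child pairs and for PowerShell command-line traits typical of a download cradle. The mapping of vectors to parent processes (hh.exe for CHM files, the Office executables for macro documents) and the sample events are assumptions made here, not details taken from the report.

```python
"""Detection of script hosts spawned by document viewers (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parent processes that should rarely launch a script host.
# Assumption: CHM files are rendered by hh.exe (HTML Help); macro documents
# spawn children from the Office executables.
SUSPICIOUS_PARENTS = {
    "hh.exe": "CHM help file",
    "winword.exe": "Office macro",
    "excel.exe": "Office macro",
    "powerpnt.exe": "Office macro",
}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "cmd.exe"}

# Command-line traits typical of a PowerShell download cradle.
CRADLE_PATTERNS = [
    re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a document-borne delivery chain."""
    reasons: list[str] = []
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if child in SCRIPT_HOSTS and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{SUSPICIOUS_PARENTS[parent]} launched {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        for pat in CRADLE_PATTERNS:
            if pat.search(ev.command_line):
                reasons.append(f"download cradle trait: {pat.pattern}")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only events that produced at least one reason."""
    flagged = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\hh.exe", PS,
                 "powershell.exe -w hidden -enc BASE64PLACEHOLDER"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd /c start notepad"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Git\bin\git.exe", "git pull"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image), reasons)
```

Run as a script, the two events from the benign parents (explorer.exe) are not flagged, while the CHM- and Office-spawned script hosts are reported with the reasons that matched.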
PowerRatankba, with at least two variants in the wild, acts as a first-stage malware that delivers a fully featured backdoor (in this case, Gh0st RAT) only to those targeted companies, organizations, and individuals that have an interest in cryptocurrency.
“During our research, we discovered that long-term sandboxing detonations of PowerRatankba not running cryptocurrency related applications were never infected with a Stage2 implant. This may indicate that the PowerRatankba operator(s) were only interested in infecting device owners with an obvious interest in various cryptocurrencies,” reads the 38-page-long report [PDF] published by Proofpoint.
Once installed, Gh0st RAT allows cybercriminals to steal credentials for cryptocurrency wallets and exchanges.
It’s notable that PowerRatankba and Gh0st RAT don’t exploit any zero-day vulnerability; instead, Lazarus Group relies on mixed programming practices, like C&C communication over HTTP, use of the Spritz encryption algorithm and a Base64-encoded custom encryptor.
“It is already well-known that Lazarus Group has targeted and successfully breached several prominent cryptocurrency companies and exchanges,” the researchers say. “From these breaches, law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today.”
Besides stealing cryptocurrencies, the group was also found infecting SoftCamp point-of-sale (POS) terminals, largely deployed in South Korea, using RatankbaPOS malware for stealing credit card data.
Since RatankbaPOS was sharing the same C&C server as the PowerRatankba implant, it is believed that both implants are linked to Lazarus Group.
The explosive growth in cryptocurrency values has motivated not only traders but also hackers to invest all their time and resources in producing digital wealth.
More details about the new malware campaigns run by Lazarus Group can be found in the in-depth report [PDF], titled “North Korea Bitten by Bitcoin Bug—Financially motivated campaigns reveal a new dimension of the Lazarus Group,” published by Proofpoint on Wednesday.