
Warning: North Korea’s “Lazarus” Crypto Hackers Have Stepped Up Their Game


Kaspersky Lab, a cybersecurity and anti-virus company, first reported on the cybercrime group Lazarus in August of 2018 with the release of Operation AppleJeus. The document outlined the group’s use of fake companies that promoted backdoored products to target cryptocurrency businesses.

On March 26th, the team released a new report explaining that the presumably North Korean-backed Lazarus was still targeting cryptocurrency businesses and had developed new tactics to further avoid detection.


Frightening Tactics Evolve With South Korean Businesses a Target

Since November of last year, Lazarus has been using PowerShell to control Windows systems and macOS malware to target Apple users. The custom PowerShell scripts communicate directly with C2 servers and then execute commands from the operator.

Once the malware has initiated a control session with the server, it can collect basic host information, download and upload files, show the current malware configuration, and execute system shell commands, to name a few of its functions.

The real danger is that the C2 server script names are disguised as seemingly normal files, such as those of WordPress or other open source projects. The report expressed specific concern for companies based in South Korea, given that several of the documents found containing the malware were directed at them. The report stated:

“The malware was distributed via documents carefully prepared to attract the attention of cryptocurrency professionals. Seeing as how some of the documents were prepared in Korean, we believe that South Korean businesses are a high priority for Lazarus.”

The report shows several such convincing documents that were used to infiltrate cryptocurrency businesses. One of them was a business overview from a Chinese technology consulting group named LAFIZ.

In addition, the report noted that the group uses both purchased and hijacked servers, and that these are geographically widespread, located everywhere from China to the European Union and elsewhere.

One question remains: why use two different kinds of servers? Kaspersky Lab asserts that “the group seems to have a rule … to only host malware on rented servers, while hosting C2 scripts for malware communication on compromised servers.”

It seems as though Lazarus is retaining some consistent features as their malware evolves, suggesting that they are using the same developers to expand to other platforms.

Hacking From North Korea Has Cost the Industry Millions

At the end of 2017, news began to surface regarding North Korean hackers’ attacks on cryptocurrency exchanges, which amassed over 670 billion USD. The hackers were also credited with leaking information from 36,000 accounts at the cryptocurrency exchange Bithumb.

A few weeks ago, a UN report was leaked that showed how North Korea had used “cyber attacks and blockchain technology to circumvent economic sanctions and obtain foreign currency”.

A report from security research firm Group-IB explained that Lazarus was purportedly responsible for $571 million of the $882 million in cryptocurrency that had been stolen from various exchanges between 2017 and 2018. This accounted for almost 65% of the total amount. The biggest attack to date was on Japan-based exchange Coincheck, which lost an alarming 532 million USD back in January of 2019.

The UN report reminded member states to:

“enhance their ability to facilitate robust information exchange on the cyberattacks by the Democratic People’s Republic of Korea with other governments and with their own financial institutions”.


Based in the UK, Jimmy has been following the development of blockchain for several years, and he is optimistic about its potential to democratize the financial system. Follow him on Twitter: @adejimi
