The Lazarus group is reported to have set a trap to steal cryptocurrency. The attack was launched recently against a cryptocurrency organisation. Lazarus is an advanced persistent threat (APT) group said to be operated by North Korea, and its attacks have grown more sophisticated over the last three years. It is said to have formed in 2007 and was also behind the WannaCry attack. The group also carried out the $80 million Bangladesh bank heist and the 2018 HaoBao Bitcoin-stealing campaign.
The group's latest attack was delivered through a LinkedIn job advertisement. A system administrator recently received a phishing document via their personal LinkedIn account, purporting to come from a blockchain technology company seeking a new employee. The message was attributed to Lazarus because the document resembled samples already available on VirusTotal: the samples shared the same file names, author and word-count metadata.
The document contained macros that carry out the group's objective. It also carried a claim that it was protected under the EU's General Data Protection Regulation (GDPR). The document's macro is said to create a .LNK file, which in turn executes mshta.exe and calls out to a bit.ly link pointing to a VBScript. This script performs system checks and sends operational information to a command-and-control (C2) server. The C2 server then provides a PowerShell script able to retrieve Lazarus malware payloads.
The group is also said to use a tailored version of Mimikatz. This version is used to retrieve credentials from encrypted systems, and financial details are also retrieved with it. The main aim is to take over the victim's cryptocurrency wallets and online bank accounts. The group is also accused of wiping evidence of the attack by deleting security events and logs. However, officials remain hopeful that they will find some evidence of the attack.
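The execution chain described above (macro, .LNK, mshta.exe, bit.ly link) and the deletion of security logs both leave endpoint telemetry a defender can check for. The following is an added example, not code from the article or the incident report: a small triage routine over constructed Sysmon-style process-creation records (Event ID 1) and a Security "audit log cleared" record (Event ID 1102). The sample events, the list of Office parent processes and the URL-shortener list are assumptions for illustration.

```python
import re

# Constructed sample telemetry (not from the report): two Sysmon process-creation
# records and one Windows Security 1102 "audit log cleared" record.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe https://bit.ly/EXAMPLE-PLACEHOLDER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\admin\app.hta"},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "admin"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")   # assumed list
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")               # assumed list
_SHORTENER_RE = re.compile(
    r"https?://([a-z0-9.-]*\.)?(" + "|".join(map(re.escape, URL_SHORTENERS)) + r")/")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_mshta(event):
    """Return reasons why an mshta.exe launch looks like the described chain:
    spawned by an Office process, or pointed at a URL-shortener domain.
    Returns None for non-mshta events or when nothing matches."""
    if event.get("EventID") != 1 or _basename(event.get("Image", "")) != "mshta.exe":
        return None
    reasons = []
    if _basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("office-parent")
    if _SHORTENER_RE.search(event.get("CommandLine", "").lower()):
        reasons.append("url-shortener")
    return reasons or None

def log_cleared(event):
    """Security Event ID 1102 is written when the audit log is cleared; the
    article says the group deleted security events and logs to cover its tracks."""
    return event.get("EventID") == 1102

def triage(events):
    """Return (event index, finding) pairs for a batch of events."""
    findings = []
    for i, ev in enumerate(events):
        reasons = suspicious_mshta(ev)
        if reasons:
            findings.append((i, "mshta:" + "+".join(reasons)))
        if log_cleared(ev):
            findings.append((i, "audit-log-cleared"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the Office-spawned mshta.exe with a shortener URL and the log-clearing event, while the locally run .hta under explorer.exe is left alone.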