
Lazarus Group used a fake message about a job that claims it's protected under GDPR and contains malicious macros.

The Lazarus Group, which has ties to the North Korean government, recently targeted an employee of a cryptocurrency exchange with a fake job offer in order to plant malware and steal virtual currency, according to security firm F-Secure.

The attackers apparently stole a "substantial" amount of cryptocurrency from the targeted exchange as a result of the spear-phishing attack, the researchers say.

The recent attack against the unnamed cryptocurrency exchange is part of an ongoing campaign that started in 2018 and includes similar incidents in the U.S., China, U.K., Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan and the Philippines, according to the report.

The Lazarus Group has been involved in several other thefts from banks and exchanges, including the theft of $81 million from Bangladesh Bank in 2016. A 2019 United Nations report estimated the group had stolen about $571 million in cryptocurrency between 20 by targeting five exchanges in Asia. Lazarus allegedly is providing money to the North Korean government, which is facing numerous economic sanctions (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).

"It is F-Secure's assessment that the group will continue to target organizations within the cryptocurrency vertical while it remains such a profitable pursuit, but may also expand to target supply chain elements of the vertical to increase returns and longevity of the campaign," the report notes.

In the latest Lazarus Group attack, the hackers targeted a specific systems administrator who worked for the exchange, according to the report. The employee received a message through a personal LinkedIn account that advertised a fake job at a blockchain firm. The skill set needed for the job matched that of the targeted system administrator, the researchers say. This message sent through LinkedIn also matched other phishing emails previously used by Lazarus, some of which had been uploaded to VirusTotal, according to the report.

The LinkedIn message contained a Word document that was portrayed as having more information about the prospective job offering, but noted that it was “protected under the European Union's General Data Protection Regulation law.” The victim was asked to enable macros to view the full document, according to the report.

Once the macros were enabled, they started a chain reaction that eventually installed a VBScript within the compromised device that made connections to three command-and-control servers overseen by the hackers, according to the F-Secure report.

The researchers found that Lazarus can deploy a number of malicious tools within an infected device. These include two distinct backdoors that have previously been reported on by security firms Kaspersky and ESET. Another malware variant used in conjunction with the backdoors gives the hackers the "capability to download additional files, decompress data in memory, initiate command-and-control communication, execute arbitrary commands and steal credentials from a number of sources," according to the report.

This malware variant has been used by other hackers to steal cryptocurrency wallets (see: Hacker Group Stole $200 Million From Cryptocurrency Exchanges). The hackers also used a customized version of Mimikatz to steal credentials.

To help avoid detection, the Lazarus Group hackers use PowerShell commands to disable security tools, such as Windows Defender, and then delete the malware once the operation is concluded.

"On all but a single host, which was powered off halfway through the intrusion and therefore unreachable, Lazarus Group was able to securely delete traces of any of the malware they employed as well as significant quantities of forensic evidence," according to the report.

Over the past month, other security researchers also have noted that the Lazarus Group, which is also referred to as Hidden Cobra, has used the promise of fake jobs as part of phishing campaigns. Earlier this month, McAfee issued a report that found Lazarus was using fake job offers to target employees in the U.S. Researchers at ClearSky issued a similar report about fake LinkedIn job advertisements tied to North Korean hackers. These attacks would then allow the hackers to gain greater access to corporate networks.
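As an added illustration, not part of the original article or of the F-Secure report, of how a defender might look for the evasion steps described above (PowerShell used to disable Windows Defender, followed by deletion of the malware), the following Python scans constructed PowerShell script-block log records for Defender tampering followed by a forced delete of script or executable content. The record layout, host names and rule names are assumptions made for this example.

```python
import re

# Constructed sample records, loosely modelled on PowerShell Script Block
# Logging (Event ID 4104) entries; not real telemetry from the case above.
SAMPLE_EVENTS = [
    {"host": "ws-admin-01", "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"host": "ws-admin-01", "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-admin-01", "script": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"host": "ws-admin-01", "script": "Remove-Item -Path $env:TEMP\\stage.vbs -Force"},
    {"host": "ws-admin-02", "script": "Get-MpComputerStatus"},
]

# Each rule: (compiled regex, finding name, severity). Rule names are
# assumptions for this example, not Sigma or vendor identifiers.
RULES = [
    (re.compile(r"\bSet-MpPreference\b.*?-Disable\w+", re.I),
     "defender_feature_disabled", "high"),
    (re.compile(r"\bAdd-MpPreference\b.*?-Exclusion\w+", re.I),
     "defender_exclusion_added", "high"),
    (re.compile(r"\bRemove-Item\b.*?\.(vbs|ps1|exe|dll)\b.*?-Force", re.I),
     "forced_delete_of_executable_content", "medium"),
]


def scan_events(events):
    """Return one finding dict per (event, matching rule), in log order."""
    findings = []
    for ev in events:
        for pattern, name, severity in RULES:
            if pattern.search(ev["script"]):
                findings.append({"host": ev["host"], "rule": name,
                                 "severity": severity, "script": ev["script"]})
    return findings


def hosts_with_tamper_then_cleanup(events):
    """Hosts where Defender tampering is later followed by a forced delete of
    script/executable content: the tamper-then-cleanup sequence described above."""
    tampered, flagged = set(), set()
    for ev in events:
        for pattern, name, _ in RULES:
            if not pattern.search(ev["script"]):
                continue
            if name.startswith("defender_"):
                tampered.add(ev["host"])
            elif ev["host"] in tampered:
                flagged.add(ev["host"])
    return sorted(flagged)


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['rule']} <- {f['script']}")
    print("tamper-then-cleanup hosts:", hosts_with_tamper_then_cleanup(SAMPLE_EVENTS))
```

Real deployments would read the records from the Microsoft-Windows-PowerShell/Operational channel and tune the deletion rule, which is noisy on its own and is only meaningful here because it is correlated with the preceding Defender tampering on the same host.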
