Threat Watch

Lazarus Group Using LinkedIn Job Lures to Steal Cryptocurrency

Lazarus Group: The North Korean Hacking Bureau 121 division, commonly known as the Lazarus Group or the Bluenoroff Group, has recently targeted a cryptocurrency exchange according to researchers at F-Secure. The name of the targeted exchange was not released. Lazarus used the human element in their most recent attack by sending a malicious document to an administrator’s account on LinkedIn. The document related to a blockchain technology company seeking a new sysadmin with the employee’s skill set. The document is similar to other phishing documents that have been identified from the Lazarus group and publicly accessible on VirusTotal. The document that was sent needed macros to be enabled to carry out the infection chain. The group claimed the document was protected under the EU’s General Data Protection Regulation (GDPR) to trick users into enabling macros. Once macros were enabled, a .LNK file executed the Windows system tool mshta.exe and called out to a bit.ly link and downloaded a VBScript. The script conducts system checks and sends information to the Command and Control (C2) server which in turn provides a PowerShell script to fetch malware payloads. Depending on the system, different malware will be downloaded—two different backdoors were available and are similar to others used by the group. The threat actor is also using a custom Portable Executable (PE) loader. The PE is loaded into the lsass.exe process as a security package by masquerading as a “Security Package” via the “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages” registry key. That registry key was modified remotely via scheduled tasks that call reg.exe, created by using the schtasks.exe Windows utility. Lazarus is also using a custom version of Mimikatz to harvest credentials from the infected machine. Other malware variants allow the group to connect backdoors to other target hosts, among other things.

ANALYST NOTES

Microsoft documentation recommends setting LSA to run as a “Protected Process Light” (PPL) to protect against malicious security packages by only allowing those signed by Microsoft to run. This setting would have prevented the attack technique that was used in this instance. Enabling Credential Guard and using Attack Surface Reduction (ASR) rules to block credential stealing from the Windows local security authority subsystem are two other important security controls that would have helped thwart the attack. The threat actor is avoiding detection by wiping machine evidence and deleting security events and logs. However, security analysts should set up alerts to detect clearing of logs, and forward all events to a centralized logging server for safekeeping. The Lazarus Group has a history of targeting crypto-exchanges and currencies in the past. The group began these attacks as a way to make money after a large number of sanctions were placed on them. North Korea will likely continue to target other crypto exchanges as it is an easy way for the country to steal money. In this case, the attackers utilized phishing via LinkedIn, which is not a new tactic. The use of job offers being sent over LinkedIn for phishing purposes is growing because LinkedIn messages are not scanned by companies’ threat detection systems as email normally would be. In many cases, employees let their guard down on platforms such as LinkedIn, not realizing phishing campaigns do not have to be carried out through email. Employers should train employees that phishing can be done over various platforms. Employees should be on the lookout for phishing emails whenever messages are sent from individuals that employees do not recognize.

More can be read here: https://www.zdnet.com/article/lazarus-group-strikes-cryptocurrency-firm-through-linkedin-job-adverts/