Lazarus: North Korean hackers resurface with aggressive HaoBao campaign against banks, Bitcoin users

The notorious North Korea-linked hacker group Lazarus has risen again with a new "aggressive" campaign targeting global banks and Bitcoin users, security researchers have discovered. According to McAfee Labs, the advanced cybercrime group has launched a new ambitious Bitcoin-stealing phishing campaign dubbed HaoBao using implants that have never before been seen in the wild or in previous Lazarus campaigns.

First spotted in mid-January, McAfee researchers discovered a malicious document being distributed via a Dropbox account that was disguised as a job recruitment ad for a Business Development Executive for a large multinational bank in Hong Kong.

"This is the mark of a new campaign, though it utilizes techniques, tactics and procedures observed in 2017," McAfee's Ryan Sherstobitoff wrote in a blog post published Monday (12 January).

The author is listed as "Windows User" with the document created in Korean. Several similar malicious documents with the same author have popped up between 16 January and 24 January this year, researchers noted.

The malicious document prompts the user to "enable content" to view the purported ad by claiming it was created with an earlier version of Microsoft Word. Unsuspecting users that do so enable the attackers to launch the implant onto the victim's system via a Visual Basic macro.

"McAfee ATR analysis finds the dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017," researchers noted. "Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word "haobao" that is used as a switch when executing from the Visual Basic macro."

The document drops two payloads onto the system that are decrypted in memory including a cryptocurrency scanner that looks out for any Bitcoin activity such as a registry key and wallet on the system before deploying the second payload.

Once it detects the compromised machine does have a Bitcoin wallet, the secondary payload is deployed to gain persistence on the device for long-term data gathering. The malware harvests data include the computer name, logged-in username, a list of all processes currently running on the system and looks for a specific bitcoin registry key. If found on the machine, the information is relayed to the command and control (C&C) infrastructure to likely begin stealing cryptocurrency.

"The techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and crypto currency exchanges in 2017," McAfee said. "Furthermore, one of the implants communicates to an IP address that was involved in hosting malicious job description documents in 2017 involving the Sikorsky military program."

Widely believed to be linked to the North Korean regime, Lazarus Group has been linked to the 2014 Sony Pictures Entertainment hack, the global WannaCry ransomware attack in 2017, multiple massive attacks targeting the banking and media sector in South Korea in 2013, the $80m Bangladesh Bank cyberheist and the cyberattacks targeting South Korea cryptocurrency exchanges towards the end of 2017.

"Despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organizations," researchers said. "Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans."