On March 26, cybersecurity watchdogs from Kaspersky Lab issued a warning that the well-known hacking group known as Lazarus, which is allegedly sponsored by the North Korean government, is alive and well and still targeting the cryptocurrency industry.
According to the folks at Kaspersky Lab, the hacking group began a new operation in November 2018, using new methods to infiltrate the computer systems of businesses in the financial sector and gain access to sensitive data. Research done by Kaspersky Lab shows the hackers customized PowerShell scripts that "communicate with malicious C2 servers and execute commands from the operator."
The scripts, dubbed "macro-weaponized document[s]," look like WordPress files and other open-source projects. Once the malware has control over a company's servers, it can "set sleep time (delay between C2 interactions), exit malware, collect basic host information, check malware status, show current malware configuration, update malware configuration, execute system shell command, [and] download [and] upload files."
These weaponized documents are specifically designed to catch the attention of cryptocurrency professionals. Kaspersky Lab believes that the hacking group is explicitly targeting Korean crypto exchanges because the malware is delivered as a malicious document in the "Korean Hangul Word Processor format" (HWP), which takes advantage of a known weakness in the PostScript software and is popular only among Korean users. That one of the weaponized documents was sent to a crypto exchange based in Korea is also telling.
The Lazarus group uses several methods to infect exchanges' servers. Kaspersky Lab's research shows that the group is most likely "running an old vulnerable instance of Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003." The group is also suspected of purchasing servers from a hosting company that it uses to "host macOS and Windows payloads." The cybersecurity watchdog believes the group only puts malware on rented servers and uses servers that are already infected to run C2 scripts. These servers have been found from China to the European Union.
The research done by Kaspersky Lab further shows that the group has adopted better methods to avoid detection. Lazarus is separately developing malware for "32-bit and 64-bit Windows," so it has more choices concerning the platform it wishes to infiltrate and the type of compiled code it wishes to use. Kaspersky Lab concludes that the same developers are using these methods to infect Apple products, which is why the group built the macOS malware.
The report ends with a warning to the larger crypto and tech industry:
"If you're part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It's best to check new software with an antivirus…[a]nd never 'Enable Content' (macro scripting) in Microsoft Office documents received from new or untrusted sources."
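The "never 'Enable Content'" advice above can be backed by a triage step that flags macro-enabled Office documents before anyone opens them. The following is an added example written for this article, not code from Kaspersky Lab's report: it inspects the ZIP container that modern Office files use, looks for a VBA project part and macro-related content types, and constructs its own sample documents in memory (the `build_sample` helper and its contents are constructed test data).

```python
"""Triage check for macro-enabled Office documents (added example, not from the
Kaspersky report). Modern Office files (.docx/.docm/.xlsm ...) are ZIP containers;
a VBA project is stored as a vbaProject.bin part and advertised in
[Content_Types].xml. Flagging those parts lets a mail gateway or analyst
quarantine a document before a user is tempted to click "Enable Content"."""
import io
import zipfile

VBA_PART_SUFFIX = "vbaProject.bin"
# Substrings that indicate a macro-enabled package in [Content_Types].xml.
MACRO_CONTENT_TYPES = ("application/vnd.ms-office.vbaProject", "macroEnabled")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls header


def find_macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a document looks macro-enabled ([] if none found)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if name.endswith(VBA_PART_SUFFIX):
                    reasons.append(f"VBA project part present: {name}")
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                for marker in MACRO_CONTENT_TYPES:
                    if marker in ct:
                        reasons.append(f"content type mentions {marker}")
    except zipfile.BadZipFile:
        # Legacy binary Office files are OLE2, not ZIP; they need an OLE parser
        # (e.g. oletools) and are routed to manual review here.
        if data[:8] == OLE2_MAGIC:
            reasons.append("legacy OLE2 document: inspect with an OLE parser")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        ct += '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        if with_macro:
            ct += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro" if flag else "clean", find_macro_indicators(build_sample(flag)))
```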
The Lazarus group is suspected of perpetrating some of the biggest hacks ever seen in the cryptocurrency industry. The group allegedly committed the hack against Coincheck, in which approximately 500 million NEM tokens were stolen in January 2018. The group also allegedly infiltrated the Bithumb network and made off with $31.5 million worth of digital currency.