The North Korean state-sponsored hacking outfit known as Lazarus Group has moved beyond ransomware attacks and shifted its focus to cryptocurrency.
Lazarus Group stands accused of perpetrating the widespread WannaCry ransomware attacks earlier this year. Several private companies and governments, including the U.S., have attributed the attacks to the North Korean hacker group. Now, researchers from cybersecurity vendors Proofpoint, Inc., and RiskIQ say Lazarus Group has initiated attacks on cryptocurrency exchanges and owners in at least two different countries.
"Earlier this year, the activities of the Lazarus group in South Korea were discussed and analyzed, as they managed to compromise accounts on various South Korean cryptocurrency exchanges," wrote Yonathan Klijnsma, threat researcher at RiskIQ, in a blog post. "More recently, they were seen targeting a United Kingdom-based cryptocurrency exchange."
Several cryptocurrency exchanges have been hit by cyberattacks in recent weeks, including South Korean exchange Youbit, which declared bankruptcy after it lost 17% of its assets in a breach last week. While the Youbit attack hasn't been attributed to the Lazarus Group or other North Korean nation-state hackers, other incidents, including a massive spearphishing campaign targeting a UK-based cryptocurrency business, have been connected to the group.
"The Lazarus Group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies," wrote Darien Huss, senior security researcher at Proofpoint, in the company's report.
While Proofpoint and RiskIQ don't name the organizations victimized by the Lazarus Group, researchers from the two vendors outlined the group's new techniques for stealing cryptocurrency from both exchanges and owners. Proofpoint, for example, described several "multistage attacks" that lure victims into downloading malware, including a backdoored version of PyInstaller, a free application that bundles Python programs into a single executable package, and PowerShell malware known as "PowerRatankba" used for reconnaissance. After the initial infections are completed, Huss said, the attackers hit victims with a second wave of malware that harvests credentials for both individual cryptocurrency wallets and exchange accounts.
RiskIQ, meanwhile, identified a large phishing campaign that claimed to be bitcoin wallet software and featured links that impersonated the domain of Bitcoin Gold. According to RiskIQ researchers, Lazarus Group hackers abused internationalized domain name registration to trick victims into believing the malicious site was genuine. In addition, Proofpoint's report highlights a new type of point-of-sale (POS) malware, dubbed "RatankbaPOS," that targets the POS framework of KSNET, a major South Korean payment provider.
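Lookalike domains registered through internationalized domain names can be flagged mechanically before a user ever clicks. The following Python is an added example, not code from RiskIQ, Proofpoint or the original article: it decodes punycode labels and folds non-ASCII characters to the ASCII letters they resemble, then compares the result against a list of protected domains. The domain `bitcoingold.example`, the function names and the short confusables table are assumptions made for illustration.

```python
import unicodedata

# Constructed stand-in for the brand domain a defender wants to protect.
PROTECTED = ["bitcoingold.example"]

# Small illustrative subset of look-alike characters (assumption: production
# code would load Unicode's full confusables data instead of this table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic
    "\u0455": "s",                                               # Cyrillic
    "\u03bf": "o", "\u0261": "g", "\u0131": "i",  # Greek o, script g, dotless i
})

def to_unicode(domain):
    """Decode xn-- (punycode) labels so the name is compared as displayed."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # keep an undecodable label unchanged
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Fold the displayed name to the ASCII string a reader is likely to see."""
    text = to_unicode(domain).translate(CONFUSABLES)
    decomposed = unicodedata.normalize("NFKD", text)  # splits off diacritics
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def impersonated_domain(candidate, protected=PROTECTED):
    """Return the protected domain a non-ASCII candidate imitates, else None."""
    if to_unicode(candidate).isascii():
        return None  # plain ASCII names are outside this check
    folded = skeleton(candidate)
    for real in protected:
        if folded == real.lower():
            return real
    return None

if __name__ == "__main__":
    # Constructed samples: diacritic, Cyrillic "o", and the genuine name.
    for name in ["bitcoing\u00f6ld.example", "bitcoing\u043eld.example",
                 "bitcoingold.example"]:
        print(name.encode("idna", "replace"), "->", impersonated_domain(name))
```

Run over newly observed domains from mail gateways or proxy logs, a non-`None` result marks a name that renders like a protected domain but is not it.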
Huss warned that the Lazarus Group has a financially motivated arm that has branched out beyond typical nation-state activity and is targeting individuals the same way that organized cybercrime outfits have.
"This group now appears to be targeting individuals rather than just organizations: individuals are softer targets," Huss wrote, "often lacking resources and knowledge to defend themselves and providing new avenues of monetization for a state-sponsored threat actor's toolkit."