The North Korean hacking group has turned greedy.
Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to have originated from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.
Active since 2009, Lazarus Group has been attributed to many high-profile attacks, including the Sony Pictures hack, the $81 million heist from the Bangladesh Bank, and the latest, WannaCry.
The United States has officially blamed North Korea for the global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year.
In separate news, security experts have blamed Lazarus Group for stealing bitcoins worth millions from the South Korean exchange Youbit, forcing it to shut down and file for bankruptcy after losing 17% of its assets.
Researchers from security firm Proofpoint have published a new report revealing a connection between Lazarus Group and a number of multistage cyber attacks against cryptocurrency users and point-of-sale systems.
"The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies," the researchers said. "The Lazarus Group's arsenal of tools, implants, and exploits is extensive and under constant development."
After analyzing a large number of spear phishing emails with different attack vectors from multiple spear phishing campaigns, researchers discovered a new PowerShell-based reconnaissance implant from the Lazarus Group arsenal, dubbed PowerRatankba.
The encryption, obfuscation, functionality, decoys, and command-and-control servers used by PowerRatankba closely resemble the original Ratankba implant developed by Lazarus Group.
The PowerRatankba implant is being spread using a massive email campaign through the following attack vectors:
- Windows executable downloader dubbed PowerSpritz
- Malicious Windows Shortcut (LNK) files
- Several malicious Microsoft Compiled HTML Help (CHM) files
- Multiple JavaScript (JS) downloaders
- Macro-based Microsoft Office documents
- Backdoored popular cryptocurrency applications hosted on fake websites
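Every delivery format in the list above except the backdoored applications arrives as an email attachment, and each can be recognised from its bytes rather than its filename. The Python triage routine below is an added example written for this article, not code from Proofpoint or from the report: it classifies an attachment by its public file-format header (LNK, CHM, PE, legacy OLE2 Office, OOXML with an embedded vbaProject.bin) and flags files whose extension does not match their content. The attachment names and bytes in SAMPLES are constructed for the demonstration.

```python
import io
import zipfile
from typing import Optional

# Public file-format headers for the delivery formats named in the campaign.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
CHM_HEADER = b"ITSF"
PE_HEADER = b"MZ"
OLE2_HEADER = bytes.fromhex("d0cf11e0a1b11ae1")
ZIP_HEADER = b"PK\x03\x04"
SCRIPT_EXTENSIONS = {"js", "jse"}

# Extensions a legitimately named file of each class would carry.
EXPECTED_EXT = {
    "windows-shortcut": {"lnk"},
    "compiled-html-help": {"chm"},
    "windows-executable": {"exe", "dll", "scr"},
    "office-ole2-document": {"doc", "dot", "xls", "xlt", "ppt"},
    "office-document-with-macros": {"docm", "dotm", "xlsm", "xltm", "pptm"},
}


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _ooxml_has_vba(data: bytes) -> bool:
    # OOXML is a zip container; a VBA project is stored as vbaProject.bin inside it.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(name: str, data: bytes) -> Optional[str]:
    """Name the risky class an attachment belongs to, judging content before filename."""
    if data.startswith(LNK_HEADER):
        return "windows-shortcut"
    if data.startswith(CHM_HEADER):
        return "compiled-html-help"
    if data.startswith(PE_HEADER):
        return "windows-executable"
    if data.startswith(OLE2_HEADER):
        return "office-ole2-document"  # legacy binary Office; may carry VBA
    if data.startswith(ZIP_HEADER) and _ooxml_has_vba(data):
        return "office-document-with-macros"
    if _extension(name) in SCRIPT_EXTENSIONS:
        return "script-downloader"
    return None


def triage(name: str, data: bytes) -> dict:
    kind = classify_attachment(name, data)
    mismatch = kind in EXPECTED_EXT and _extension(name) not in EXPECTED_EXT[kind]
    return {"name": name, "kind": kind, "extension_mismatch": mismatch,
            "quarantine": kind is not None}


def _make_ooxml(with_vba: bool) -> bytes:
    # Builds a minimal OOXML-shaped zip so the macro check has real input to parse.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (names and bytes invented for this example).
SAMPLES = {
    "Invoice_BTC.lnk": LNK_HEADER + b"\x00" * 32,
    "Crypto_Guide.pdf": LNK_HEADER + b"\x00" * 32,  # shortcut posing as a PDF
    "Help.chm": CHM_HEADER + b"\x03\x00\x00\x00",
    "Update.js": b"// placeholder script body",
    "Wallet_Update.docm": _make_ooxml(True),
    "Notes.docx": _make_ooxml(False),
    "readme.txt": b"plain text",
}


def triage_all(samples: dict = SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}
```

Content-first classification is what catches the shortcut renamed to .pdf. The OLE2 rule deliberately flags every legacy binary Office file, because telling a macro-bearing .doc from a clean one requires parsing its compound-file streams, which this example does not do; a gateway would send those to a sandbox rather than block them outright.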
PowerRatankba, with at least two variants in the wild, acts as first-stage malware that delivers a fully-featured backdoor (in this case, Gh0st RAT) only to those targeted companies, organizations, and individuals that have an interest in cryptocurrency.
"During our research, we discovered that long-term sandboxing detonations of PowerRatankba not running cryptocurrency related applications were never infected with a Stage2 implant. This may indicate that the PowerRatankba operator(s) were only interested in infecting device owners with an obvious interest in various cryptocurrencies," reads the 38-page-long report [PDF] published by Proofpoint.
Once installed, Gh0st RAT allows cybercriminals to steal credentials for cryptocurrency wallets and exchanges.
It's notable that PowerRatankba and Gh0st RAT don't exploit any zero-day vulnerability; instead, Lazarus Group relies on mixed programming practices, like C&C communication over HTTP, use of the Spritz encryption algorithm and a Base64-encoded custom encryptor.
"It is already well-known that Lazarus Group has targeted and successfully breached several prominent cryptocurrency companies and exchanges," the researchers say. "From these breaches, law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today."
Besides stealing cryptocurrencies, the group was also found infecting SoftCamp point-of-sale (POS) terminals, largely deployed in South Korea, using RatankbaPOS malware to steal credit card data.
Since RatankbaPOS was sharing the same C&C server as the PowerRatankba implant, it is believed that both implants are linked to Lazarus Group.
The explosive increase in cryptocurrency values has motivated not only traders but also hackers to invest all their time and resources in making digital wealth.
More details about the new malware campaigns run by Lazarus Group can be found in the in-depth report [PDF], titled "North Korea Bitten by Bitcoin Bug—Financially motivated campaigns reveal a new dimension of the Lazarus Group," published by Proofpoint on Wednesday.