
Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals

The North Korean hacking group has turned greedy.

Security researchers have uncovered a new, widespread malware campaign targeting cryptocurrency users, believed to originate from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.

Active since 2009, Lazarus Group has been attributed to many high-profile attacks, including the Sony Pictures hack, the $81 million heist from the Bangladesh Bank, and most recently WannaCry.

The United States has officially blamed North Korea for the global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year.

In separate news, security experts have blamed Lazarus Group for stealing bitcoins worth millions from the South Korean exchange Youbit, forcing it to shut down and file for bankruptcy after losing 17% of its assets.

Researchers from security firm Proofpoint have published a new report revealing a connection between Lazarus Group and a number of multistage cyber attacks against cryptocurrency users and point-of-sale systems.
"The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies," the researchers said. "The Lazarus Group's arsenal of tools, implants, and exploits is extensive and under constant development."
After analyzing a large number of spear-phishing emails with different attack vectors from multiple spear-phishing campaigns, researchers discovered a new PowerShell-based reconnaissance implant from the Lazarus Group arsenal, dubbed PowerRatankba.

The encryption, obfuscation, functionality, decoys, and command-and-control servers used by PowerRatankba closely resemble those of the original Ratankba implant developed by Lazarus Group.

The PowerRatankba implant is being spread in a massive email campaign through the following attack vectors:
  • A Windows executable downloader dubbed PowerSpritz
  • Malicious Windows Shortcut (LNK) files
  • Several malicious Microsoft Compiled HTML Help (CHM) files
  • Multiple JavaScript (JS) downloaders
  • Macro-based Microsoft Office documents
  • Backdoored popular cryptocurrency applications hosted on fake websites
PowerRatankba, with at least two variants in the wild, acts as a first-stage malware that delivers a fully featured backdoor (in this case, Gh0st RAT) only to those targeted companies, organizations, and individuals that have an interest in cryptocurrency.
"During our research, we discovered that long-term sandboxing detonations of PowerRatankba not running cryptocurrency related applications were never infected with a Stage2 implant. This may indicate that the PowerRatankba operator(s) were only interested in infecting device owners with an obvious interest in various cryptocurrencies," reads the 38-page report [PDF] published by Proofpoint.
Once installed, Gh0st RAT allows cybercriminals to steal credentials for cryptocurrency wallets and exchanges.

It is notable that PowerRatankba and Gh0st RAT do not exploit any zero-day vulnerability; instead, Lazarus Group relies on mixed programming practices, such as C&C communication over HTTP, use of the Spritz encryption algorithm, and a Base64-encoded custom encryptor.
"It is already well-known that Lazarus Group has targeted and successfully breached several prominent cryptocurrency companies and exchanges," the researchers say. "From these breaches, law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today."
Besides stealing cryptocurrencies, the group was also found infecting SoftCamp point-of-sale (POS) terminals, largely deployed in South Korea, with RatankbaPOS malware to steal credit card data.

Since RatankbaPOS shared the same C&C server as the PowerRatankba implant, both implants are believed to be linked to Lazarus Group.

The explosive increase in cryptocurrency values has motivated not only traders but also hackers to invest all their time and resources in making digital wealth.

More details about the new malware campaigns run by Lazarus Group can be found in the in-depth report [PDF], titled "North Korea Bitten by Bitcoin Bug—Financially motivated campaigns reveal a new dimension of the Lazarus Group," published by Proofpoint on Wednesday.