Researchers at Secureworks Counter Threat Unit (CTU) have been tracking the North Korean Lazarus Group. The Lazarus Group is credited with a number of high profile hacking and cyber-espionage attacks. The CTU say the latest campaign Lazarus Group campaign is: “a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company.”
The CTU claims that this is a continuation of a campaign started in 2016. It believes the latest set of spearphishing emails started to be sent around October 25. North Korea has been accused of several successful attacks against cryptocurrency wallets. Those attacks are believed to have yielded over $100 million in various cryptocurrencies. With global sanctions against the country over its nuclear missile programme, this gives it potential access to foreign currency.
Lazarus Group using proven attack vectors
There appears to be nothing especially sophisticated in this spearphishing campaign from the Lazarus Group. The attack consists of:
- An email with a Microsoft Word document as an attachment.
- A message asking the user to accept the ‘Enable Editing’ and ‘Enable Content’ functions.
- A malicious macro which displays a secondary document that the CTU calls the CFO Job Lure.
- The macro also installs a Remote Access Trojan (RAT). This allows the attackers to download malware onto the victims computer.
This is no different in terms of the steps than many other spearphishing attacks. What is surprising is that the document is not being flagged as suspicious by security software on email servers. It will also worry security teams that people are willing to open a document and enable macros.
Lazarus Group using LinkedIn for inspiration
The CTU investigation has identified similarities between the job description and a LinkedIn profile. It says: “The job description for a CFO at a European-based Bitcoin company used in the lure document is similar to the LinkedIn profile of a Chief Financial Officer of an actual cryptocurrency company in the Far East. Despite using an actual company name in the lure, CTU researchers have no evidence to conclude that any identified company in the lure is the subject of a targeted operation.”
This use of social media as the basis for an attack is not new. However, it does raise more questions about the amount of information that people put on social networks. While some see it as a way to attract recruiters, hackers see it as valuable source materials. Business sites such as LinkedIn also make it easy to find victims. All the attacker needs to do is look for people who are already a CTO. They can then use either fake LinkedIn accounts set up to look like recruiters or just go to most corporate websites to get an email address.
The CTU also points out that the Lazarus Group has used job descriptions from online sites in the past. By taking legitimate job ads the hacking group makes it hard for victims to spot that this is an attack rather than a targeted recruitment effort.
What does this mean?
There are several things that are evident from this attack. North Korea continues to be a serious threat in cyber security terms. Its investment in state sponsored hacking continues to pay off as recent crypto wallet thefts show.
However, this is not all due to highly skilled hacking. A number of its attacks, such as this spearphishing campaign should not succeed. The tools to detect the infected Word documents are widely available. Available, of course, does not mean used and any successful attack should be a serious concern to IT security teams.
This attack also shows the need for continual training of staff. When staff are part of a continuous training programme, they tend to spot many phishing attacks. If the training stops then staff quickly forget their training and fall victim. This is something that Aaron Higbee, CTO, PhishMe talked about in his podcast with Enterprise Times.