McAfee analysts released research on Monday indicating that Lazarus, a cybercrime group known for its association with North Korea as well as for its involvement in the 2017 WannaCry ransomware attack and the 2014 Sony hack, is now using never-before-seen tactics to attempt to steal Bitcoin in a campaign called HaoBao. In his summary of the findings, senior McAfee analyst Ryan Sherstobitoff characterizes the recent spate of hacks as “an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.”
Last month, McAfee discovered a fake Word document that purported to contain a job description for a bank executive position in Hong Kong. The Lazarus group, assuming the identity of a recruiter, had sent a Dropbox link to the document in a spear phishing email. The document contains a malicious implant that recipients are tricked into enabling through a false notification, which states that the file was created in a previous version of Microsoft Word. The implant then scans the computer for cryptocurrency wallets, a type of software that people use to store their bitcoins, in order to identify them for further attacks.
Bitcoin theft isn’t new, but it has proliferated during the cryptocurrency boom of the last year. The crime often involves a hacker gaining access to an owner’s private key, a string of code that unlocks a wallet. Upon breaching the program, hackers can then transfer those funds to their own wallet. Large-scale thefts have been known to cripple large crypto organizations in the past: Mt. Gox, once the largest crypto exchange, had to declare bankruptcy in 2014 after hackers absconded with $460 million worth of bitcoin.
In the case of HaoBao, McAfee analysts found several of the malicious Word documents listing the same author from Jan. 16 to Jan. 24, which had been sent to companies using phishing emails. Though Lazarus has been known to spoof Microsoft Word in the past, the HaoBao campaign is notable for its smaller and more sophisticated implant, which has the ability to launch the attack directly into a computer’s memory and thus leaves a limited footprint. Lazarus is also automating the attack to target a large number of potential victims and focusing on bitcoin users, all of which increases their chances of stealing wallet contents. Sherstobitoff told Slate, “It’s becoming more organized than when [Lazarus] first started targeting cryptocurrencies. They’re now finding ways so that they can send it out to 300 organizations and hit two percent of them successfully.”