The North Korean Lazarus Group organised a cyber-attack campaign targeting organisations in the cryptocurrency vertical in the United States, United Kingdom, Netherlands, Germany, Singapore, Japan, and other countries, F-Secure Corporation revealed Tuesday, 25 August, in a report.
F-Secure’s report, entitled “Lazarus Group Campaign Targeting the Cryptocurrency Vertical”, analyses samples, logs, and other technical artefacts collected during an incident response investigation at an organisation working in the cryptocurrency vertical.
According to the report, the attack’s malicious implants were nearly identical to tools reportedly used previously by Lazarus Group, which is also known as APT38.
The report stated that the group used LinkedIn to send fake job offers tailored to the recipient’s profile, the tactic catalogued among the Tactics, Techniques, and Procedures (TTPs) as spearphishing via a service.
“Our research, which included insights from our incident response, managed detection and response, and tactical defense units, found that this attack bears a number of similarities with known Lazarus Group activity,” F-Secure Director of Detection and Response Matt Lawrence said, asserting that the group is behind the attack.
“The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important. Companies can use the report to familiarise themselves with this incident, the TTPs, and Lazarus Group in general, to help protect themselves from future attacks,” Lawrence added.
In 2017, the group reportedly stole $7 million from the Bithumb exchange in South Korea.
The report referred to the use of similar artefacts in campaigns in at least 14 countries: the United States, China, United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan, and the Philippines.
F-Secure connects the attack on an organisation working in the cryptocurrency vertical with a global Lazarus Group campaign.
The North Korean group invested significant effort in evading the target organisation’s defences during the attack, for example by disabling anti-virus software on the compromised hosts and removing evidence of its malicious implants, the report stated.
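The two defence-evasion behaviours mentioned above, switching off endpoint protection and wiping evidence, leave their own traces in Windows event logs, and hunting for them is a reasonable complement to the report’s indicators. The script below is an added example and is not code from the F-Secure report; it scans constructed log lines for such events. The event IDs it keys on are assumptions about the Windows Defender operational log (5001 real-time protection disabled, 5010 scanning disabled), the System log (7036 service state change) and the Security log (1102 audit log cleared), and the service display name is likewise assumed; adapt them to whatever your endpoint product actually emits.

```python
"""Flag hosts showing anti-virus tampering or log clearing.

Added example, not from the F-Secure report. Event IDs and the
"Windows Defender Antivirus Service" display name are assumptions;
the sample log lines are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <host> <log source> <event id> <message>"
SAMPLE_LOG = """\
2020-08-20T09:14:02Z host-a Defender 1001 Scan finished
2020-08-20T09:15:11Z host-b Defender 5001 Real-time protection is disabled
2020-08-20T09:15:13Z host-b System 7036 The Windows Defender Antivirus Service service entered the stopped state
2020-08-20T09:16:40Z host-c Defender 5010 Scanning for malware is disabled
2020-08-20T09:17:00Z host-a System 7036 The Print Spooler service entered the running state
2020-08-20T09:18:05Z host-b Security 1102 The audit log was cleared
2020-08-20T09:19:30Z host-b Defender 5000 Real-time protection is enabled
"""

# (log source, event id, message pattern, label). IDs are assumed, see docstring.
TAMPER_SIGNATURES = [
    ("Defender", "5001", re.compile(r"disabled", re.I), "realtime_protection_disabled"),
    ("Defender", "5010", re.compile(r"disabled", re.I), "scanning_disabled"),
    ("System", "7036",
     re.compile(r"Windows Defender Antivirus Service.*stopped", re.I), "av_service_stopped"),
    ("Security", "1102", re.compile(r"audit log was cleared", re.I), "audit_log_cleared"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, source, event_id, msg = m.groups()
    return {"ts": ts, "host": host, "source": source, "event_id": event_id, "msg": msg}


def find_tampering(log_text):
    """Return {host: [labels]} for every host with at least one matching event, in log order.

    Both the event id and the message pattern must match: the id alone is not
    enough, because the same id can carry different state changes (7036 is
    emitted for both 'stopped' and 'running').
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        for source, event_id, pattern, label in TAMPER_SIGNATURES:
            if ev["source"] == source and ev["event_id"] == event_id and pattern.search(ev["msg"]):
                hits[ev["host"]].append(label)
    return dict(hits)


if __name__ == "__main__":
    for host, labels in find_tampering(SAMPLE_LOG).items():
        print(host, "->", ", ".join(labels))
```

Note that host-b re-enables real-time protection a few minutes later: an attacker who disables protection, acts, and restores it leaves a short gap that a point-in-time check of AV status would never see, which is why the hunt runs over the event history rather than the current configuration. A hit here is a lead, not a verdict; correlate it with the indicators of compromise the report publishes before drawing conclusions.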
The report also contained more information for defenders, including indicators of compromise, a list of TTPs used in the attack, and additional advice for detecting Lazarus Group activity. It is now available on F-Secure Labs.