Breaking

Saturday, December 16, 2017

North Korea's digital army has a new target: Bitcoin! A look inside their latest, and still active operation...


They're known within the darknet underground as "The Lazarus Group" but intelligence sources say they're North Korea's digital army. You may have heard the name before in the infamous 2014 hack of Sony Pictures.

But their latest operation has a new target - cryptocurrency, and was discovered by cyber security company Secureworks.

The focus of the attack is executives at financial firms that hold and manage cryptocurrencies, and it works like this - an executive receives an e-mail, which states there's an opportunity to move up in the ranks, and become the company's Chief Financial Officer.

There is an attachment in the form of a Microsoft word file.  When opened, they recieve a notification "editing must be enabled to view the docunent" and when the user clicks "ok" it launches an embedded script that does 2 things.

First, it creates then opens harmless document - an actual job description to keep the user distracted and unsuspicious.

Second, secretly launches the instillation of a Trojan virus.

The harmless looking job description doc (Image: Secureworks)
The virus is designed to give full remote access to the hackers.  The computer is now completely under their control - they can log what's being typed, see what's on the screen, and even install more malware if they wish.

While remote access Trojans are nothing new and can even be bought and sold on underground darknet forums, what stands out about this one is it doesn't seem to be a variation of previously known Trojans - this one appears to have been freshly coded from scratch.

Evaluating the code, Secureworks Counter Threat Unit recognized something from previous North Korean operations - it's heavy reliance on the C2 protocol, which The Lazarus Group has used in the past to communicate to their main command and control servers.

The first discoveries of this new attack started in October, and are continuing today.

Those who feel they could be the target of such attacks are recommended to make sure macros are disabled in Microsoft Word, and require two-factor authentication on systems with sensitive data.

-------
Author: Ross Davis
San Francisco News Desk