McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact. This new campaign, dubbed HaoBao, resumes Lazarus' previous phishing emails, posed as employee recruitment, but now targets Bitcoin users and global financial organizations. When victims open malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering. HaoBao's targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.

This blog was written with support and contributions provided by Asheer Malhotra, Jessica Saavedra Morales, and Thomas Roccia.

Background

Beginning in 2017, the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters, which contained malicious documents. The campaign lasted from April to October and used job descriptions relevant to the target organizations, in both English and Korean. The objective was to gain access to the target's environment and obtain key military program insight or steal money. The 2017 campaign's targets ranged from defense contractors to financial institutions, including cryptocurrency exchanges; however, much of this fake job recruitment activity ceased months later, with the last activity observed on October 22, 2017.

On January 15th, McAfee ATR discovered a malicious document masquerading as a job recruitment for a Business Development Executive located in Hong Kong for a large multi-national bank. The document was distributed via a Dropbox account at the following URL: hxxps://

This is the mark of a new campaign, though it utilizes the techniques, tactics and procedures observed in 2017. The document had the last author 'Windows User' and was created in January with Korean language resources. Several additional malicious documents with the same author appeared between January 16 and January 24, 2018. Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim's system via a Visual Basic macro. The document (7e70793c1ca82006775a0cac2bd75cc9ada37d7c) creates, drops and executes an implant, compiled in January, with the name lsm.exe (535f212b320df049ae8b8ebe0a4f93e3bd25ed79).
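As an added triage example (not McAfee's code), the function below checks a file against the two SHA-1 indicators quoted in this post and flags the macro-plus-pretext combination the post describes: an embedded VBA project together with the "earlier version of Microsoft Word" notification. The OOXML part name and OLE2 stream name are standard Office structures; build_sample_docm is a constructed stand-in for testing, not a real lure.

```python
import hashlib
import io
import zipfile

# SHA-1 indicators quoted in the post (lure document and dropped implant).
HAOBAO_SHA1 = {
    "7e70793c1ca82006775a0cac2bd75cc9ada37d7c": "HaoBao lure document",
    "535f212b320df049ae8b8ebe0a4f93e3bd25ed79": "HaoBao implant (lsm.exe)",
}
OOXML_VBA_PART = "word/vbaProject.bin"                 # macro part inside a .docm zip
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 stream name in a legacy .doc
LURE_PHRASE = b"earlier version of Microsoft Word"     # the "enable content" pretext

def _ooxml_parts(data: bytes) -> dict:
    """Return {part name: bytes} for an OOXML zip container, {} otherwise."""
    if not data.startswith(b"PK\x03\x04"):
        return {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return {n: z.read(n) for n in z.namelist()}
    except zipfile.BadZipFile:
        return {}

def triage(data: bytes) -> dict:
    """Score one file: known-hash hit, embedded VBA project, lure text."""
    sha1 = hashlib.sha1(data).hexdigest()
    parts = _ooxml_parts(data)
    if parts:  # OOXML: macro is a named part, body text lives in document.xml
        has_macro = OOXML_VBA_PART in parts
        has_lure = LURE_PHRASE in parts.get("word/document.xml", b"")
    else:      # legacy OLE2: scan raw bytes (stream names UTF-16LE, text 8-bit or UTF-16LE)
        has_macro = OLE_VBA_MARKER in data
        has_lure = LURE_PHRASE in data or LURE_PHRASE.decode().encode("utf-16-le") in data
    known = HAOBAO_SHA1.get(sha1)
    return {
        "sha1": sha1, "known_ioc": known,
        "has_macro": has_macro, "has_lure_text": has_lure,
        # Hash hit, or the macro-plus-pretext combination the post describes.
        "suspicious": known is not None or (has_macro and has_lure),
    }

def build_sample_docm(with_macro: bool, with_lure: bool) -> bytes:
    """Constructed test input: a minimal OOXML container, not a real sample."""
    text = b"created in an earlier version of Microsoft Word" if with_lure else b"Quarterly report"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", b"<w:document><w:t>" + text + b"</w:t></w:document>")
        if with_macro:
            z.writestr(OOXML_VBA_PART, b"\x01\x16\x01\x00")  # placeholder bytes, no real VBA
    return buf.getvalue()
```

Hash matching is exact and only hits the two files named in the post; the macro-plus-pretext heuristic is a broader, noisier signal intended for triage, not blocking.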