
Lazarus returns to steal your bitcoins

The malware uses phishing emails to launch a cryptocurrency con.

A well-known piece of banking malware, Lazarus, has returned. No longer content with hacking its way into your bank account, the malware now scans for bitcoin activity and then infects your computer with a program designed for long-term data-gathering, according to researchers from security firm McAfee.

The attacks begin with phishing emails: messages that look legitimate but are used to deliver a malicious payload. These messages pose as recruitment correspondence but carry file attachments that, if opened, monitor what's going on within your computer, looking for cryptocurrency activity.

McAfee's Advanced Threat Research team discovered the new campaign, dubbed HaoBao, which directs recipients to open a recruitment document for a Business Development Executive position at a large multinational bank in Hong Kong. The document was distributed via a Dropbox account.

The document contains a macro, so the attack relies on users allowing the document to run the embedded code that launches it. The infected document drops a new file onto the computer which, in turn, creates the tool that monitors the system for cryptocurrency activity. The process is quite sophisticated: it even opens a decoy Word document so that everything appears to be behaving normally.

Once it has collected the data the attackers want, it communicates with a remote "command and control" server, which receives the data and issues instructions to the malicious program.

It's not surprising that criminals are turning to this kind of attack. It's far easier and cheaper to steal cryptocurrencies than to mine them. And phishing attacks have proven to be a reliable way of spreading malware, so it makes sense for the bad guys to go with a method that has worked in the past.

Avoiding this kind of attack is not difficult. The old security maxim of not opening attachments from unknown sources applies, and not allowing macros to run is also a good idea. Up-to-date endpoint security software is a must, and network managers should be monitoring for any unexpected outbound communications from their network.
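As an added example that is not part of the Finder article or McAfee's research, the following PowerShell snippet audits the Word macro policy settings an administrator would use to stop a macro-laden document like the one described above from running its code. It assumes Office 2016 or later (the `16.0` registry key) and the standard Group Policy registry path for Word's security settings.

```powershell
# Added example: audit whether Word macro execution is locked down by policy.
# Assumption: Office 2016/2019/365, which store policy under the 16.0 key.
$officeVersion = '16.0'
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security"

# Documented meanings of the Trust Center VBAWarnings levels.
$vbaLevels = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (user can still click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroPolicy {
    $result = [ordered]@{
        PolicyKeyExists     = Test-Path $policyKey
        VBAWarnings         = $null
        VBAWarningsMeaning  = 'Not set by policy (user-controlled, defaults to 2)'
        BlockInternetMacros = $false
    }
    if ($result.PolicyKeyExists) {
        $props = Get-ItemProperty -Path $policyKey
        if ($null -ne $props.VBAWarnings) {
            $result.VBAWarnings        = [int]$props.VBAWarnings
            $result.VBAWarningsMeaning = $vbaLevels[$result.VBAWarnings]
        }
        # Blocks macros in files carrying the Mark-of-the-Web, which a document
        # downloaded with a browser from a file-sharing service will have.
        if ($props.blockcontentexecutionfrominternet -eq 1) {
            $result.BlockInternetMacros = $true
        }
    }
    [pscustomobject]$result
}

$policy = Get-WordMacroPolicy
$policy | Format-List

# Level 3 or 4 plus the internet block is the hardened state a defender wants;
# level 2 leaves the decision to the user, which is exactly what this lure relies on.
if ($policy.BlockInternetMacros -and $policy.VBAWarnings -ge 3) {
    Write-Output 'OK: Word macros are blocked by policy.'
} else {
    Write-Warning 'Word macro policy is not hardened: set VBAWarnings to 3 or 4 and blockcontentexecutionfrominternet to 1 via Group Policy.'
}
```

The same keys exist under the Excel and PowerPoint subkeys, so the check can be repeated per application by changing the last path component.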
