Lazarus returns to steal your bitcoins

Anthony Caruana 13 February 2018


The malware uses phishing emails to launch a cryptocurrency con.

A well-known piece of banking malware, Lazarus, has returned. No longer content with hacking its way into your bank account, the malware now scans for bitcoin activity and then infects your computer with a program designed for long-term data-gathering, according to researchers from security firm McAfee.

The attacks begin with phishing emails: messages that look legitimate but are used to deliver a malicious payload. The messages look like recruitment messages but contain file attachments that, if opened, monitor what's going on within your computer, looking for cryptocurrency activity.

McAfee's Advanced Threat Research team discovered the new campaign, dubbed HaoBao, which directs recipients to open a recruitment document for a Business Development Executive position in Hong Kong at a large multinational bank. The document was distributed via a Dropbox account.

The document contains a macro, so the attack relies on the user allowing the document to run the code that launches it. The infected document drops a new file onto the computer which, in turn, creates the tool that monitors the system for cryptocurrency activity. The process is quite sophisticated: it even opens a decoy Word document so that you think it is behaving correctly.

Once it collects the data the attackers want, it communicates with a remote "command and control" server, which receives the data and issues instructions to the malicious program.

It's not surprising that criminals are turning to this kind of attack. It's far easier and cheaper to steal cryptocurrencies than to mine them. And phishing attacks have proven to be a reliable way of spreading malware, so it makes sense for the bad guys to go with a method that has worked in the past.

Avoiding this kind of attack is not difficult. The old security maxim of not opening attachments from unknown sources applies. And not allowing macros to run is also a good idea. Up-to-date end-point security software is a must and network managers should be monitoring for any outbound communications from their network that are unexpected.
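The HaoBao lure described above only works if a macro-bearing document reaches the user and is allowed to run. A practical control on the mail-gateway or incident-response side is to look inside Office attachments for a VBA project before they are delivered, rather than trusting the file extension. The script below is an added example, not code from the article or from McAfee: it builds constructed sample OOXML containers (the zip layout used by .docx/.docm files), detects the `vbaProject.bin` part that holds a VBA macro, and flags legacy binary Office files for separate review. The function names and the stub document contents are assumptions for illustration.

```python
import io
import zipfile

# Name of the OOXML part that holds a VBA project (compared case-insensitively).
MACRO_PART_SUFFIX = "vbaproject.bin"

# Magic bytes of an OLE compound file (legacy .doc/.xls and vbaProject.bin itself).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing.

    This is constructed test data, not a real document from the campaign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; a stub is enough here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b" stub")
    return buf.getvalue()


def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML attachment (docx/docm/xlsm/pptm) carries a VBA project.

    The check inspects the zip contents, not the extension, so a macro-bearing
    file renamed to .docx is still caught.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith(MACRO_PART_SUFFIX) for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(data: bytes) -> str:
    """Classify one attachment body for a gateway filter or IR script."""
    if data[:8] == OLE_MAGIC:
        # Legacy binary Office formats store macros in an OLE storage; checking
        # that needs an OLE parser (e.g. oletools), so hand it to a reviewer.
        return "review: legacy OLE document, macro check needs an OLE parser"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "pass: not an Office container"
    if has_vba_macro(data):
        return "quarantine: VBA macro present"
    return "pass: OOXML without macros"


def triage_mailbox(attachments: dict[str, bytes]) -> dict[str, str]:
    """Run triage over a {filename: bytes} mapping and return verdicts by name."""
    return {name: triage_attachment(body) for name, body in attachments.items()}


if __name__ == "__main__":
    # Constructed attachments: the recruitment-style lure is renamed to .docx
    # to show that the extension does not matter to the check.
    sample = {
        "Business_Development_Executive.docx": build_sample(True),
        "notes.docx": build_sample(False),
        "legacy.doc": OLE_MAGIC + b"\x00" * 16,
        "readme.txt": b"plain text",
    }
    for name, verdict in triage_mailbox(sample).items():
        print(f"{name}: {verdict}")
```

The verdicts are deliberately coarse: quarantining every macro-bearing attachment matches the article's advice of not allowing macros to run at all, and a site that needs some macro documents would add an allowlist of senders or signed projects on top of this check rather than loosening it.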

This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock
