Lazarus returns to steal your bitcoins
The malware uses phishing emails to launch a cryptocurrency con.
A well-known piece of banking malware, Lazarus, has returned. No longer content with hacking its way into your bank account, the malware now scans for bitcoin activity and then infects your computer with a program designed for long-term data-gathering, according to researchers from security firm McAfee.
The attacks begin with phishing emails: messages that look legitimate but are used to deliver a malicious payload. The messages look like recruitment messages but contain file attachments that, if opened, monitor what's going on within your computer, looking for cryptocurrency activity.
McAfee's Advanced Threat Research team discovered the new campaign, dubbed HaoBao, which directs recipients to open a recruitment document for a Business Development Executive located in Hong Kong for a large multinational bank. The document was distributed via a Dropbox account.
The document contains a macro, so it relies on users allowing the document to execute the computer code that launches the attack. The infected document adds a new file to the infected computer which, in turn, creates the tool that monitors the system for cryptocurrency activity. The process is quite sophisticated: it even opens a decoy Word document so you think it's behaving correctly.
Once it collects the data wanted by the bad guys, it communicates with a remote "command and control" server, which collects the data and issues instructions to the malicious program.
It's not surprising that criminals are turning to this kind of attack. It's far easier and cheaper to steal cryptocurrencies than to mine them. And phishing attacks have proven to be a reliable way of spreading malware, so it makes sense for the bad guys to go with a method that has worked in the past.
Avoiding this kind of attack is not difficult. The old security maxim of not opening attachments from unknown sources applies. Not allowing macros to run is also a good idea. Up-to-date endpoint security software is a must, and network managers should be monitoring for any unexpected outbound communications from their network.
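Because the campaign hinges on a macro-laden Word attachment, a useful mail-gateway or triage check is simply whether an incoming document carries VBA at all. The script below is an added example, not McAfee's tooling or anything from the report; it assumes the attachment is a modern OOXML package (.docx/.docm, a zip file) and constructs its own sample documents, so legacy binary .doc files are out of scope.

```python
import io
import zipfile

# Package parts that indicate embedded VBA in an OOXML document.
MACRO_PART_NAMES = ("vbaProject.bin", "vbaData.xml")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(doc_bytes: bytes) -> list[str]:
    """Return the names of package parts that indicate embedded VBA macros.

    An empty list means no indicator was found. Non-zip input (e.g. a legacy
    binary .doc) is reported as empty rather than raising, since this check
    only understands OOXML packages.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
            names = pkg.namelist()
            hits = [n for n in names if n.rsplit("/", 1)[-1] in MACRO_PART_NAMES]
            # Also look at the content-types manifest: a macro-enabled file declares
            # the vbaProject content type even if the part name is unusual.
            if "[Content_Types].xml" in names:
                manifest = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in manifest:
                    hits.append("[Content_Types].xml")
            return hits
    except zipfile.BadZipFile:
        return []


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package for testing (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        manifest = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            manifest += ('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        manifest += "</Types>"
        pkg.writestr("[Content_Types].xml", manifest)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {"recruitment_offer.docm": build_sample_docx(True), "resume.docx": build_sample_docx(False)}
    for name, data in samples.items():
        hits = find_macro_indicators(data)
        print(f"{name}: {'MACRO INDICATORS ' + ', '.join(hits) if hits else 'no macro indicator'}")
```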