According to the security company AlienVault, the malicious HWP documents used in recent attacks on cryptocurrency exchanges were authored by Lazarus, a group funded by the North Korean government.
Among the victims was Bithumb, South Korea's largest cryptocurrency exchange, which was compromised in an attack that relied on malicious HWP documents; the attackers stole more than $30 million in cryptocurrency.
Lazarus, also tracked as BlueNoroff, stole $81 million from the Central Bank of Bangladesh in 2016 and is considered the most serious threat to banks and now, perhaps, to cryptocurrency companies. The group has used an ActiveX vulnerability in earlier attacks on South Korean companies. Now it is also using a series of malware-laden HWP documents aimed at participants in a recent G20 finance meeting.
AlienVault has analyzed three similar documents carrying malicious code. One of them refers to a meeting of the G20 International Finance Working Group, a body that coordinates economic policy among the major economies.
The HWP files embed malicious code that installs further malware on the compromised system, for example a 32-bit build of Manuscrypt, which other security researchers have already described in detail. Malicious fake resumes are also in use. The infected HWP files are believed to have been used by Lazarus in May and June to rob the Bithumb exchange.
Cryptocurrency companies were sent fake resumes that closely resembled the documents used to install Manuscrypt.
“We can’t be sure yet, but we suspect that this malware is related to the theft of funds from the Bithumb exchange,” notes AlienVault.
Similar malicious HWP documents have been sent to users of South Korean crypto platforms before.
The researchers also noticed that domains associated with cryptocurrency phishing were registered with the same phone number as a domain (itaddnet[.]com) associated with some of the malware. This suggests that the attackers are harvesting credentials in addition to distributing malware.
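The registrant-phone overlap described above is a standard infrastructure pivot: normalize the WHOIS contact field, group domains that share it, and flag groups that mix phishing-tagged and malware-tagged domains. The script below is an added illustration written for this article, not AlienVault's tooling. Only itaddnet[.]com comes from the report; every other domain, phone number and intel tag is constructed, and the WHOIS data is embedded inline rather than queried live. It also handles the caveat a practitioner hits immediately: privacy-redacted placeholders must be excluded or every proxy-registered domain collapses into one meaningless cluster.

```python
# Added example: pivoting on shared WHOIS registrant phone numbers to link
# credential-phishing domains with malware infrastructure. Constructed data;
# only itaddnet[.]com is taken from the article, the rest are hypothetical.
import re
from collections import defaultdict

# Constructed WHOIS extract: (defanged domain, registrant phone, existing intel tag)
CONSTRUCTED_WHOIS = [
    ("itaddnet[.]com",             "+82.1000000001",       "malware-c2"),
    ("wallet-login[.]example",     "+82.1000000001",       "crypto-phishing"),
    ("exchange-verify[.]example",  "+82.10-0000-0001",     "crypto-phishing"),
    ("unrelated-shop[.]example",   "+1.5550100",           "benign"),
    ("proxy-registered[.]example", "REDACTED FOR PRIVACY", "crypto-phishing"),
]


def normalize_phone(raw):
    """Reduce a WHOIS phone string to its digits so '+82.10-0000-0001' and
    '+82.1000000001' compare equal; return None when no digits remain
    (privacy-proxy placeholders must never be used as a pivot key)."""
    digits = re.sub(r"\D", "", raw)
    return digits or None


def refang(domain):
    """Turn the defanged 'a[.]b' form used in reports back into a hostname."""
    return domain.replace("[.]", ".")


def cluster_by_phone(records):
    """Group domains by normalized registrant phone, skipping redacted entries."""
    clusters = defaultdict(list)
    for domain, phone, tag in records:
        key = normalize_phone(phone)
        if key is None:
            continue  # redacted registrant data carries no attribution signal
        clusters[key].append((refang(domain), tag))
    return dict(clusters)


def cross_tag_clusters(clusters):
    """Keep only clusters whose members carry more than one intel tag, i.e.
    a registrant tied to both phishing and malware infrastructure."""
    return {k: v for k, v in clusters.items() if len({t for _, t in v}) > 1}


def domains_sharing_registrant(records, seed_domain):
    """Starting from one known-bad domain, return the other domains registered
    with the same phone number, sorted for stable output."""
    seed = refang(seed_domain)
    for members in cluster_by_phone(records).values():
        names = [d for d, _ in members]
        if seed in names:
            return sorted(d for d in names if d != seed)
    return []


if __name__ == "__main__":
    linked = cross_tag_clusters(cluster_by_phone(CONSTRUCTED_WHOIS))
    for phone, members in linked.items():
        print(f"registrant {phone} links: {members}")
    print("pivot from itaddnet[.]com:",
          domains_sharing_registrant(CONSTRUCTED_WHOIS, "itaddnet[.]com"))
```

In practice the same pivot is run over registrant e-mail, name-server pairs and SSL certificate fields, with the same rule: drop any value shared by thousands of unrelated registrations before treating an overlap as attribution evidence.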
“It is strange that Lazarus has a registered domain, usually the group prefers to compromise other people's legitimate websites. So this would be an unusual attack if it was indeed carried out by members of the Lazarus gang,” says AlienVault.
Lazarus could well have hacked Bithumb earlier this month, given that it already attacked the exchange last year, which likely gave it the information it needed to do so again. Over the past year the group has also attacked other cryptocurrency exchanges.
“The Lazarus group’s hacker attacks are unlikely to stop soon, given the volume of funds stolen. The profit received from the attack on the Central Bank of Bangladesh - almost 1 billion US dollars - is 3% of North Korea's GDP. Stealing funds from South Korean organizations helps North Korea weaken its closest competitor, neighbor and ideological rival,” AlienVault said.
According to securityweek.com