According to cybersecurity company AlienVault, the author of the infected HWP documents used in recent attacks on exchanges is the North Korean government-funded group Lazarus.
Among others, South Korea's largest cryptocurrency exchange, Bithumb, was hit by malicious code injection attacks on HWP documents, where hackers stole more than $30 million in cryptocurrency.
The Lazarus, or BlueNoroff, group, which stole $81 million from the Central Bank of Bangladesh in 2016, is believed to pose the most serious threat to banks and now, perhaps, to cryptocurrency companies. The Lazarus group used the ActiveX vulnerability in attacks on South Korean companies. Now, hackers are also using a series of viruses embedded in HWP documents to attack participants at the recent G20 financial meeting.
AlienVault has analyzed three similar documents infected with malicious code. One of them mentions a meeting of the G20 International Finance Working Group aimed at coordinating economic policies among developed countries.
The HWP files are embedded with malicious code that installs a payload on the attacked system (for example, a 32-bit version of Manuscrypt, which has already been described in detail by other security researchers). Infected fake resumes are also used. It is believed that the infected HWP files were used by the Lazarus group earlier in May and June to rob the Bithumb exchange.
Cryptocurrency companies were sent fake resumes that were strikingly similar to the documents used to install the Manuscrypt program.
“We can’t be sure yet, but we suspect that this malware is related to the theft of funds from the Bithumb exchange,” notes AlienVault.
Similar HWP-infected documents have been sent to users of crypto platforms in South Korea in the past.
In addition, the researchers noticed that domains associated with cryptocurrency phishing were registered to the same phone number as a domain (itaddnet [.] Com) associated with some malware. This means that attackers are also stealing credentials, along with sending out malware.
“It is strange that Lazarus has a registered domain, usually the group prefers to compromise other people's legitimate websites. So this would be an unusual attack if it was indeed carried out by members of the Lazarus gang,” says AlienVault.
The Lazarus group could very well have hacked the Bithumb exchange earlier this month, given that it already attacked the exchange last year, which likely gave it the information it needed to do it again. Throughout the year, the group also attacked other cryptocurrency exchanges.
“The Lazarus group’s hacker attacks are unlikely to stop soon, given the volume of funds stolen. The profit received from the attack on the Central Bank of Bangladesh - almost 1 billion US dollars - is 3% of North Korea's GDP. Stealing funds from South Korean organizations helps North Korea weaken its closest competitor, neighbor and ideological rival,” AlienVault said.
According to securityweek.com