New Lazarus Group Financial Tactics

Intezer has released a paper on their findings concerning the Lazarus Group's new targets and tactics. Targeting financial institutions with phishing emails and malware is a common practice for this threat-actor group. In a recent campaign called Blockbuster, forty-five unique families of malware were identified in the attacks. This attack campaign is similar in nature but uses upgraded malware. Phishing emails are sent out with malicious document payloads that contain an embedded VBA (Visual Basic for Applications) macro. Targets include cryptocurrency exchanges, FinTech companies, financial companies, and others dealing with cryptocurrencies.

The document, "Investment Proposal.doc", purports to be from an Australia-based law firm called Holley Nethercote. Its content claims that the firm has evaluated a number of different cryptocurrencies and is putting forward an investment proposal for interested parties. A number of typos and other inconsistencies appear throughout the document.

Once the unsuspecting victim opens the document, the VBA macro begins its work: it drops and executes an embedded RAT (Remote Access Tool) on the victim's system. Intezer determined that approximately eighty-five percent of the RAT's code had not been used in prior campaigns they had observed, implying that the RAT is still evolving. After establishing persistence so that it survives a reboot, the RAT opens a backdoor and awaits commands from its command and control servers. It can perform approximately twenty-two different functions, including reporting hard drive space, volume information, computer name, and user name, as well as retrieving and deleting files. Communication with the command and control servers is encrypted using wolfSSL, with two different certificates and one private key.