The infamous North Korea-linked hacker group Lazarus has been found targeting South Korea with a new batch of specially-crafted, malware-laced documents. AlientVault researchers said the group has been deploying malicious Hangul word processor (HWP) files - a popular South Korean document editor - that contain malicious postscript code to download either 32-bit or 64-bit malicious payloads.
In this case, the malicious code downloads the Manuscrypt backdoor that Lazarus has previously used to target diplomatic targets along with virtual currency and electronic payment site users in South Korea. It has also been previously deployed against financial targets as well.
Among the three malicious documents analyzed by AlienVault, one file translated to “Results of the international financial system working group meeting.” It appeared to be targeting members of a recent G20 Financial meeting “seeking coordination of the economic policies between the wealthiest countries,” researchers said.
Another document was related to the recent cryptocurrency heist that saw hackers steal $30 million from South Korean cryptocurrency exchange Bithumb.
“Reports within South Korea have suggested the the thefts from Bithumb started with malicious HWP files earlier in May and June. They also mentioned they are linked to previous attacks by Lazarus, and involved faked resumes,” researchers noted. They added that South Korean security firm Hauri also uncovered similar-looking malware samples that were sent to cryptocurrency companies.
“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,” AlienVault said.
This isn’t the first time cybercriminals, specifically Lazarus, have used malicious HWP documents to target South Korean users in both phishing and malware attacks.
“If the attackers behind the Bithumb heist are indeed Lazarus - they were likely aided by knowledge from a previous hack. They were linked to a theft of $7 million from Bithumb, and other cryptocurrency exchanges, back in 2017,” researchers said. “These attacks are part of a a large number of attacks against banks, including the attempted theft of $1 billion dollars from the Bank of Bangladesh, attacks against ATM networks.”
The group has also been previously tied to the WannaCry ransomware attacks and the 2014 Sony Pictures hack.
“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available - the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organisations have the double impact of weakening their closest competitor.”