Lazarus Group Targets Bitcoin Users and Financial Organizations

McAfee researchers discovered a new phishing campaign, dubbed HaoBao, targeting Bitcoin users and banks across the globe. North Korean threat actors known as the “Lazarus Group” are believed to be responsible for this campaign as well as various financially motivated cyber-attacks that have occurred over the last few years, including the May 2017 WannaCry ransomware attack that impacted hundreds of thousands of computers around the world. Recently, the group has capitalized on the increasing interest in, and surging prices of, cryptocurrencies. The HaoBao campaign uses spear-phishing emails that mimic correspondence from employee recruiters. If recipients open the attached Word document and select “enable content,” a cryptocurrency scanner is downloaded onto their system. The scanner then attempts to locate a Bitcoin wallet and, if it succeeds, a secondary payload is delivered to establish persistence and continue gathering data over an extended period of time.

The NJCCIC recommends reviewing McAfee’s article for additional information on Lazarus Group’s HaoBao campaign. We also recommend that cryptocurrency owners remain vigilant, maintain awareness of threats targeting cryptocurrency wallets and exchanges, and avoid using links provided in emails or through social media platforms to visit cryptocurrency wallet and exchange sites.