![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2018/02/hacking.jpg)
![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2018/02/hacking.jpg)
The Lazarus Group, the hacking group linked to North Korea believed to have been involved in the spread of the WannaCry ransomware attack last year, is back with a new campaign targeting financial institutions and bitcoin users.
The new campaign, dubbed HaoBao Monday by security researchers at McAfee, sees a return to form for the group with a targeted phishing campaign that pretends to be from a Hong Kong-based recruitment firm.
Attached to the emails is a Dropbox link that contains a malicious file. When clicked upon, it installs malware that can scan a victim’s computer for cryptocurrency wallets and then establish a secondary implant for long-term data gathering.
Although the form of attack may seem nothing new, the researchers noted that the two-stage attack malware is something new.
“McAfee ATR analysis finds the dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017,” McAfee analyst Ryan Sherstobitoff said. “Furthermore, this campaign deploys a onetime data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word ‘haobao’ that is used as a switch when executing from the Visual Basic macro.”
For potential victims, the news is bad. Sherstobitoff told ZDNet that “low detection rates paired with low prevalence in the wild will make a targeted implant much more difficult to detect.” He added that he believed that the attacks against cryptocurrencies, in particular, would grow thanks to a lack of solid regulations and that sanctions against North Korea are harder to enforce with cryptocurrency than with hard currency.
The Lazarus Group has a long history of hacking high-profile targets. Along with being linked to the WannaCry ransomware last year, the group is also believed to have been involved with the hack of Sony Corp. in 2014 as well as attempts to hack South Korean cryptocurrency exchanges last year.
THANK YOU