In November 2018, Secureworks Counter Threat Unit™ (CTU) researchers discovered that the North Korean cyber threat group known as Lazarus Group, and tracked internally by Secureworks as NICKEL ACADEMY, had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company. CTU researchers assess this as the continuation of activity first observed in 2016, and it is likely that the campaign is ongoing. This latest round of phishing appears to have been delivered around 25 October 2018.
Additionally, CTU researchers have uncovered evidence of North Korea's interest in bitcoin since at least 2013, when numerous usernames originating from a North Korean IP address were taking part in bitcoin research. At that time, the North Koreans were using proxies to mask their originating IP address, but at times those proxies failed and exposed the North Korean actors' true originating IP, which was the same North Korean IP used in previous cyber operations.
Given the current rise in bitcoin prices, CTU suspects that North Korea's interest in cryptocurrency remains high and that it is likely continuing its activities surrounding cryptocurrency. A number of recent intrusion activities against several bitcoin exchanges in South Korea have been tentatively attributed to North Korea. CTU researchers assess that the North Korean threat against cryptocurrency will remain elevated in the foreseeable future.
The Elements of the NICKEL ACADEMY (Lazarus) Spearphishing Campaign
Upon opening the Word attachment in the phishing email, the victim is presented with a pop-up message encouraging the user to accept the 'Enable Editing' and 'Enable Content' functions (Figure 1). The email contains a Microsoft Word document with an embedded malicious macro that, when enabled, creates a separate decoy document (the CFO job lure) that is shown to the recipient (Figure 2). It then installs, in the background, a first-stage Remote Access Trojan (RAT) that the malicious document is configured to produce. Once the RAT is installed on the victim's computer, the threat actors can download additional malware at any time.
Figure 1: The pop-up message, which immediately appears on a target's computer screen once the spearphishing email is clicked on.
Figure 2: The CFO job lure presented to victims upon enabling content (macros) within the Word document.
The job description for a CFO at a European-based bitcoin company used in the lure document is similar to the LinkedIn profile of a Chief Financial Officer of an actual cryptocurrency company in the Far East. Despite the use of an actual company name in the lure, CTU researchers have no evidence to conclude that any company identified in the lure is the subject of a targeted operation.
It is likely that the threat actors conducted reconnaissance and simply copied and pasted from open sources to craft their lure. CTU researchers have observed NICKEL ACADEMY (Lazarus) copying and pasting job descriptions from online recruitment sites in previous campaigns. In previous rounds of phishing, the job postings in the lure documents contained the same typos as the source they had been taken from. In this campaign, minor edits appear to have been made to the text to improve readability.
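The delivery chain described above (a macro-bearing Word attachment that drops a decoy document and a first-stage RAT) is the point where a mail gateway or an analyst can triage an attachment before a user ever sees the 'Enable Content' prompt. As an added example, not code from the original post or from Secureworks, the following Python script inspects an Office Open XML container for a VBA project part and for a macro-enabled content type, and flags a package whose file extension disagrees with what it carries. It generalizes past Word to the Excel and PowerPoint containers, which use the same part name under a different folder. The sample documents it builds are constructed in memory for the demonstration; the function names and the `verdict` labels are the example's own.

```python
import io
import zipfile

# An OOXML package stores VBA code in a part named vbaProject.bin; the folder
# differs by application (word/, xl/, ppt/), so the check matches on the suffix.
VBA_PART_SUFFIX = "vbaproject.bin"
CONTENT_TYPES_PART = "[Content_Types].xml"
# Macro-enabled main parts carry a content type containing "macroEnabled".
MACRO_ENABLED_MARKER = "macroEnabled"
WORD_MACRO_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
WORD_PLAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
# Extensions that should never carry a VBA project.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a real lure)."""
    main_type = WORD_MACRO_TYPE if with_macro else WORD_PLAIN_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES_PART, content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


def triage_office_document(filename: str, data: bytes) -> dict:
    """Return triage flags for an attachment: does it carry macros, and does it say so?"""
    result = {
        "is_ooxml": False,
        "has_vba_project": False,
        "declares_macro_enabled": False,
        "extension_mismatch": False,
        "verdict": "clean",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an OOXML container; legacy .doc (OLE2) files need a different parser.
        result["verdict"] = "not-ooxml"
        return result
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_vba_project"] = any(n.lower().endswith(VBA_PART_SUFFIX) for n in names)
        if CONTENT_TYPES_PART in names:
            content_types = zf.read(CONTENT_TYPES_PART).decode("utf-8", errors="replace")
            result["declares_macro_enabled"] = MACRO_ENABLED_MARKER in content_types
    extension = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # A macro-free extension on a package carrying VBA is inconsistent and worth a look.
    result["extension_mismatch"] = result["has_vba_project"] and extension in MACRO_FREE_EXTENSIONS
    if result["has_vba_project"] or result["declares_macro_enabled"]:
        result["verdict"] = "quarantine"
    return result


if __name__ == "__main__":
    for name, blob in [("cfo_offer.docm", build_sample_docx(True)),
                       ("cfo_offer.docx", build_sample_docx(False)),
                       ("cfo_offer.docx", build_sample_docx(True)),
                       ("notes.txt", b"plain text, not a document")]:
        print(name, triage_office_document(name, blob))
```

A gateway rule built on this would quarantine anything with `verdict == "quarantine"` for analyst review rather than relying on the user to decline the 'Enable Content' prompt; the `extension_mismatch` flag is a secondary signal that the package was hand-edited or renamed.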
Campaign Indicators Pointing to NICKEL ACADEMY (Lazarus) Group
There are several indicators that have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign. The researchers found common elements in the macro and in the first-stage RAT used in this campaign and in former campaigns of the NICKEL ACADEMY (Lazarus) threat group. CTU researchers also identified components in the custom C2 protocol being used (the way in which the malware talks to the command and control servers) that they have seen used by NICKEL ACADEMY (Lazarus) previously. These give solid technical linkages to previous NICKEL ACADEMY (Lazarus) malware and operations.