Lazarus Targets South Korea with Malicious Docs

Similarities among malicious documents used in attacks on South Korea suggest there could be a link between attacks on cryptocurrency and banks in South Korea. AlienVault has discovered cyber-attacks on South Korea by the North Korea-linked Lazarus Group. The attack methods are similar in nature to recent attacks on banks and Bitcoin exchanges. By leveraging the Manuscrypt malware, Lazarus reportedly “communicates by impersonating South Korean forum software.”

The three samples analyzed by the AlienVault labs team appeared to be Hangul Word Processor (HPW) files, which is a South Korean document editor. The samples contained “malicious postscript code to download either a 32- or 64-bit version of the next stage.” According to Hybrid Analysis, the malicious document that mentions the G20 International Financial Architecture Working Group Meeting had – among other indicators – the ability to query CPU information and to register a top-level exception handler. Another document identified as malicious was a decoy resume.

Interestingly, the documents used in the recent hack of the South Korean cryptocurrency exchange also contained malicious HWP files and involved fake resumes. Bithumb is a major South Korean Bitcoin exchange that was hacked, with $30M in coins stolen.