
Lazarus Targets South Korea with Malicious Docs

Posted on June 25, 2018 by l33tdawg

Similarities among malicious documents used in attacks on South Korea suggest there could be a link between attacks on cryptocurrency and banks in South Korea. AlienVault has discovered cyber-attacks on South Korea by the North Korea-linked Lazarus Group. The attack methods are similar in nature to recent attacks on banks and Bitcoin exchanges. By leveraging the Manuscrypt malware, Lazarus reportedly “communicates by impersonating South Korean forum software.”

The three samples analyzed by the AlienVault Labs team appeared to be Hangul Word Processor (HWP) files, the format of a South Korean document editor. The samples contained “malicious postscript code to download either a 32- or 64-bit version of the next stage.” According to Hybrid Analysis, the malicious document that mentions the G20 International Financial Architecture Working Group Meeting had, among other indicators, the ability to query CPU information and to register a top-level exception handler. Another document identified as malicious was a decoy resume.
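A triage check for the document type described above, added here as an example and not part of the original article or of AlienVault's analysis. It assumes a BinData stream has already been extracted from an HWP container (HWP 5 stores embedded objects such as EPS figures as raw-deflate streams under the BinData storage, which an OLE parser can enumerate), inflates it, and flags PostScript that carries the features a staged downloader needs: a large hex literal, an unusually large string buffer, and execution operators. The stream names, thresholds and sample streams are constructed for the example; the sample hex payload is filler, not real malware.

```python
import re
import zlib

# Thresholds are assumptions chosen for this example; tune them to your corpus.
LARGE_HEX_STRING = 256   # bytes of hex literal, far larger than a typical figure needs
LARGE_BUFFER = 4096      # "/name N string def" with N this large is unusual in a drawing

PS_HEADER = re.compile(rb"^%!PS", re.M)
HEX_STRING = re.compile(rb"<([0-9a-fA-F\s]+)>")
BIG_BUFFER = re.compile(rb"/\w+\s+(\d+)\s+string\s+def")
EXEC_OPS = re.compile(rb"\b(exec|eexec|run)\b")


def inflate_bindata(blob: bytes) -> bytes:
    """HWP 5 BinData streams are raw-deflate compressed (no zlib header).
    Fall back to the raw bytes if the stream turns out to be stored uncompressed."""
    try:
        return zlib.decompress(blob, -15)
    except zlib.error:
        return blob


def find_postscript_indicators(text: bytes) -> list[str]:
    """Return the heuristic indicators found in one inflated stream."""
    hits = []
    if PS_HEADER.search(text):
        hits.append("postscript-header")
    for m in HEX_STRING.finditer(text):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) // 2 >= LARGE_HEX_STRING:
            hits.append(f"large-hex-string:{len(digits) // 2}")
            break
    for m in BIG_BUFFER.finditer(text):
        if int(m.group(1)) >= LARGE_BUFFER:
            hits.append(f"large-buffer:{m.group(1).decode()}")
            break
    ops = sorted({m.group(1).decode() for m in EXEC_OPS.finditer(text)})
    if ops:
        hits.append("exec-operators:" + ",".join(ops))
    return hits


def triage_stream(name: str, blob: bytes) -> dict:
    """Inflate one BinData stream and decide whether it deserves analyst attention.
    A stream is only suspicious if it is PostScript AND shows at least one more indicator;
    an image that merely contains "<...>" is not a finding."""
    hits = find_postscript_indicators(inflate_bindata(blob))
    suspicious = "postscript-header" in hits and len(hits) >= 2
    return {"stream": name, "indicators": hits, "suspicious": suspicious}


def _deflate(data: bytes) -> bytes:
    """Compress the way HWP stores BinData, so the samples exercise inflate_bindata()."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# Constructed samples (not real malware): a harmless EPS line drawing, and a stream
# shaped like a staged downloader (big buffer, long hex literal handed to exec).
BENIGN_EPS = _deflate(
    b"%!PS-Adobe-3.0 EPSF-3.0\n0 0 moveto 100 100 lineto stroke\nshowpage\n"
)
SUSPECT_EPS = _deflate(
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/buf 65536 string def\n"
    b"<" + b"41" * 600 + b"> exec\n"
)

if __name__ == "__main__":
    for name, blob in (("BinData/BIN0001.eps", BENIGN_EPS), ("BinData/BIN0002.eps", SUSPECT_EPS)):
        print(triage_stream(name, blob))
```

The decision rule is deliberately conservative: a PostScript header alone is normal for any EPS figure, so only the combination with a payload-sized literal, an oversized buffer or an execution operator raises the stream for manual review.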

Interestingly, the documents used in the recent hack of the South Korean cryptocurrency exchange Bithumb also included malicious HWP files and fake resumes. Bithumb is a major South Korean Bitcoin exchange; the hack saw $30M in coins stolen.

Tags: Industry News
