Lazarus Group is likely behind a spear phishing campaign containing malicious code to download Manuscrypt malware.

Lazarus Group, a team of cybercriminals reportedly based in North Korea, is believed to be targeting its southern neighbor with malicious documents. The files, recently reviewed by South Korean researchers and experts at AlienVault, pack Manuscrypt malware as the final payload.

Researchers in South Korea first detected the documents. One is disguised as related to the G20 International Financial Architecture Working Group Meeting and appears to target attendees, who met to discuss economic policies among the world’s financial superpowers. Another is seemingly related to the $31.5 million theft from the Bithumb cryptocurrency exchange.

All documents were created in Hangul Word Processor (HWP), a South Korean document editor, and contain malicious code to download Manuscrypt malware. Manuscrypt communicates by mimicking South Korean forum software, AlienVault researchers report.

Manuscrypt is referred to as “Bankshot” by McAfee, which uses the term “Hidden Cobra” for the organization known as Lazarus Group. The malware is designed to remain on a target network for continued exploitation and has been seen in attacks on the Turkish financial sector, which was hit with malicious documents written in Korean in March. Threat actors could use the malware to gain full access and wipe content from a target system, McAfee explains.

This isn’t the first time researchers have linked Manuscrypt to Lazarus Group, which allegedly also used the malware in advanced persistent threat (APT) attacks targeting financial institutions and the SWIFT banking network. In the earlier campaign, Manuscrypt operated by searching the internal network for specific hosts related to SWIFT. The threat leveraged the NamedPipe file-sharing feature to search for data on the internal segregated network and send it to the command-and-control (C&C) server.

Link to Bithumb Cryptocurrency Theft

Researchers have suggested a connection between the most recent Lazarus Group activity and the theft of $31.5 million in digital currency from South Korean cryptocurrency exchange Bithumb. Reports within the country indicate the heist also began with HWP files this month and last month, and experts link the incident to earlier attacks by Lazarus Group.

South Korean news organization KBS reports an investigation into the Bithumb theft revealed malware samples that had been sent to other cryptocurrency organizations. AlienVault says “it seems likely” the malware used in this recent campaign is responsible for the Bithumb incident.

Earlier this year, researchers detected Lazarus Group sending malicious HWP documents to cryptocurrency users in South Korea. In these cases, multiple phishing domains were registered to the same phone number as a domain used to deliver the malware. It seems attackers could be phishing for credentials in addition to the malware, though experts say this activity is tricky.

“It is unusual to see Lazarus registering domains,” AlienVault researchers wrote in a blog post on the discovery. “Normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus.”

Putting the Pieces Together

If Lazarus Group is behind the Bithumb attack, it ties these actors to a series of thefts, including $7 million previously stolen from Bithumb in 2017, as well as other cryptocurrency exchanges that were hit in 2017. The group is also believed to be responsible for the attempted theft of $1 billion from the Bank of Bangladesh, attacks on ATM networks, and the WannaCry and Sony Pictures incidents.

Earlier this month, reports indicated Lazarus Group was behind a theft of $10 million from a Chilean bank; it allegedly destroyed thousands of machines to try to conceal its activity. AlienVault notes that specifically targeting South Korean organizations doubly benefits North Korean adversaries because it has the “double impact of weakening their closest competitor.”