Recently, NSFOCUS Security Labs captured a series of phishing documents containing specific Korean bait information. Most of these documents contain keywords such as “BTC”, “ETH”, “NFT”, and “account information”, which trick victims into opening them and then use remote template injection to implant malicious programs, thereby stealing host information. Analysis shows that these phishing documents are linked to the APT group Lazarus and are part of a long-term phishing campaign targeting cryptocurrency users. Continued tracking also found that Lazarus reused the attack process in subsequent phishing activities, expanding the attack scope to targets such as the South Korean government and organizations.
In this attack, Lazarus built a type of decoy document containing an “AhnLab” icon and prompt information. The prompts in these documents vary, but the common goal is to trick victims into enabling Office’s document editing capabilities. AhnLab is a cyber security vendor headquartered in South Korea. Lazarus uses the name to make the decoy document more persuasive.
Another type of decoy document contains Binance icons and related tips. Binance is a cryptocurrency trading platform.
These phishing documents have different file names, clearly showing that the Lazarus group’s campaign lasted from the end of March to the beginning of April, and the main targets of the attack were cryptocurrency followers.
| File name | English translation |
|---|---|
| 확인자료 _20220329.docx | Confirm data_20220329 |
| 202203_BTC_ETH_추가계정정보 | 202203_BTC_ETH_Other account information |
| 202203_BTC_ETH_자동매매계정정보 | 202203_BTC_ETH_Auto Trading Account Information |
| NFT 분할.docx | NFT allocation |
| Binance_Guide (1).doc | Binance_Tutorial (1) |
All of the malicious documents in this series contain remote links that fetch the subsequent attack payloads from the domain name naveicoipc[.]tech and multiple subdomains under it.
The links Lazarus used this time share a similar format: the fixed domain name naveicoipc[.]tech, a subdomain composed of random characters, the root directory ACMS/, a secondary directory composed of random characters, a file name containing the string “Accounts” or “Template”, and an ID parameter composed of random characters. An example link is: http://naveicoipc[.]tech/ACMS/0Mogk1Cs/topAccounts?uid=3490blxl
As the event progressed, Lazarus began to adjust the decoy form, expanding the target of this attack to the South Korean government and organizations.
In the decoys delivered in the later stage, Lazarus started using the following file names:

| File name | English translation |
|---|---|
| 유사수신행위고소장.docx | Complaints of similar reception behaviors |
| 주주총회결과.docx | Shareholders’ meeting results |
| 긴급재난지원금신청서양식.docx | Emergency Disaster Benefit Application Form |
These file names still contain keywords commonly used by the Lazarus group, which are consistent with the group’s historical attack targets.
These adjusted malicious documents use the domain name naveicoipg[.]online and its subdomains as remote link addresses for downloading subsequent attack payloads.
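The link format and the two domains described above can be turned into a proxy-log check. The following is an added example, not NSFOCUS's code: the log layout, the sample lines, the subdomain labels and the function names are constructed, and applying the ACMS/ path layout to naveicoipg[.]online is an assumption, so hits on a campaign domain that do not fit the layout are reported separately as `domain-only`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Campaign domains named in the report (kept defanged here, refanged at runtime).
CAMPAIGN_DOMAINS = ("naveicoipc[.]tech", "naveicoipg[.]online")
# Reported layout: /ACMS/<random dir>/<file name containing Accounts or Template>
PATH_RE = re.compile(r"^/ACMS/[A-Za-z0-9]+/[^/]*(?:Accounts|Template)[^/]*$")

def refang(text: str) -> str:
    """Undo common defanging ("[.]", stray spaces, hxxp) so the URL parses."""
    return text.replace("[.]", ".").replace(" ", "").replace("hxxp", "http")

def classify(url: str):
    """Return 'full-pattern', 'domain-only', or None for a single URL."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url          # bare host names still need a scheme to parse
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domains = [refang(d) for d in CAMPAIGN_DOMAINS]
    # Exact match or true subdomain only; look-alike suffixes must not match.
    if not any(host == d or host.endswith("." + d) for d in domains):
        return None
    has_uid = "uid" in parse_qs(parts.query)
    if PATH_RE.match(parts.path) and has_uid:
        return "full-pattern"
    return "domain-only"

# Constructed proxy-log lines: "<timestamp> <client> <method> <url>".
# Line 1 carries the example link from the report; the rest are made up.
SAMPLE_LOG = """\
2022-03-30T02:11:04Z 10.0.0.12 GET http://naveicoipc[.]tech/ACMS/0Mogk1Cs/topAccounts?uid=3490blxl
2022-03-30T02:11:09Z 10.0.0.12 GET http://x7f3.naveicoipc[.]tech/ACMS/Ab12Cd34/docTemplate?uid=zz91
2022-04-02T08:40:51Z 10.0.0.31 GET http://q2.naveicoipg[.]online/index
2022-04-02T08:41:00Z 10.0.0.31 GET http://notnaveicoipc[.]tech/ACMS/0Mogk1Cs/topAccounts?uid=1
2022-04-02T08:41:07Z 10.0.0.31 GET https://example.com/ACMS/x/Accounts?uid=1
"""

def scan(log_text: str):
    """Return (line number, verdict) for every log line that hits the campaign."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line.split()[-1])   # URL is the last field
        if verdict:
            hits.append((n, verdict))
    return hits

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

A `full-pattern` hit from a host that recently opened an Office document is the stronger signal; `domain-only` hits are still worth reviewing because the domains themselves are campaign infrastructure.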
In this Lazarus-linked attack, attackers mass-produced and launched a large number of phishing lures to crucial targets in industries that Lazarus has been paying attention to for a long time. The attack this time seems to be in an exploratory stage because only a part of the domain names in the phishing emails was used in the attack.