Threat intelligence report: Lazarus group campaign targeting the cryptocurrency vertical


In 2019, F-Secure uncovered an ongoing global phishing campaign by cyber crime group Lazarus Group. This took place during the investigation of an attack on an organization in the cryptocurrency vertical. The data reveals technical details on the group's modus operandi and shows activity continuing into 2020.

According to a 2019 UN report, Lazarus Group has been targeting organizations in the cryptocurrency vertical since at least 2017. The group’s interests are reportedly aligned with those of the government of the Democratic People’s Republic of Korea (DPRK). 

While aspects of the Lazarus Group campaign have been touched on publicly, notably initial access, this investigation yielded fresh insight into post-exploitation activity. The implants used were previously observed in other campaigns, but the investigation exposed newer variants and wider tactics, techniques and procedures (TTPs) not yet reported in the public domain.


F-Secure assesses the attack on the target to be advanced in nature and was able to link this activity with a global phishing campaign running since at least January 2018. The attack was linked to this wider set of activity through several common indicators found in samples from the investigation, open source repositories, and proprietary intelligence sources. Where possible, evidence has been included in the body and appendices of the report to allow the security industry to leverage these details across their apertures, and draw their own conclusions. F-Secure believes this information will help targeted organizations protect their networks from future attacks and raise the cost of operation for the group.

Consistent with public reporting on the group’s activities, the main objective of the attack uncovered by F-Secure was financial gain. We expect the group will continue to target organizations within the cryptocurrency vertical but may also target their supply chain for financial gain.

Key findings: 

Lazarus Group’s activities are a continued threat: the phishing campaign associated with this attack has been observed continuing into 2020, raising the need for awareness and ongoing vigilance amongst organizations operating in the targeted verticals. 

Lazarus Group has demonstrated sophistication and operational security awareness in executing a prolonged and ostensibly successful cybercrime campaign. F-Secure also note that this campaign shares TTPs with other recently reported Lazarus Group campaigns. Therefore, organizations that have DPRK in their threat profile should review their detection capability against the techniques noted in this report and those in the MITRE ATT&CK framework attributed to the group.

Although the target organization had a leading endpoint detection and response (EDR) product and network security tooling installed, the attack in this investigation was successful. This report demonstrates the tactics and techniques used by Lazarus Group to avoid detection while infiltrating the target. The report also provides significant detection opportunities for blue teams seeking to improve their organization's detection capabilities against this group.

It is F-Secure's view that people play a crucial role in building an effective detection capability. This incident serves as an example of the need to invest in people as well as technology to keep your organization safe from even the most advanced attacks.

In the report:

  • Details of the initial access phase, the techniques the group used, and how they leveraged social engineering through a third-party service
  • The post-exploitation techniques and tactics the group used and how they evaded detection
  • Analysis of deleted samples captured by the targeted organization's EDR solution that were used to bypass complex controls and avoid detection
  • Re-use of TTPs by the group in campaigns against other verticals
  • Actionable detection data that blue teams could leverage for proactive means