Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies

December 15, 2017 - Atlanta, GA

In November 2017, Secureworks Counter Threat Unit™ (CTU) researchers discovered the North Korean cyber threat group, known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks, had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company.  CTU researchers assess this as the continuation of activity first observed in 2016, and it is likely that the campaign is ongoing. This latest round of phishing appears to have been delivered around 25 October 2017.

Additionally, the CTU researchers have uncovered evidence of North Korea’s interest in bitcoin since at least since 2013, when multiple usernames originating from a North Korean IP address were taking part in bitcoin research. At that time, the North Koreans were using proxies to mask their originating IP address, but occasionally, those proxies failed, and revealed North Korean actors’ true originating IP, which was the same North Korean IP used in previous cyber operations.

Given the current rise in bitcoin prices, CTU suspects that the North Korea’s interest in cryptocurrency remains high and is likely continuing its activities surrounding the cryptocurrency. A number of recent intrusion activities against several bitcoin exchanges in South Korea have been tentatively attributed to North Korea. CTU researchers assess that the North Korean threat against cryptocurrency will remain elevated in the foreseeable future.

The Elements of the NICKEL ACADEMY (Lazarus) Spearphishing Campaign

Upon opening the word attachment in the phishing email, the victim is presented with a pop-up message encouraging the user to accept the ‘Enable Editing’ and ‘Enable Content’ functions. (Figure 1)  The email contains a Microsoft Word document with an embedded malicious macro that, when enabled, creates a separate decoy document (the CFO Job Lure), that is shown to the recipient (Figure 2).   It then installs a first-stage Remote Access Trojan (RAT) in the background that the malicious document is configured to deliver. Once the RAT is installed on the victim’s computer, the threat actors can download additional malware at any time.

Figure 1:  The pop-up message, which immediately appears on a targets’ computer screen once the spearphishing email is clicked on.  

Figure 2: The CFO job lure presented to victims upon enabling content (macros) within the word document.

The job description for a CFO at a European-based Bitcoin company used in the lure document is similar to the LinkedIn profile of a Chief Financial Officer of an actual cryptocurrency company in the Far East. Despite using an actual company name in the lure, CTU researchers have no evidence to conclude that any identified company in the lure is the subject of a targeted operation.

It is likely that the threat actors conducted reconnaissance and simply copied and pasted from open source to craft their lure. CTU researchers have observed NICKEL ACADEMY (Lazarus) copying and pasting job descriptions from online recruitment sites in previous campaigns.  In previous rounds of phishing, the job postings in the lure documents contained the same typos as the source that they had been taken from.  In this campaign, minor edits appear to have been made to the text to improve readability.

Campaign Indicators Pointing to NICKEL ACADEMY (Lazarus) Group

There are several indicators, which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign.  The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign, with former campaigns of the NICKEL ACADEMY (Lazarus) threat group.  CTU researchers also identified components in the custom C2 protocol being used (the way in which the malware talks to the Command and Control Servers)   which they have seen utilized by Nickel Academy (Lazarus) previously.  These give solid technical linkages to previous Nickel Academy (Lazarus) malware and operations.

How Employees of Cryptocurrency Companies Can Protect Themselves

  • Cryptocurrency companies should implement social engineering training for employees on a continuous basis, teaching them about the latest cyber threats and reminding them not to open attachments or links from unknown sources ,and even if they do know the sender verify with the sender before opening.
  • Organizations should consider implementing an Advanced Malware Protection and Detection solution which can sandbox email attachments and webs links, determining if they are malicious, before they are passed on to employees.
  • Disable macro in word documents coming from external sources to your organization.
  • Implement two- factor authentication around all your key systems.  


See for yourself: Request your demo to see how Taegis can reduce risk, optimize existing security investments, and fill talent gaps.