In November 2017, Secureworks Counter Threat Unit (CTU) researchers discovered the North Korean cyber threat group, known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks, had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company.
CTU researchers assess this as the continuation of activity first observed in 2016, and it is likely that the campaign is ongoing. This latest round of phishing appears to have been delivered around 25 October 2017.
Additionally, the CTU researchers have uncovered evidence of North Korea’s interest in bitcoin since at least 2013, when multiple usernames originating from a North Korean IP address were taking part in bitcoin research. At that time, the North Koreans were using proxies to mask their originating IP address, but occasionally, those proxies failed, and revealed North Korean actors’ true originating IP, which was the same North Korean IP used in previous cyber operations.
Given the current rise in bitcoin prices, CTU suspects that the North Korea’s interest in cryptocurrency remains high and is likely continuing its activities surrounding the cryptocurrency. A number of recent intrusion activities against several bitcoin exchanges in South Korea have been tentatively attributed to North Korea. CTU researchers assess that the North Korean threat against cryptocurrency will remain elevated in the foreseeable future.
The Elements of the NICKEL ACADEMY (Lazarus) Spearphishing Campaign
Upon opening the word attachment in the phishing email, the victim is presented with a pop-up message encouraging the user to accept the ‘Enable Editing’ and ‘Enable Content’ functions. (Figure 1) The email contains a Microsoft Word document with an embedded malicious macro that, when enabled, creates a separate decoy document (the CFO Job Lure), that is shown to the recipient (Figure 2). It then installs a first-stage Remote Access Trojan (RAT) in the background that the malicious document is configured to deliver. Once the RAT is installed on the victim’s computer, the threat actors can download additional malware at any time.