Lazarus Group from North Korea Attacks with Manuscrypt-Tainted Documents
The Lazarus Group, a threat group widely attributed to North Korea, has been found targeting neighbouring South Korea with malware-laced documents. The files, analysed by AlienVault researchers and by researchers in South Korea, carry the Manuscrypt malware as their final payload.
The files were first detected in South Korea. One of them purports to be a document from the G20 International Financial Architecture Working Group meeting and appears aimed at delegates who meet to discuss the economic policies and frameworks of the world's largest economies. Another file is themed around the USD 31.5m theft from the digital-currency exchange Bithumb.
According to AlienVault's analysis, the samples are HWP (Hangul Word Processor) documents, HWP being a word-processing format widely used in South Korea. The samples contain malicious PostScript code that drops either a 64-bit or a 32-bit build of the next-stage payload, depending on the victim system. A Hybrid Analysis report for the G20-themed file shows it querying CPU information and registering a top-level exception handler, both common anti-analysis and sandbox-evasion behaviours. A further malicious file was a decoy resume. Infosecurity-magazine.com reported this on June 25, 2018.
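To show what "malicious PostScript inside an HWP document that drops a 32- or 64-bit next stage" looks like from a triage point of view, here is an added example that is not code from AlienVault, Hybrid Analysis or this article. It assumes what the HWP 5.x format specifies, namely that the file is an OLE2 compound document whose BinData streams are raw-deflate (zlib, wbits=-15) compressed; walking the OLE container itself (for example with the olefile library) is left out, so the function is fed the raw bytes of one stream. The PostScript sample, the operator list, the 64-character hex-literal threshold and the helper names `inflate_bindata`, `pe_machine`, `scan_bindata_stream`, `fake_pe` and `deflate_raw` are all this example's own constructions, not indicators taken from the report. What it adds beyond the paragraph is the check for embedded PE images and their architecture, which is how one would confirm the "64-bit or 32-bit" dropper behaviour in a sample.

```python
"""Heuristic triage of PostScript embedded in HWP BinData streams.

Added example, not AlienVault's or the article's code. Assumption: HWP 5.x
stores embedded objects under the BinData storage of an OLE2 compound file,
each stream compressed with raw deflate (zlib, wbits=-15); walking the OLE
container (e.g. with olefile) is not shown. The operator list, threshold and
the sample document are this example's own assumptions.
"""
import re
import zlib

PS_HEADER = b"%!PS"
# Assumption: operators worth counting during triage; tune for your corpus.
SUSPICIOUS_OPS = (b"exec", b"cvx", b"string", b"putinterval",
                  b"readhexstring", b"file", b"run")
HEX_STRING = re.compile(rb"<([0-9A-Fa-f\s]{64,})>")   # long hex literal
MACHINE = {0x14C: "x86", 0x8664: "x64"}              # IMAGE_FILE_MACHINE_*


def inflate_bindata(raw):
    """Raw deflate first (HWP BinData), then zlib-wrapped, else as stored."""
    for wbits in (-15, 15):
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return raw


def pe_machine(blob):
    """Return the COFF Machine field of a PE image, or None if not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    off = int.from_bytes(blob[0x3C:0x40], "little")   # e_lfanew
    if blob[off:off + 4] != b"PE\x00\x00":
        return None
    return int.from_bytes(blob[off + 4:off + 6], "little")


def scan_bindata_stream(raw):
    """Inflate one BinData stream and report PostScript indicators."""
    data = inflate_bindata(raw)
    report = {"is_postscript": data.lstrip().startswith(PS_HEADER),
              "operators": {}, "embedded_pe": []}
    if not report["is_postscript"]:
        return report
    for op in SUSPICIOUS_OPS:   # count whole-word operator uses only
        n = len(re.findall(rb"(?<![A-Za-z])" + op + rb"(?![A-Za-z])", data))
        if n:
            report["operators"][op.decode()] = n
    for m in HEX_STRING.finditer(data):   # hex literals may hide a PE
        try:
            blob = bytes.fromhex(m.group(1).decode("ascii"))
        except ValueError:                # odd length: not a clean literal
            continue
        machine = pe_machine(blob)
        if machine is not None:
            report["embedded_pe"].append(MACHINE.get(machine, hex(machine)))
    report["drops_both_arch"] = {"x86", "x64"} <= set(report["embedded_pe"])
    return report


# ---- constructed sample (not real malware) --------------------------------
def fake_pe(machine):
    """Minimal MZ/PE header stub so pe_machine() has something to parse."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)              # up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")                 # e_lfanew = 0x40
    hdr += b"PE\x00\x00" + machine.to_bytes(2, "little") + b"\x00" * 18
    return bytes(hdr)


def deflate_raw(data):
    """Compress the way HWP BinData streams are stored (raw deflate)."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


SAMPLE_PS = (
    b"%!PS-Adobe-2.0\n"
    b"% Constructed decoy: picks a 64- or 32-bit blob and writes it out.\n"
    b"/p64 <" + fake_pe(0x8664).hex().encode() + b"> def\n"
    b"/p32 <" + fake_pe(0x14C).hex().encode() + b"> def\n"
    b"/buf 4096 string def\n"
    b"/is64 true def\n"
    b"/drop { (stage2.tmp) (w) file dup 3 -1 roll writestring closefile } def\n"
    b"is64 { p64 } { p32 } ifelse drop\n"
)
SAMPLE_STREAM = deflate_raw(SAMPLE_PS)        # what a BinData stream holds
BENIGN_STREAM = deflate_raw(b"not PostScript at all")

if __name__ == "__main__":
    print(scan_bindata_stream(SAMPLE_STREAM))
```

Run against a real document, each `BinData/*` stream from the OLE container is passed to `scan_bindata_stream`; a stream that both starts with a PostScript header and carries hex literals decoding to x86 and x64 PE images is exactly the "drops a 64-bit or 32-bit next stage" pattern described above and deserves a closer look, whereas a benign HWP with an embedded EPS figure will normally show the header but no PE images.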
The link between Manuscrypt and the Lazarus Group is well established. The group has also used the malware in APT-style intrusions against institutions connected to the SWIFT banking network and other financial organisations. In those intrusions Manuscrypt searched the internal network for the particular hosts that handled SWIFT transactions; to do so it used Windows named pipes to gather data from the segmented internal network and then sent that data to its command-and-control (C&C) server.
Noting that the attackers are not only delivering malware but also using phishing to harvest credentials, the researchers say that, if these attacks are indeed Lazarus's work, the group shows no sign of slowing down. Lazarus is said to be behind numerous attacks on banks from which it has taken considerable sums. The group usually compromises legitimate websites to stage its operations, so the current document-based campaign would be unusual if it really is the group's work.
» SPAMfighter News - 03-07-2018