Research from AlienVault suggests that the Lazarus group, linked to North Korea, is behind several recent attacks on cryptocurrency exchanges.
Analysis of a series of documents carrying the Lazarus-linked malware Manuscrypt indicates that the group has been targeting members of a recent G20 Financial Meeting, and may have been behind the recent theft of approximately $30 million in cryptocurrencies from Bithumb.
State-sponsored hacking group Lazarus has a history of running large-scale ‘cyber heists’, and is believed to have been behind the $81 million cyber heist from the Bangladesh Bank in 2016.
Earlier this year, it was observed targeting an online casino in Central America, and in 2017 was linked to thefts from several cryptocurrency exchanges – including a theft of $7 million from Bithumb.
The three documents analysed by AlienVault are in the file format used by Hangul Word Processor (HWP), a South Korean word processor.
Two of the decoy documents purport to be related to the G20 International Financial Architecture Working Group Meeting, while the third is a fake resume.
The files contain malicious embedded PostScript code designed to download the Manuscrypt malware.
Reports from Korean researchers indicate that malicious HWP files, including faked CVs, were involved in the beginning of the Bithumb attack around May and June. These reports also implicate Lazarus in the attacks.
AlienVault also notes reports earlier this month of very similar malicious HWP documents being used by Lazarus to target South Korean cryptocurrency users.
“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,” said the AlienVault researchers.