North Korean hackers used GDPR-themed LinkedIn lure to pwn cryptocurrency sysadmin, says F-Secure • The Register


Infosec biz F-Secure has uncovered a North Korean phishing campaign that targeted a sysadmin with a fake LinkedIn job advert using a General Data Protection Regulation (GDPR) themed lure.

The sysadmin worked for a cryptocurrency business, said the threat intel firm, which made him a ripe target for the money-hungry state hackers Lazarus Group, aka APT38, said to be backed by North Korea.

"Our research, which included insights from our incident response, managed detection and response, and tactical defence units, found that this attack bears a number of similarities with known Lazarus Group activity, so we're confident they were behind the incident," said F-Secure's director of detection and response, Matt Lawrence.

North Korean attackers targeted "organisations in the cryptocurrency vertical" based in Britain, the US, the Netherlands, Germany, Singapore, Japan, and at least eight other countries, said F-Secure.

The initial lure was a malware-laden file sent as an attachment to a LinkedIn message, urging the sysadmin recipient to open it for details of an exciting new job. Once opened, the file displayed this:

[Image: The GDPR-themed lure deployed by North Korea's Lazarus Group]

"As can be seen in the [above] image, the malicious version of the document claimed to be protected by General Data Protection Regulation (GDPR) and that content needed to be enabled in Word to access the document. The enablement of content would then result in the malicious embedded macro code executing," said F-Secure.
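The practical question for anyone handling such an attachment is whether it carries a macro at all before anyone clicks "Enable Content". The following is an added example, not code from the original article or from F-Secure: it triages a Word OOXML package (.docx/.docm, which is a zip) for the indicators the quote describes, namely a VBA project part, a macro-enabled content type, and visible "enable content" decoy text. The sample package it builds is constructed for the demo and is not the real lure file; the phrase list and verdict strings are the example's own assumptions. It does not decode the VBA source itself, which lives in an OLE container inside the zip and needs a tool such as oletools' olevba.

```python
import io
import re
import zipfile

# Content types that mark a Word OOXML package as macro-enabled.
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"
# Phrases typical of an "enable content" decoy page (assumed list).
DECOY_PHRASES = ("enable content", "enable editing", "protected", "gdpr")


def triage_ooxml(data: bytes) -> dict:
    """Triage a Word OOXML package (raw bytes) for macro-lure indicators.

    Checks only the package structure and the visible text; it does not
    parse or decompress the VBA project, which is an OLE file in the zip.
    """
    result = {
        "has_vba_part": False,
        "macro_enabled_content_type": False,
        "decoy_phrases": [],
        "verdict": "clean",
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Word stores the VBA project as word/vbaProject.bin in .docm files.
        result["has_vba_part"] = any(
            n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_content_type"] = (
                MACRO_MAIN_PART in ct or VBA_PART_TYPE in ct)
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
            # Crude text extraction: strip tags, collapse whitespace.
            text = re.sub(r"<[^>]+>", " ", xml)
            text = re.sub(r"\s+", " ", text).lower()
            result["decoy_phrases"] = [p for p in DECOY_PHRASES if p in text]
    if result["has_vba_part"] or result["macro_enabled_content_type"]:
        result["verdict"] = "macro-bearing"
        if result["decoy_phrases"]:
            result["verdict"] = "macro-bearing with enable-content decoy"
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for the demo; not the real lure file.

    Only the parts the triage inspects are written, and the vbaProject.bin
    content is a placeholder rather than a real compiled VBA project.
    """
    main_type = MACRO_MAIN_PART if with_macro else PLAIN_MAIN_PART
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>'
           if with_macro else "")
        + "</Types>"
    )
    body = ("This document is protected by GDPR. Enable Content to view it."
            if with_macro else "Quarterly report.")
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p><w:r><w:t>{body}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_ooxml(build_sample(flag)))
```

Run against a real attachment by passing the file's bytes to `triage_ooxml`. A package with a VBA part but a plain `.docx` content type is still worth flagging: the extension and content type disagreeing is itself a sign someone has been editing the container by hand.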

Malicious files downloaded after the macro was run bore similarities to earlier APT38 tools uncovered by Russia's Kaspersky Lab in 2016.

"Lazarus Group invested significant effort to evade the target organisation's defences during the attack, such as by disabling anti-virus software on the compromised hosts, and removing evidence of their malicious implants. And while the report describes the attack as sophisticated, it points out Lazarus Group's efforts to hide their presence weren't enough to prevent F-Secure's investigation from recovering evidence of their activities," said F-Secure in a canned statement.

Lazarus Group is well known for targeting financial institutions in order to siphon money back to North Korea, whose economy has stagnated for decades under Western-led sanctions intended to persuade the Communist dictatorship not to develop nuclear weapons.

In 2014 the state-backed hackers targeted Sony Pictures, stealing sensitive internal files; in 2016 they stole $81m from a Bangladeshi bank; a year later it was revealed they were targeting everything from casinos to software devs working on financial software; and last year they went completely beyond the pale by deploying in-memory malware for macOS. The group is also thought to have been behind the WannaCry malware that briefly crippled Britain's National Health Service.

The crew is well known for using social engineering lures to deploy its malware, as well as for leaving such obvious clues to their identity that infosec researchers often wonder whether they are seeing a false flag attack. ®
