# Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies **[intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/](http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/)** March 28, 2018 ## Blog ### Cybersecurity DNA Introduction Cyber attacks from the Lazarus Group, a threat actor associated with North Korea, has not slowed down and their malware toolset continues to evolve. A few months ago, we published a general research of the Lazarus Group and the Blockbuster campaign including code reuse and similarities throughout their malware up until the latest news regarding targeting bitcoin and cryptocurrency exchanges. In recent attacks, the Lazarus Group has been spreading malicious documents with a RAT embedded inside that gets executed through a VBA macro. These malicious documents contained a job description for different positions in various industries. Through our research, we came across a new malicious document where we have found changes and a continuation to their campaign targeting potential cryptocurrency exchanges, FinTech, financial companies, and others who might be involved with cryptocurrencies. The malicious document came embedded with an upgraded and revamped version of a RAT they have added to their arsenal. ### Infection Vector The malicious document’s original creation name is “Investment Proposal.doc” and attempts to impersonate an employee of an Australia based law firm for commercial and financial services ----- cryptocurrencies and they have put together an investment proposal aimed at FinTech, financial, and other companies who might be interested in taking an investment. As can be seen in the photos of the document below, the document is of very low quality, meaning there are inconsistencies and typos everywhere in a document supposedly from a law firm. The first page contains a basic description of what the investment proposal involves. Take note ----- The second page is a general description of the company Holley Nethercote which is directly [taken from the first page of a PDF on the company’s website.](https://www.hnlaw.com.au/site/DefaultSite/filesystem/documents/2017/Combined NEW HN-Compact-Fact Sheet 2017-12-20.pdf) ----- The third page is a list of their employees and staff as can also be found on their [website. Remember Kate Harris, the director, from before? Shockingly enough, she does not](https://www.hnlaw.com.au/people) exist on this list. ----- The fourth page contains a chart of various cryptocurrencies and random values associated with them. The interesting point here is the date of a Bitcoin price that it mentions from February 9th, 2018 which helps us put on a timeline of when this malicious document was originally created. ----- The fifth page states how they would like to invest $50M in the company that received this document and contains some typos like “out” instead of “our” and other grammatical errors. ----- The sixth page is a very poorly written document supposedly signed by the CEO of Holley Nethercote involving the investment proposition. It also contains various typos and grammatical errors with the general flow not making sense. ----- The seventh and last page contains some fake contact information including a phone number from the UK that is from an online service that allows you to receive an SMS through the website. ### Technical Details Upon launching the document, an obfuscated VBA macro is executed to drop and execute an embedded remote access tool. ----- (embedded VBA macro) The embedded RAT is dropped to and executed from %USERPROFILE%\RuntimeBroker.exe. More evidence besides the date in the content of the document, pointing to this malware out in February is that we can also see the compilation timestamp is from February 14, 2018 and the upload date was on March 2, 2018. After uploading the RAT to Intezer Analyze™, we found 4% of the code to have been used in previous malware attributed to the Lazarus group, but 85% of the code base is completely unique. This says to us that they made some changes to their code. [(https://analyze.intezer.com/#/analyses/ffb3993e-d646-42ad-8449-104d751cc17b)](https://analyze.intezer.com/#/analyses/ffb3993e-d646-42ad-8449-104d751cc17b) The first code that gets executed within the RAT first decrypts a locally created, XOR encrypted buffer of names of modules and imports that it resolves via GetProcAddress. ----- Next, the RAT creates a shortcut of itself to %USERPROFILE%\Start _Menu\Programs\Startup\RuntimeBroker.lnk in order to maintain persistence and sets the_ attributes of itself using SetFileAttributesW to HIDDEN | SYSTEM | NORMAL. Inside of the function that is used for setting up the persistence, we can find a call to a function that is responsible for decrypting a buffer containing multiple wide strings used throughout the binary. ----- As can be seen in the function, it uses a very basic decryption routine to decrypt the locally stored buffer. The decrypted buffer is as follows: ----- The parameter to the function responsible for decrypting this buffer is an offset to grab a string from this decrypted buffer by multiplying it by two, since these are wide strings. Strangely enough, a lot of these strings are not used anywhere in the binary. By the strings, you can see there is an intention of including a simple anti-VM technique to detect VirtualBox. There is also one more function located within the binary, responsible for the same functionality with a different buffer containing different strings. Following all of this, the RAT then creates a backdoor which then waits to receive commands from the various C&C servers. ----- The C&C handler used to follow a pattern of command IDs but it appears to have changed to random command values and contains commands with new functionality. Their handler is able to handle 22 different commands and the descriptions of each can be found in the chart below. #### Command ID #### Functionality 0xF4004A Execute cmd.exe and output results to temp file or retrieve CD via _GetCurrentDirectoryW._ Cmd.exe /c “ > ” 2>&1 0x460017 Collect various information about the hard drive such as the space and volume information 0x7C00E6 Collect various information about the computer such as the computer name, username, host name, and more. 0x6400E5 Creates new process via CreateProcessW 0xBE007B Collect data about running processes by traversing the process list via _CreateToolhelpSnapshot32 related APIs_ 0x8500AF Terminates a process by name 0xC004B Gets specific file(s) data such as filenames, times, and attributes 0xD7007C Collects a file and sends it to the C&C 0x3300E2 Zips file(s) to temp and sends archive to C&C 0x9D00B0 Write a file received from the server 0x200DF Write a 5mb file with random bytes ----- 0x6C00AE Overwrites entire file(s) contents with 0xCC and then deletes the file 0xFD0013 Recursively traverse directory collecting file information 0x3C00AB Checks if socket write access is valid to a given address 0x4B00E3 Sets file(s) time via _SetFileTime_ 0xE50012 Configuration 0x5400AC Updates socket configuration 0x1B00E1 Renames file and sets attributes 0x750077 Elevate process privileges 0xCC0010 Inject code received by server into process 0x150014 Pong response to ping The binary uses wolfSSL to encrypt the network traffic containing two different certificates and one private key. The certificates are stored in a local buffer of a function located within the binary. -----BEGIN CERTIFICATE---- MIIDYjCCAkqgAwIBAgIIAT8TuSzaBG4wDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi GA8yMDE3MDkyNDA3MDMzOFoYDzIwMTkwMjA3MDcwMzM4WjBmMQswCQYDVQQGEwJV UzEZMBcGA1UECgwQR2xvYmFsU2lnbiBudi1zYTE8MDoGA1UEAwwzR2xvYmFsU2ln biBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBDQSAtIFNIQTI1NiAtIEcyMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ryTXUQ8bY1 n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQu2lSEAMv qPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkcrMft8nyV sJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfaQG/YIdxz G0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+jJtK3b7Fa F9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02eQIDAQAB oxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA261N1CtZuZ4Mf ----- Q qq qj q q j y q H1LVp6ToJ+lYA0QoCxkMqe6jCWE5K8QefM/kx8WhROJTdHHUKjFXFmon/fIJUAxo SesxW3+YPeY7zzBUIjh0lYMhiyvXMDIMLo9zewR2nfi3aAa+APwAulTjm46dbH4K cn7jc8IOt954R5jakc0AhtSZUHlPqKKHZy19iDfpcoFA7L/WuiNkfYPvN6eaxAvA b3dxfi8N -----END CERTIFICATE---- -----BEGIN CERTIFICATE---- MIIDgTCCAmmgAwIBAgIIAUyTG93zLTEwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi GA8yMDE3MDkyNDA3MDUyMVoYDzIwMTkwMjA3MDcwNTIxWjCBljELMAkGA1UEBhMC VVMxEDAOBgNVBAgMB05ld1lvcmsxEzARBgNVBAcMClJpdmVyIFZpZXcxIzAhBgNV BAoMGldpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMuMRgwFgYDVQQDDA8qLndpa2lw ZWRpYS5vcmcxITAfBgkqhkiG9w0BCQEWEmluZm9Ad2lraXBlZGlhLm9yZzCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2q KlIHR9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEe e5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0Ybf N1EbDKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaD uh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbb bfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEA ATANBgkqhkiG9w0BAQsFAAOCAQEAGjef4dfuIkF7MdfLs4x5KqzM4/5+h1lS+SWS ojTaAuH2++1pGgVV4vfGB9QVxoTDkcp5wWjw184x+P19Fjio+ucUUOmFmD7BERXX V4NZMv/TwucAbRIb6/FRv13Koigi05tIhXesownpbMZq7p6I9P9GAd/Uu7XCMTPO UHpuTtNoI+tjwwBhZK0XXp5ORdHKWbXfLXQgiCXLPJntKdrRnUzJpXvYQzTeZKxf ----- p g g p -----END CERTIFICATE---- -----BEGIN RSA PRIVATE KEY---- MIIEpAIBAAKCAQEAwwPRK/45pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvG w0Se1IFI/S1oootnu6F1yDYsStIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJ W+Q098WwFJP1Z3s6enjhAVZWkaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbf G36/TpfQEOioCDCBryALQxTFdGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnN rv94bHvAEgPUTnINUG07ozujmV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAY E7BjtXJOMMSXhIYtVi/XFfd/wK71/Fvl+6G60wIDAQABAoIBAQCi5thfEHFkCJ4u bdFtHoXSCrGMR84sUWqgEp5T3pFMHW3qWXvyd6rZxtmKq9jhFuRjJv+1bBNZuOOl yHIXLgyfb+VZP3ZvSbERwlouFikN3reO3EDVou7gHqH0vpfbhmOWFM2YCWAtMHac PM3miO5HknkLWgDiXl8RfH35CLcgBokqXf0AqyLh8LO8JKleJg4fAC3+IZpTW23T K6uUgmhDNtj2L8Yi/LVBXQ0zYOqkfX7oS1WRVtNcV48flBcvqt7pnqj0z4pMjqDk VnOyz0+GxWk88yQgi1yWDPprEjuaZ8HfxpaypdWSDZsJQmgkEEXUUOQXOUjQNYuU bRHej8pZAoGBAOokp/lpM+lx3FJ9iCEoL0neunIW6cxHeogNlFeEWBY6gbA/os+m bB6wBikAj+d3dqzbysfZXps/JpBSrvw4kAAUu7QPWJTnL2p+HE9BIdQxWR9OihqN p1dsItjl9H4yphDLZKVVA4emJwWMw9e2J7JNujDaR49U0z2LhI2UmFilAoGBANU4 G8OPxZMMRwtvNZLFsI1GyJIYj/WACvfvof6AubUqusoYsF2lB9CTjdicBBzUYo6m JoEB/86KKmM0NUCqbYDeiSNqV02ebq2TTlaQC22dc4sMric93k7wqsVseGdslFKc N2dsLe+7r9+mkDzER8+Nlp6YqbSfxaZQ3LPw+3QXAoGAXoMJYr26fKK/QnT1fBzS ackEDYV+Pj0kEsMYe/Mp818OdmxZdeRBhGmdMvPNIquwNbpKsjzl2Vi2Yk9d3uWe CspTsiz3nrNrClt5ZexukU6SIPb8/Bbt03YM4ux/smkTa3gOWkZktF63JaBadTpL 78c8Pvf9JrggxJkKmnO+wxkCgYEAukSTFKw0GTtfkWCs97TWgQU2UVM96GXcry7c YT7Jfbh/h/A7mwOCKTfOck4R1bHBDAegmZFKjX/sec/xObXphexi99p9vGRNIjwO ----- g j j Q Q Q y f1/qiqs/2Spe81HSwjA34y2jdQ0eTSE01VdwXIm/cuxKbmjVzRh0M06MOkWP5pZA 62P5GYY6Ud2JS7Dz+Z9dKJU4vjWrylznk1M0oUVdEzllQkahn831vw== -----END RSA PRIVATE KEY---- ### Conclusion As we can see, the Blockbuster campaign and the Lazarus group are still active and have shown a continued interest in cryptocurrencies and companies surrounding cryptocurrency. Numerous exchanges are believed to have been hacked by the Lazarus group and there has been a significant amount of money stolen by doing so. Since their efforts have been so successful, it does not look like they will slow down anytime soon with these types of targets. ### IoCs Malicious Document – 6b424d75445b3dabfb9b20895d0a1ce1430066ce7f3fcd87aa41fa32260ff92d [RAT – f8b329fc1f4d50f5509a72c1f630155538f4d2c6e49b80ce4841fada6547c4bd](https://analyze.intezer.com/#/analyses/ffb3993e-d646-42ad-8449-104d751cc17b) ### C&Cs 182.56.5.227 222.122.31.115 66.99.86.8 210.61.8.12 62.215.99.90 By Jay Rosenberg Jay Rosenberg is a self-taught reverse engineer from a very young age (12 years old), specializing in Reverse Engineering and Malware Analysis. Currently working as a Senior Security Researcher in Intezer. Share: ## Register to our free community [Try it now](https://analyze.intezer.com/) ----- -----