Finance

North Korean hackers are targeting cryptocurrency workers with a fake job advert

North Korea's leader Kim Jong Un is seen as the newly developed intercontinental ballistic rocket Hwasong-15's test was successfully launched, in this undated photo released by North Korea's Korean Central News Agency (KCNA) in Pyongyang November 30, 2017.North Korea’s leader Kim Jong Un is seen as the newly developed intercontinental ballistic rocket Hwasong-15’s test was successfully launched, in this undated photo released by North Korea’s Korean Central News Agency (KCNA) in Pyongyang November 30, 2017.REUTERS/KCNA

  • Cybersecurity firm Secureworks discovers malware in fake bitcoin job advert email.
  • Coding suggests that North Korea’s Lazarus Group is behind the attack.
  • Unclear what the aim of the attack is or how many people have been targeted.


LONDON — North Korean hackers are targeting people in the cryptocurrency industry using phishing emails.

Cybersecurity company Secureworks discovered a fake job advert email supposedly from a “prominent bitcoin company” headquartered in the UK that installs malware on people’s computers when opened. It’s not clear whether the hack is intended to steal information or any bitcoin owned by people who open the email.

Rafe Pilling, a senior security researcher at Secureworks, told Business Insider the coding of the attack bore hallmarks of the Lazarus Group, an infamous group of North Korean hackers linked to the WannaCry ransomware campaign and the theft of $81 million from Bangladesh’s central bank.

The attack involves an email sent to people supposedly advertising a job as the chief financial officer of a fast-growing UK-headquartered cryptocurrency startup. Secureworks is not naming the startup in question.

When people open the email, they are presented with a pop-up about an attached word document. After clicking on the document, recipients are presented with a word document of the fake job ad. But in the background, a “Remote Access Trojan” malware is installed. image001 (3)The pop-up that appears when people open the phishing email.Secureworks

“The malware that’s downloaded is the first stage RAT that gives them basic systems survey capability and the ability to download further malware if they find they’ve landed an interesting target,” Pilling told BI.

‘We’re not talking about five people in a room’

Pilling, who is part of Secureworks’ Counter Threat Unit, said the attack was likely state-sponsored.

“North Korea is perhaps unique in that there’s such tight control over all forms of communication,” he said. “We don’t believe there’s anything that state organised cyber activity that comes out of that country. We would see it as having some degree of state direction or state approval.”

He added: “There’s a significant capability behind this threat actor — we’re not talking about five people in a room.”

The Lazarus Group has used similar attacks to target staff in the defence industry in a bid to gain knowledge about missiles. The move toward bitcoin is relatively new, Pilling said.

“For us, the interesting thing is the shift to bitcoin. The interest in cryptocurrency aligns with anecdotal evidence we’ve seen from others sources and our own research.”image002 (1)The text of the fake job advert.Secureworks

North Korean hackers stole about 100 million Korean won, or $88,000, worth of bitcoin from South Korean exchanges every month from 2013 to 2015, according to Yonhap News Agency. Security researchers FireEye said earlier this year that North Korean hackers have shown increasing interest in bitcoin over the last two years.

Pilling said: “There’s definitely a pattern over the past two years of an interest in stealing money from banks, potentially collecting bitcoins through extortion using ransomware, and then potentially stealing it from bitcoin exchanges. There’s really nothing off the table when it comes to these threat actors.”

Secureworks discovered the phishing attack on a database of malware attacks that it monitors. As a result, it is not sure how many people have been targeted, how successful it has been, or if it has been used at all.

But Pilling said: “I would suspect that this lure would have been used in one mail shot and they’ll probably move on to something else, although they’ll use the same macro [the malicious code].

“The group, in general, is very active and continuously active. We only see glimpses of the overall operation and this is just one fragment of multiple different things that are coming out of cyber operations we associate with North Korea.”

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Popular

To Top