Lazarus is a cybercrime group made up of an unknown number of individuals. Not much is known about it, but researchers believe the group has carried out a large number of cyber attacks, including the WannaCry attack.
Representatives of Recorded Future, a system that automatically serves up relevant insights in real time and at unparalleled scale using its own patented technology, published a report on January 16 linking the Lazarus Group to attacks on users of the cryptocurrencies Bitcoin and Monero, mostly in South Korea.
The report states that Lazarus Group continued to attack South Korean cryptocurrency exchanges and users in late 2017, and that this campaign also targeted South Korean college students interested in foreign affairs who are part of a group called “Friends of Ministry of Foreign Affairs”.
Moreover, the report says the malware shared code with the Destover malware, which was used against Sony Pictures Entertainment in 2014 and against the first WannaCry victim in February 2017.
The report also states that the dropper used in the attack exploited the Ghostscript vulnerability CVE-2017-8291, and that the campaign relied on spear-phishing lures containing malware, which were sent to South Korean students and to users of exchanges like Coinlink. If the user opened the malware, it stole their email addresses and passwords.
This late-2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft.
Recorded Future report
In general, Lazarus Group and North Korean hackers are blamed for the $7 million theft from Bithumb in February 2017 and for the 17% of Youbit exchange assets stolen in cyber attacks that followed an earlier attack in April 2017.