Delaware, USA – February 15, 2018 – The infamous North Korean hacker group Lazarus performs a new APT campaign dubbed HaoBao. Analysts from McAfee ATR discovered a never-before-seen sample of malware, the analysis of which allowed them to link the attack with Lazarus group. The HaoBao campaign directed against large banks and cryptocurrency users. Attackers use spear phishing masking malicious emails as employee recruitment. It is noteworthy that emails contain URL to the Dropbox account where the malicious Word documents are stored. Documents run a Visual Basic macro that drops executable file on the compromised system. If the infection was successful, the macro provides persistence by modifying the Windows registry. The malware collects data, encrypts it and exfiltrates to the attacker’s C&C servers via HPPT POST requests. The first samples of malware are dated January 15, 2018. Attackers continue to modify malware to avoid detection by antivirus solutions.
Spear phishing remains the most effective method of delivering malware in APT campaigns. You can detect attempts to modify the registry to ensure persistence with your SIEM and Windows system service Sysmon. Sysmon Framework for ArcSight helps spot APT in the early stages of an attack and minimize its impact.