Lazarus APT hackers leverages HWP Documents in a recent string of attacks

Pierluigi Paganini June 26, 2018

Security researchers at AlienVault uncovered a series of cyber attacks on cryptocurrency exchanges leveraging weaponized Hangul Word Processor HWP documents (Hangul Word Processor documents).

The string of attacks involving the HWP documents has been attributed to the North Korea-linked Lazarus APT group, and includes the hack of the South Korean virtual currency exchange Bithumb. The hackers managed to steal roughly $32 million worth of cryptocurrencies, it was the second security breach suffered by the cryptocurrency exchange that caused the shutdown of the service. The first attack was also attributed to the Lazarus APT group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.  Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

Recently the group hit several banks in Latin America stealing tens of millions of dollars.

Earlier this month, experts at AlienVault reported that Lazarus APT has been leveraging an ActiveX zero-day vulnerability in attacks on South Korean targets.

A couple of days ago, experts at Alien Vault discovered a series of weaponized documents to target members of a recent G20 Financial Meeting.

“One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.” reads the analysis published by Alien Vault.

The HWP documents used in recent attacks include a malicious postscript code that downloads the second stage malware (either a 32 or 64 bit version of Manuscrypt).

lazarus hwp documents

Reports published by South Korean organizations suggest the cyberheist form Bithumb leverages malicious HWP files and started earlier in May and June. The documents involved fake resumes and are linked to previous attacks by Lazarus.

“A report by a South Korean news organisation into the investigation by a South Korean security company into the thefts shows some very familiar looking malware samples that were sent to cryptocurrency organisations” continues Alien Vault.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,” 

According to the experts, malicious HWP documents from Lazarus have been reportedly targeting crypto-currency users in South Korea in June.

The attackers are also launching phishing campaigns against the users of the exchange, the Lazarus APT registered a number of cryptocurrency phishing domains, this is an anomaly considering that hackers compromised legitimate sites in past attacks. The hackers used the same phone number as a domain (itaddnet[.]com).

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available – the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organisations have the double impact of weakening their closest competitor.”  concluded AlienVault

Further details, including IoCs are reported in the analysis published by AlienVault.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Lazarus APT, HWP Documents)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment