Lazarus Hacking Group May Be Behind VHD Ransomware

The group has resurfaced once again with a malicious program designed to extort money from its victims

Computer security firm Kaspersky Lab today warned Windows, Linux, and macOS users that Lazarus, a notorious hacking group allegedly operating from North Korea, has debuted a multipurpose malware framework, called MATA, to target their machines.

Lazarus is believed to be responsible for major online attacks, including the $80 million Bangladesh cyber bank heist and 2014’s Sony Pictures hack.

The Most Diverse Audience to Date at FMLS 2020 – Where Finance Meets Innovation

The group has resurfaced once again with the so-called VHD ransomware – a malicious program designed to extort money from its victims, which stood out due to its self-replication method.

The malware campaign was uncovered by Kaspersky, which also noted that the new malware was used in two separate attacks this spring. The Russian company says the latest attacks are different from other Lazarus phishing operations, using novel code to infect machines.

Suggested articles

Gold Rush: Why the Yellow Metal is Trading at All-Time HighsGo to article >>

The newest Lazarus campaign was first spotted after it had successfully compromised some businesses in Europe, though it did not give many hints as to who was behind it. The researchers then discovered a second VHD ransomware campaign between March and May 2020, which provided a complete picture of the infection chain and enabled them to link the ransomware to Lazarus.

Hackers cash in on crypto euphoria

“Among other things –and most importantly – the attackers used a backdoor, which was a part of a multiplatform framework called MATA, which Kaspersky recently reported on in-depth and is linked to the aforementioned threat actor due to a number of code and utility similarities,” Kaspersky said.

Most alarmingly, though, is that the VHD ransomware, which encrypts the personal documents found on the victim’s computer, is self-spreading. This malware’s use of a spreading utility, compiled with victim-specific credentials, was reminiscent of APT campaigns. It then displays a message which offers to decrypt the data if payment in Bitcoin is made with the instructions are placed on the victim’s desktop in the HowToDecrypt.txt text file.

Kaspersky further explains: “While the actor behind the attacks was not determined, Kaspersky researchers have now linked the VHD ransomware to Lazarus with high confidence, following analysis of an incident where it was used in close conjunction with known Lazarus tools against businesses in France and Asia.”

The report goes on to say that cryptocurrency holders should be especially careful because it is almost impossible to recover any stolen money. Not helping matters were previously known holes in several Bitcoin exchanges, for which Kaspersky‎ had issued patches, which made the hackers’ jobs easier.

Got a news tip? Let Us Know