{"id":84373,"date":"2018-02-12T07:30:32","date_gmt":"2018-02-12T15:30:32","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=84373"},"modified":"2025-06-02T18:43:12","modified_gmt":"2025-06-03T01:43:12","slug":"lazarus-resurfaces-targets-global-banks-bitcoin-users","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/","title":{"rendered":"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users"},"content":{"rendered":"

This blog was written with support and contributions provided by Asheer Maholtra, Jessica Saavedra Morales, and Thomas Roccia.<\/em><\/p>\n

McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.<\/p>\n

This new campaign, dubbed HaoBao, resumes Lazarus\u2019 previous phishing emails, posed as employee recruitment, but now targets Bitcoin users and global financial organizations. When victims open malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering.<\/p>\n

HaoBao targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.<\/p>\n

Background<\/strong><\/h2>\n

Beginning in 2017, the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents. The campaign lasted from April to October and used job descriptions relevant to target organizations, in both English and Korean language. The objective was to gain access to the target\u2019s environment and obtain key military program insight or steal money. The 2017 campaign targets ranged from defense contractors to financial institutions, including crypto currency exchanges, however; much of this fake job recruitment activity ceased months later, with the last activity observed October 22, 2017.<\/p>\n

Analysis<\/strong><\/h2>\n

On January 15th<\/sup> , McAfee ATR discovered a malicious document masquerading as a job recruitment for a Business Development Executive located in Hong Kong for a large multi-national bank. The document was distributed via a Dropbox account at the following URL:<\/p>\n

hxxps:\/\/www.dropbox.com\/s\/qje0yrz03au66d0\/JobDescription.doc?dl=1<\/p>\n

This is the mark of a new campaign, though it utilizes techniques, tactics and procedures observed in 2017. This document had the last author \u2018Windows User\u2019 and was created January 16, 2018 with Korean language resources. Several additional malicious documents with the same author appeared between January 16 though January 24, 2018.<\/p>\n

\"\"
Document summary from Virus Total<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Malicious job recruitment documents<\/figcaption><\/figure>\n


\n<\/em>Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim\u2019s system via a Visual Basic macro.<\/p>\n

\"\"
Malicious Microsoft Word document<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Implants dropped in campaign<\/figcaption><\/figure>\n

The document (7e70793c1ca82006775a0cac2bd75cc9ada37d7c) created January 24, 2018 drops and executes an implant compiled January 22, 2018 with the name lsm.exe (535f212b320df049ae8b8ebe0a4f93e3bd25ed79). The implant lsm.exe contacted 210.122.7.129 which also resolves to worker.co.kr.Implants dropped in campaign<\/em><\/p>\n

The other malicious document ( a79488b114f57bd3d8a7fa29e7647e2281ce21f6) created January 19, 2018 drops the implant (afb2595ce1ecf0fdb9631752e32f0e32be3d51bb); which is 99% similar-to the lsm.exe implant.<\/p>\n

This document was distributed from the following Dropbox URLs:<\/p>\n

    \n
  • hxxps:\/\/dl.dropboxusercontent.com\/content_link\/AKqqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos\/file?dl=1<\/li>\n
  • hxxps:\/\/www.dropbox.com\/s\/q7w33sbdil0i1w5\/job description.doc?dl=1<\/li>\n<\/ul>\n
    \"\"
    HTTP response for job description document<\/figcaption><\/figure>\n

    This implant (csrss.exe) compiled January 15, 2018 contacts an IP address 70.42.52.80 which resolves to deltaemis.com. We identified that this domain was used to host a malicious document from a previous 2017 campaign targeting the Sikorsky program.<\/p>\n

      \n
    • hxxp:\/\/deltaemis.com\/CRCForm\/3E_Company\/Sikorsky\/E4174\/JobDescription.doc<\/li>\n<\/ul>\n

      A third malicious document (dc06b737ce6ada23b4d179d81dc7d910a7dbfdde) created January 19, 2018 drops e8faa68daf62fbe2e10b3bac775cce5a3bb2999e which is compiled January 15, 2018. This implant communicates to a South Korean IP address 221.164.168.185 which resolves to palgong-cc.co.kr.<\/p>\n

      McAfee ATR analysis finds the dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word \u201chaobao\u201d that is used as a switch when executing from the Visual Basic macro.<\/p>\n

      Malicious Document Analysis<\/strong><\/h2>\n

      The malicious document contains two payloads as encrypted string arrays embedded in Visual Basic macro code. The payloads are present as encrypted string arrays that are decrypted in memory, written to disk and launched in sequence (second stage malicious binary launched first and then the decoy document).<\/p>\n

      The VBA Macro code is self-executing and configured to execute when the OLE document (MS Word doc) is opened (via \u201cSub AutoOpen()\u201d). The AutoOpen() function in the VBA Macro performs the following tasks in the sequence listed:<\/p>\n

        \n
      • Decodes the target file path of the second stage binary payload. This file path is calculated based on the current user\u2019s Temp folder location:<\/li>\n<\/ul>\n

        <temp_dir_path>\\.\\lsm.exe<\/p>\n

        \"\"
        VB code to decrypt second stage filepath<\/figcaption><\/figure>\n
          \n
        • Decodes the second stage binary in memory and writes it to the %temp%\\.\\lsm.exe file location<\/li>\n<\/ul>\n
          \"\"
          second stage binary (MZ) as an encrypted String Array in the VBA Macro<\/figcaption><\/figure>\n
          \"\"
          second stage binary (MZ) decoded in memory by the VBA Macro<\/figcaption><\/figure>\n
            \n
          • After writing the second stage payload to disk the VBA code performs two important actions.\n
              \n
            • Runs the second stage payload using cmd.exe. This is done so that the cmd.exe process exists as soon as the payload is launched. This way a process enumeration tool cannot find the parent process => Smaller footprint.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

              cmdline for executing the second stage binary:<\/p>\n

              cmd.exe \/c start \/b <temp_dir_path>\\.\\lsm.exe \/haobao<\/p>\n

                \n
              • Adds persistence on the system by creating a shortcut in the user\u2019s Startup folder with the correct cmdline arguments:<\/li>\n<\/ul>\n

                Link file command line: <temp_dir_path>\\.\\lsm.exe \/haobao<\/p>\n

                Link File Name: GoogleUpdate.lnk<\/p>\n

                \"\"
                Trigger code for executing the second stage binary and establishing persistence<\/figcaption><\/figure>\n

                 <\/p>\n

                \"\"
                LNK file configuration for establishing persistence<\/figcaption><\/figure>\n
                  \n
                • Once the second stage payload has been launched, the VBA Macro proceeds to display a decoy document to the end user. This decoy document is also stored in the VBA Macro as an encrypted string array (similar to the second stage payload). The decoy document is again written to the user\u2019s temp directory to the following filename\/path:<\/li>\n<\/ul>\n

                  <temp_dir_path>\\.\\Job Description.doc<\/p>\n

                  \"\"
                  Decoy Document decoded in memory by the VBA Macro<\/figcaption><\/figure>\n
                    \n
                  • Once the decoy document has been written to disk, the VBA Macro sets its file attributes to System + Hidden<\/li>\n
                  • The decoy document is then opened by the malicious VBA Macro and the original malicious document\u2019s caption is copied over to the decoy document to trick the end user into mistaking the decoy document for the original (malicious) document.<\/li>\n
                  • This activity, combined with the fact that the VBA Macro then closes the current (malicious) document, indicates that the VBA Macro aims to trick an unsuspecting user into thinking that the decoy document currently open is the original (malicious) document opened by the user.<\/li>\n
                  • Since the decoy document is a benign file and does not contain any macros the victim does not suspect any malicious behavior.<\/li>\n<\/ul>\n

                    Implant Analysis<\/strong><\/h2>\n

                    As part of the implant initialization activities the implant does the following;<\/p>\n

                      \n
                    • Checks the string passed to it through command line\n
                        \n
                      • \u201c\/haobao\u201d in case of 535f212b320df049ae8b8ebe0a4f93e3bd25ed79<\/li>\n
                      • \u201c\/pumpingcore\u201d in case of e8faa68daf62fbe2e10b3bac775cce5a3bb2999e<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

                        If the malware does not find this string in its cmdline arguments, it simply quits without going any further.<\/p>\n

                          \n
                        • Unwraps a DLL into memory and calls its one-and-only import using Reflective DLL injection. DLL information.<\/li>\n<\/ul>\n

                          During our research, we discovered additional variants of the DLL file.<\/p>\n

                          \"\"

                          DLL information<\/figcaption><\/figure>\n

                           <\/p>\n

                            \n
                          • As part of Reflective DLL loading the malware performs the following tasks on the DLL it has unwrapped in memory:\n
                              \n
                            • Copy the unwrapped DLL into new locations in its own memory space.<\/li>\n
                            • Build imports required by the DLL (based on the IAT of the DLL)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                              \"\"
                              Imports builder code in malware for the DLL imports<\/figcaption><\/figure>\n
                                \n
                              • Call the newly loaded DLL image\u2019s Entry Point (DllMain) with DLL_PROCESS_ATTACH to complete successful loading of the DLL in the malware process.<\/li>\n<\/ul>\n
                                \"\"
                                DLL Entry Point Call from malware to finish loading of the DLL in memory<\/figcaption><\/figure>\n
                                  \n
                                • Call the actual malicious export in the DLL named \u201cCoreDn\u201d<\/li>\n<\/ul>\n
                                  \"\"
                                  Hardcoded DLL export name \u201cCoreDn\u201d in malware<\/figcaption><\/figure>\n

                                  All the malicious activities described below are performed by the DLL unless specified otherwise.<\/p>\n

                                  Data Reconnaissance<\/strong><\/h2>\n

                                  The implant has the capability of gathering data from the victim\u2019s system. The following information will be gathered and sent to the command and control server.<\/p>\n

                                    \n
                                  • Computer name and currently logged on user\u2019s name, stored in the format<\/li>\n<\/ul>\n

                                    <ComputerName> \\ <Username><\/p>\n

                                    \"\"
                                    Malware obtaining the computer name and user name<\/figcaption><\/figure>\n
                                      \n
                                    • List of all processes currently running on the system arranged in format<\/li>\n<\/ul>\n

                                      <Process Name>\\r\\n<\/p>\n

                                      <Process Name>\\r\\n<\/p>\n

                                      <Process Name>\\r\\n<\/p>\n

                                      <Process Name>\\r\\n<\/p>\n

                                      \"\"
                                      Malware collecting process information from endpoint<\/figcaption><\/figure>\n
                                        \n
                                      • The presence of a specific registry key on the system<\/li>\n<\/ul>\n

                                        HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt<\/p>\n

                                          \n
                                        • The malware appends an indicator (flag) specifying whether the above registry key was found in the user\u2019s registry:<\/li>\n<\/ul>\n

                                          \"\"<\/p>\n

                                          This key is checked again as part of the command and control communication and is sent as a duplicate value to the command and control in the HTTP POST request as well (explained in the below).<\/p>\n

                                          \"\"
                                          Malware checking for the presence of the registry key<\/figcaption><\/figure>\n

                                          Exfiltration<\/strong><\/h2>\n

                                          Preparation<\/strong><\/h4>\n

                                          In preparation of the exfiltration of information collected from the endpoint, the malware performs the following activities:<\/p>\n

                                            \n
                                          • Encode the collected information using a simple byte based XOR operation using the byte key: 0x34.<\/li>\n
                                          • Base64 encode (standard) the XORed data.<\/li>\n
                                          • Again, check for the presence of the Registry Key: HKCU\\Software\\Bitcoin\\Bitcoin-Qt<\/li>\n<\/ul>\n

                                            \u00a0<\/strong><\/p>\n

                                            Command and Control Server Communication<\/strong><\/h4>\n

                                            Once the malware has performed all these activities it sends an HTTP POST request to the CnC server:<\/p>\n

                                              \n
                                            • www[dot]worker.co.kr for md5 BDAEDB14723C6C8A4688CC8FC1CFE668<\/li>\n
                                            • www[dot]palgong-cc.co.kr for md5 D4C93B85FFE88DDD552860B148831026<\/li>\n<\/ul>\n

                                               <\/p>\n

                                              In the format:<\/p>\n

                                              HTTP POST to www[dot]worker.co.kr<\/p>\n

                                              \/board2004\/Upload\/files\/main.asp?idx=%d&no=%s&mode=%s<\/p>\n

                                              OR<\/p>\n

                                               <\/p>\n

                                              HTTP POST to www[dot]palgong-cc.co.kr<\/p>\n

                                              \/html\/course\/course05.asp?idx=%d&no=%s&mode=%s<\/p>\n

                                              where<\/p>\n

                                              idx= 20 (14h) if the Registry key does not exist; 24 (18h) if the key exists.<\/p>\n

                                              no= XORed + base64 encoded \u201c<Computername> \\ <username>\u201d<\/p>\n

                                              mode= XORed + base64 encoded Process listing + Registry key flag<\/p>\n

                                              \"\"
                                              Command and control server domain<\/figcaption><\/figure>\n

                                              Persistence<\/strong><\/h4>\n

                                              The persistence mechanism of the malware is performed only for the downloaded implant. Persistence is established for the implant via the visual basic macro code initially executed upon document loading by the victim. This persistence is also performed ONLY if the malware successfully executes the downloaded implant. The malware first tries to update the HKEY_LOCAL_MACHINE registry key.<\/p>\n

                                              If the update is unsuccessful then it also tries to update the HKEY_CURRENT_USER registry key. Value written to registry to achieve persistence on the endpoint:<\/p>\n

                                              Registry Subkey = Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n

                                              Value Name = AdobeFlash<\/p>\n

                                              Value Content = “C:\\DOCUME~1\\<username>\\LOCALS~1\\Temp\\OneDrive.exe” kLZXlyJelgqUpKzP<\/p>\n

                                              \"\"
                                              Registry based persistence of the second stage payload<\/figcaption><\/figure>\n

                                              Connections to 2017 campaigns<\/strong><\/h3>\n

                                              The techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and crypto currency exchanges in 2017.<\/p>\n

                                              The same Windows User author appeared back in 2017 in two malicious documents \ube44\ud2b8\ucf54\uc778_\uc9c0\uac11\uc8fc\uc18c_\ubc0f_\uac70\ub798\ubc88\ud638.doc and \ube44\ud2b8\ucf54\uc778 \uac70\ub798\ub0b4\uc5ed.xls which were involved in crypto currency targeting. Furthermore, one of the implants communicates to an IP address that was involved in hosting malicious job description documents in 2017 involving the Sikorsky military program.<\/p>\n

                                              McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:<\/p>\n

                                                \n
                                              • Contacts an IP address \/ domain that was used to host a malicious document from a Lazarus previous campaign in 2017<\/li>\n
                                              • Same author appeared in these recent malicious documents that also appeared back in Lazarus 2017 campaigns<\/li>\n
                                              • Uses the same malicious document structure and similar job recruitment ads as what we observed in past Lazarus campaigns<\/li>\n
                                              • The techniques, tactics and procedures align with Lazarus group\u2019s interest in crypto currency theft<\/li>\n<\/ul>\n

                                                Conclusion<\/strong><\/h3>\n

                                                In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets crypto currency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans.<\/p>\n

                                                \u00a0<\/em>Indicators of Compromise<\/strong><\/h2>\n

                                                MITRE ATT&CK techniques<\/strong><\/h4>\n
                                                  \n
                                                • Data encoding<\/li>\n
                                                • Data encrypted<\/li>\n
                                                • Command-Line Interface<\/li>\n
                                                • Account discovery<\/li>\n
                                                • Process Discovery<\/li>\n
                                                • Query registry<\/li>\n
                                                • Hidden files and directories<\/li>\n
                                                • Custom cryptographic protocol<\/li>\n
                                                • Registry Run Keys \/ Start Folder<\/li>\n
                                                • Startup Items<\/li>\n
                                                • Commonly used port<\/li>\n
                                                • Exfiltration Over Command and Control Channel<\/li>\n<\/ul>\n

                                                  IPs<\/strong><\/h4>\n
                                                    \n
                                                  • 210.122.7.129<\/li>\n
                                                  • 70.42.52.80<\/li>\n
                                                  • 221.164.168.185<\/li>\n<\/ul>\n

                                                    URLs<\/strong><\/h4>\n
                                                      \n
                                                    • hxxps:\/\/dl.dropboxusercontent.com\/content_link\/AKqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos\/file?dl=1<\/li>\n
                                                    • hxxps:\/\/www.dropbox.com\/s\/q7w33sbdil0i1w5\/job description.doc?dl=1<\/li>\n<\/ul>\n

                                                      Hashes<\/strong><\/h4>\n
                                                        \n
                                                      • dc06b737ce6ada23b4d179d81dc7d910a7dbfdde<\/li>\n
                                                      • a79488b114f57bd3d8a7fa29e7647e2281ce21f6<\/li>\n
                                                      • 7e70793c1ca82006775a0cac2bd75cc9ada37d7c<\/li>\n
                                                      • 535f212b320df049ae8b8ebe0a4f93e3bd25ed79<\/li>\n
                                                      • 1dd8eba55b16b90f7e8055edca6f4957efb3e1cd<\/li>\n
                                                      • afb2595ce1ecf0fdb9631752e32f0e32be3d51bb<\/li>\n
                                                      • e8faa68daf62fbe2e10b3bac775cce5a3bb2999e<\/li>\n<\/ul>\n

                                                        McAfee Detection<\/strong><\/h4>\n
                                                          \n
                                                        • BackDoor-FDRO!<\/li>\n
                                                        • Trojan-FPCQ!<\/li>\n
                                                        • RDN\/Generic Downloader.x<\/li>\n
                                                        • RDN\/Generic Dropper<\/li>\n
                                                        • RDN\/Generic.dx<\/li>\n<\/ul>\n

                                                          \"\"<\/p>\n","protected":false},"excerpt":{"rendered":"

                                                          McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.<\/p>\n","protected":false},"author":911,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[5526,5219,4452,4749,5394],"coauthors":[2544],"class_list":["post-84373","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-advanced-threat-research","tag-bitcoin","tag-cybersecurity","tag-financial-services","tag-lazarus"],"acf":[],"yoast_head":"\nLazarus Resurfaces, Targets Global Banks and Bitcoin Users | McAfee Blog<\/title>\n<meta name=\"description\" content=\"McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-02-12T15:30:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T01:43:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/02\/Lazarus.png\" \/>\n\t<meta property=\"og:image:width\" content=\"387\" \/>\n\t<meta property=\"og:image:height\" content=\"316\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Ryan Sherstobitoff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@r_sherstobitoff\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ryan Sherstobitoff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/\"},\"author\":{\"name\":\"Ryan Sherstobitoff\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f80835dde8294e9c91e4cd0f998e035\"},\"headline\":\"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users\",\"datePublished\":\"2018-02-12T15:30:32+00:00\",\"dateModified\":\"2025-06-03T01:43:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/\"},\"wordCount\":2393,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png\",\"keywords\":[\"Advanced Threat Research\",\"Bitcoin\",\"cybersecurity\",\"financial services\",\"Lazarus\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/\",\"name\":\"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png\",\"datePublished\":\"2018-02-12T15:30:32+00:00\",\"dateModified\":\"2025-06-03T01:43:12+00:00\",\"description\":\"McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f80835dde8294e9c91e4cd0f998e035\",\"name\":\"Ryan Sherstobitoff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/b9bc99b6021883cbf5794b450795dc55\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/Ryan-150x150.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/Ryan-150x150.jpg\",\"caption\":\"Ryan Sherstobitoff\"},\"description\":\"Ryan Sherstobitoff is a Senior Analyst for Major Campaigns \u2013 Advanced Threat Research in McAfee. Ryan specializes in threat intelligence in the Asia Pacific Region where he conducts cutting edge research into new adversarial techniques and adapts those to better monitor the threat landscape. He formerly was the Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security & cloud computing expert throughout the country.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/ryan-sherstobitoff-a1334a5\/\",\"https:\/\/x.com\/r_sherstobitoff\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/ryan-sherstobitoff\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users | McAfee Blog","description":"McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users | McAfee Blog","og_description":"McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2018-02-12T15:30:32+00:00","article_modified_time":"2025-06-03T01:43:12+00:00","og_image":[{"width":387,"height":316,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/02\/Lazarus.png","type":"image\/png"}],"author":"Ryan Sherstobitoff","twitter_card":"summary_large_image","twitter_creator":"@r_sherstobitoff","twitter_site":"@McAfee","twitter_misc":{"Written by":"Ryan Sherstobitoff","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/"},"author":{"name":"Ryan Sherstobitoff","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f80835dde8294e9c91e4cd0f998e035"},"headline":"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users","datePublished":"2018-02-12T15:30:32+00:00","dateModified":"2025-06-03T01:43:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/"},"wordCount":2393,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png","keywords":["Advanced Threat Research","Bitcoin","cybersecurity","financial services","Lazarus"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/","name":"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png","datePublished":"2018-02-12T15:30:32+00:00","dateModified":"2025-06-03T01:43:12+00:00","description":"McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/02\/Lazarus.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lazarus-resurfaces-targets-global-banks-bitcoin-users\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Lazarus Resurfaces, Targets Global Banks and Bitcoin Users"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f80835dde8294e9c91e4cd0f998e035","name":"Ryan Sherstobitoff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/b9bc99b6021883cbf5794b450795dc55","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/Ryan-150x150.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/Ryan-150x150.jpg","caption":"Ryan Sherstobitoff"},"description":"Ryan Sherstobitoff is a Senior Analyst for Major Campaigns \u2013 Advanced Threat Research in McAfee. Ryan specializes in threat intelligence in the Asia Pacific Region where he conducts cutting edge research into new adversarial techniques and adapts those to better monitor the threat landscape. He formerly was the Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security & cloud computing expert throughout the country.","sameAs":["https:\/\/www.linkedin.com\/in\/ryan-sherstobitoff-a1334a5\/","https:\/\/x.com\/r_sherstobitoff"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/ryan-sherstobitoff\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/84373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/911"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=84373"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/84373\/revisions"}],"predecessor-version":[{"id":214915,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/84373\/revisions\/214915"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=84373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=84373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=84373"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=84373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}