Posted on June 11, 2021 at 6:52 PM
Researchers have warned that the notorious distributed denial-of-service (DDoS) group known as the “Fancy Lazarus” is back, targeting several U.S. companies.
Researchers at Proofpoint also noted that the group is launching a series of attacks whose follow-through may be either dangerous or ineffective.
The new name is a combination of two notorious Advanced Persistent Threat (APT) groups: North Korea’s Lazarus Group and Russia-linked Fancy Bear.
The last time the gang was seen, it was in a major campaign in October where it reportedly claimed to be various APTs, including Lazarus Group, Fancy Bear, and Armada Collective.
The group is demanding ransom
Proofpoint stated that in the group’s latest appearance, it has been sending emails containing threats of attacks to organizations in various sectors, including retail, public utilities, manufacturing, insurance, financial services, and energy.
They are asking for a starting ransom of 2 Bitcoins from the targeted companies if they do not want to become victims of a devastating DDoS attack.
The hackers double the price to 4 BTC when the targets exceed the deadline. After that, the price keeps increasing by one BTC each day. Most of the targets are based in the U.S., according to the researchers.
The group does not entertain any negotiations as it threatens the targets with sample attacks to prove it means business.
Although it’s difficult to make any definitive connection, some of the high-profile ransomware attacks over the past few months correspond with Fancy Lazarus campaigns.
The group is notorious for targeting very critical industries, and such attacks have indeed been happening, with the Colonial Pipeline attack as a prime example.
Senior director of threat research and detection at Proofpoint, Sherrod DeGrippo, also noted the timing, saying the threat group could have a hand in the recent spate of attacks on American-based companies.
Attackers focused on large institutions
The Proofpoint researchers also noted that the threat actors are continuously targeting a particular set of companies in specific industries, with manufacturing, natural gas, and utility companies being the most targeted.
The researchers also noted that another trend noticed within the past few months is the attackers’ focus on sending the threats to large insurance providers and financial institutions.
The emails are delivered either as an embedded .JPG image, as HTML, or as plain text, but they are mostly .JPG images, which is likely a detection-evasion method, according to Proofpoint.
The researchers also noted that the emails are usually delivered to well-researched recipients, such as individuals listed as contacts in Whois records for company networks or in Border Gateway Protocol (BGP) registrations. The targeted individuals also work in areas such as investor relations, external relations, and communications.
Extortion emails are also delivered to email aliases that follow a first-name or last-name naming convention, and the sender uses fake names.
Proofpoint researchers say payment of the 2 BTC is the only option the threat actors gave to avoid becoming a victim. However, the actual cost will depend on the value of the cryptocurrency at the time.
The hackers ended their email by adding that the targeted companies are not given any chance to negotiate or to reply to the email.
Targets have been advised to report the case to authorities
The threat actor also claimed to be behind the massive DDoS attack that disrupted New Zealand’s stock exchange in August 2020. However, there is no way to find out whether they are indeed responsible.
During that attack, an FBI alert noted that the group responsible used operational methods similar to those of a particular group discovered back in 2017. But there is still no way to pin the attack on a named threat actor.
The researchers have advised those who receive any message claiming to be from “Fancy Lazarus” to report the issue to authorities and refuse to meet the ransom demands. Those who eventually pay the ransom have no guarantee that the threat actors won’t come back later with additional demands. Authorities have always advised users against paying the ransom because these are crooks and there is nothing trustworthy about them.