Lazarus, the well-known hacking group responsible for the WannaCry ransomware attack from last year, as well as the attack on the Bangladesh Central Bank and Sony, is now targeting global financial firms and Bitcoin adopters with a phishing campaign dubbed “HaoBao.”

The phishing campaign was discovered by McAfee Labs in mid-January. The way it works is that Lazarus distributes a Dropbox link in an email that looks like a job advertisement for executive level bank jobs. When the user opens the link, malware is implanted into the user’s system.

Lazarus attackers pose as job recruiters that send targeted spear-phishing emails to bank employees and executives with the link to a job opportunity. When the user opens the link, they are then requested to enable Visual Basic macros, that then allow the attackers to implant the malware. When the malware is enabled, the attackers are able to scan the user’s data to determine whether there is any Bitcoin activity and allow the attacker access for long-term data gathering.

It is believed that the malware is specifically looking to assist with stealing Bitcoin and other cryptocurrencies, but the malware can also gather the details of the user’s computer, including username and the processes running on the computer which can be used in future attacks.

The lure of a job opportunity is powerful ammunition to dupe unsuspecting bank employees to disregard usual security processes. Alerting employees to new scams such as HaoBao will continue to increase awareness and vigilance among our work force.