North Korea's Lazarus APT group is in the headlines again. This time the threat actor is running a campaign that uses the names of reputable defense contractors as lures, targeting job seekers and engineers in governmental organizations.
What transpired?
According to a study, this activity has lasted for several months, targeting the victims in the United States and Europe.
- Attackers were seen emailing prospective recruits while posing as globally recognized defense contractors, among them General Motors, Airbus, and Rheinmetall.
- The emails carry Microsoft Office documents that are exclusive to this campaign and tailored to each recipient, with macro-based malware embedded in them.
- Alongside the malicious Office content, the attackers used compromised third-party infrastructure for their communications, as they did in previous attacks.
Other insights:
The core technique used to build the malicious documents is unchanged in this campaign. To reduce detections, the attackers made extensive use of obfuscation.
- When executed, the macros in some documents attempt to hide their activity by renaming Certutil, a built-in Windows command-line utility. The Rheinmetall and Airbus lures both employed this technique and used comparable C&C tactics.
- Mavinject.exe, a legitimate Windows component that can be abused for arbitrary code injection, was the final payload in the Rheinmetall document lures.
- In the Airbus case, the macro waits three seconds for the payload to run, generates a .inf file, reports the execution status to the C&C server, and deletes all temporary files to remove its footprint.
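Two of the behaviours described above leave a recognizable trace in process-creation telemetry: a certutil binary running under a different filename (the PE version information still says CertUtil.exe) and mavinject.exe launched directly by an Office application. The following Python is an added example, not code from the eScan post or the underlying research; the events are constructed records shaped like a subset of Sysmon Event ID 1 fields, and the field names, paths and version-info values are assumptions.

```python
"""Flag a renamed certutil.exe and an Office-spawned mavinject.exe in
process-creation events. Constructed example, not data from the campaign."""
from pathlib import PureWindowsPath

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry: dicts carrying a subset of Sysmon EID 1 fields.
# Paths and OriginalFileName values are assumptions made for the example.
SAMPLE_EVENTS = [
    {  # benign: certutil run under its own name from an admin shell
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # suspicious: certutil copied under another name and spawned by Word
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
        "OriginalFileName": "CertUtil.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {  # suspicious: mavinject.exe started directly by Word
        "Image": r"C:\Windows\System32\mavinject.exe",
        "OriginalFileName": "mavinject.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {  # benign: unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_renamed_certutil(ev):
    """Version info identifies CertUtil, but the file on disk has another name."""
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and basename(ev["Image"]) != "certutil.exe")


def is_office_spawned_mavinject(ev):
    """mavinject.exe whose direct parent is an Office application."""
    return (basename(ev["Image"]) == "mavinject.exe"
            and basename(ev["ParentImage"]) in OFFICE_PROCESSES)


def detect(events):
    """Return (rule_name, image_path) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if is_renamed_certutil(ev):
            findings.append(("renamed_certutil", ev["Image"]))
        if is_office_spawned_mavinject(ev):
            findings.append(("office_spawned_mavinject", ev["Image"]))
    return findings


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The renamed-certutil rule keys on the mismatch between the on-disk name and the PE OriginalFileName rather than on the name alone, which is what defeats the renaming described above; the mavinject rule relies on parent-child lineage, since the binary itself is a signed Windows component and will not trip a hash- or name-based check.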
A few months ago, Lazarus ran a similar campaign against the defense industry using the ThreatNeedle malware. The group continues to reuse features of its earlier attacks in this campaign, including malicious macros embedded in documents. However, the steady development of its obfuscation techniques and its ability to cover its tracks by removing all footprints show that the group is continually working to make its attacks more effective. Government security agencies and cybersecurity providers alike therefore need to keep a close watch on Lazarus.
To read more, please check eScan Blog