A Quick Review of Lazarus APT Hackers' Newly Accumulated Tools
Lazarus (aka Hidden Cobra), the infamous North Korean APT group, has been involved in various high-profile cyberattacks around the globe since 2009. To date, it is considered one of the most active espionage groups.
- Most recently, the group targeted Japanese organizations with obfuscated malware carrying sophisticated functionality. The group has also been targeting government, e-commerce, and cryptocurrency organizations.
- The attackers were spotted using VMProtect for obfuscation and SMBMap, a Python tool that enumerates and accesses remote hosts over SMB, which they had converted into a Windows Portable Executable (PE) file with PyInstaller so it could run without a Python interpreter on the target.
- In August 2020, the Lazarus group targeted an organization in the cryptocurrency vertical through LinkedIn job adverts.
- In the same month, the Lazarus group launched attacks against the Israeli defense industry.
- In July, the group was found to be intercepting online payments from American and European shoppers.
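The PyInstaller-packaged SMBMap binary mentioned above is a useful triage point for defenders: PyInstaller appends its archive to the end of the executable and marks it with a fixed "cookie" beginning with the magic bytes `MEI\x0c\x0b\x0a\x0b\x0e`, so a Python tool converted to an .exe this way can be spotted without unpacking it. The script below is an added example, not code from the original article or from any Lazarus tooling; it looks for that magic in a PE image and, assuming the 88-byte cookie layout used by PyInstaller 2.1 and later (`!8sIIIi64s`), decodes the cookie fields. The sample inputs are constructed inline so the script runs offline.

```python
"""Heuristic triage for PyInstaller-bundled Windows executables (added example)."""
import struct
import sys

# Magic that opens the PyInstaller archive cookie appended to the executable.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed cookie layout (PyInstaller >= 2.1): magic, package length, TOC offset,
# TOC length, Python version, name of the bundled Python DLL.
COOKIE_FORMAT = "!8sIIIi64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def is_pe(data: bytes) -> bool:
    """A PE image starts with the DOS 'MZ' header."""
    return data[:2] == b"MZ"


def find_pyinstaller_cookie(data: bytes) -> int:
    """Offset of the last occurrence of the PyInstaller magic, or -1 if absent."""
    return data.rfind(PYINSTALLER_MAGIC)


def parse_cookie(data: bytes, offset: int):
    """Decode the cookie at `offset`; returns None if the file is truncated."""
    chunk = data[offset:offset + COOKIE_SIZE]
    if len(chunk) < COOKIE_SIZE:
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FORMAT, chunk)
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyver,
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def triage(data: bytes) -> dict:
    """Report whether `data` is a PE and whether it carries a PyInstaller archive."""
    result = {"is_pe": is_pe(data), "pyinstaller": False, "cookie": None}
    offset = find_pyinstaller_cookie(data)
    if offset != -1:
        result["pyinstaller"] = True
        result["cookie"] = parse_cookie(data, offset)
    return result


def build_sample(bundled: bool) -> bytes:
    """Constructed test input: a minimal fake PE body, optionally with a cookie."""
    body = b"MZ" + b"\x00" * 62 + b"<constructed PE body>" + b"\x00" * 100
    if not bundled:
        return body
    # Hypothetical cookie values; only the layout is taken from PyInstaller.
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, 4096, 3000, 256, 38,
                         b"python38.dll".ljust(64, b"\x00"))
    return body + b"\x00" * 16 + cookie


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        print("bundled sample:  ", triage(build_sample(True)))
        print("plain sample:    ", triage(build_sample(False)))
```

Treat a hit as a lead, not a verdict: plenty of legitimate software ships as PyInstaller bundles, so the value is in pairing this check with context such as the binary's name, signing status, and the SMB activity that follows it. Run it against a real sample with `python triage.py suspect.exe`.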
New tools and tactics
In recent months, the group has added several new tricks and tactics to its arsenal. Its attack methods include zero-day exploits, spear phishing, custom malware, misinformation, backdoors, and droppers.
- In mid-August, Lazarus was seen using a new strain of malware, dubbed BLINDINGCAN, for targeting the U.S. and foreign companies active in the military defense and aerospace sectors.
- The group used MATA malware to compromise a large number of e-commerce firms, software developers, and ISPs across Poland, Germany, Turkey, Korea, Japan, and India.
- Lazarus also equipped itself with digital skimming capabilities, better known as Magecart attacks, compromising the online store code of large retailers such as Claire's to capture payment card data at checkout.
- The group was also found running business email compromise (BEC) scams during Operation In(ter)ception, a campaign that targeted victims for both cyberespionage and financial theft.
Lazarus activity has been reported by many different government agencies and private organizations, with attacks observed across multiple countries. Its growing use of legitimate, publicly available tools makes the group's activity harder to distinguish from normal administration and therefore harder to detect and defend against.