North Korean APT group Lazarus is making headlines again. This time the threat actor is operating a campaign impersonating renowned defense contractors and targeting job seekers and engineering professionals in government organizations.

What was observed?

According to a report by AT&T Alien Labs, the activity has been going on for several months, with the attackers targeting victims in the U.S. and Europe.
  • Attackers were observed sending emails to prospective candidates, posing as the globally recognized defense contractors General Motors, Airbus, and Rheinmetall.
  • The emails carry Windows documents with embedded macro-based malware that is designed specifically for this campaign and customized for each target.
  • Besides using malicious Microsoft Office documents, the attackers leveraged compromised third-party infrastructure for their communications, as in their past attacks.

Additional insights

In this latest campaign, the key technique used for creating the malicious document remained the same, and the attackers made heavy use of obfuscation to reduce detections.
  • In a few of the documents, the macros (upon execution) try to rename the command-line utility Certutil to hide its activity. The emails purporting to be from Rheinmetall and Airbus used this tactic and shared similar C&C communication techniques.
  • In the Rheinmetall document lures, the final payload was Mavinject.exe, a legitimate Windows component that can be used for arbitrary code injection.
  • In the case of the Airbus document, once the payload is executed, the macro code waits for three seconds, creates a .inf file, sends a beacon to the C&C server with the execution status, and deletes all temporary files to remove its footprints.
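As an added illustration (not code from the Alien Labs report or this article), the following Python flags the three behaviours described above over constructed Sysmon-style events: a renamed Certutil whose PE OriginalFileName still says certutil, Certutil or Mavinject.exe spawned directly by an Office process, and an Office process writing a .inf file. The event shape, field names, process list and file paths are assumptions.

```python
"""Detections for the macro tradecraft above, run over constructed Sysmon-style events."""
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry (not real logs): three suspicious events and one benign one.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "Image": r"C:\Users\jdoe\AppData\Local\Temp\wuaueng.exe",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\mavinject.exe",
     "OriginalFileName": "mavinject.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "FileCreate", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\setup.inf"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\certutil.exe",   # benign admin use
     "OriginalFileName": "CertUtil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (accepts forward slashes too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection names that fire for one event (empty list means no finding)."""
    findings = []
    image = basename(event.get("Image", ""))
    if event["type"] == "ProcessCreate":
        original = event.get("OriginalFileName", "").lower()
        parent = basename(event.get("ParentImage", ""))
        # Renaming the file on disk does not change the PE version resource,
        # so OriginalFileName still identifies the binary as certutil.
        if original == "certutil.exe" and image != "certutil.exe":
            findings.append("renamed_certutil")
        # An Office application launching these binaries directly is the macro at work.
        if parent in OFFICE_PROCESSES and original == "certutil.exe":
            findings.append("office_spawned_certutil")
        if parent in OFFICE_PROCESSES and image == "mavinject.exe":
            findings.append("office_spawned_mavinject")
    elif event["type"] == "FileCreate":
        target = event.get("TargetFilename", "").lower()
        if image in OFFICE_PROCESSES and target.endswith(".inf"):
            findings.append("office_wrote_inf")
    return findings


def scan(events):
    """(image name, findings) for every event that triggered at least one detection."""
    return [(basename(e.get("Image", "")), classify(e)) for e in events if classify(e)]
```

The benign certutil launched from cmd.exe produces no finding, so the rules key on the rename and on the Office parent rather than on certutil use alone.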

Concluding notes

A few months ago, Lazarus was observed running a similar campaign, in which it used the ThreatNeedle malware to target the defense industry. In its latest campaign, the group continues to show several traits of its past attacks, including the use of malicious macros embedded in documents. However, gradual improvements in its obfuscation, as well as its ability to hide its tracks by deleting all footprints, indicate that the group is still working to make its attacks more efficient. Therefore, security agencies should keep a close eye on Lazarus.

Cyware Publisher