New Insights on Highly-targeted Operation North Star Campaign

Additional yet unique insights

• The campaign is conducted with secondary payloads known as Torisma and Doris, designed to remain hidden on compromised systems and stealthily monitor its victims for continued exploitation.
• In addition, the threat group compromised and used genuine domains to conduct C2 operations, all the while minimizing the risk of detection and discovery.
• The group has used political and job recruiting lures to launch attacks on IP-addresses belonging to ISPs in Australia, Israel, and Russia, and defense contractors based in India and Russia.

Earlier detection

• According to a July report, the researchers have attributed the cyber espionage campaign to a North Korean hacking group known as Hidden Cobra aka Lazarus APT group. 
• The group had been using legitimate job recruitment content from popular U.S. defense contractor websites to trick unwitting victims into opening documents laden with malware.

Recent attacks by Hidden Cobra

• In September, Hidden Cobra hackers were seen using a Python tool SMBMAP to infect and leverage a Japanese organization’s account information.
• In August, the threat actors had used a malware called FASTCASH for Windows to target banking payment systems using DLL injection and man-in-the-middle techniques.

Endnotes