Updated on 2022-12-29
K7 has a report out on recent Lazarus APT operations, namely, one baiting users with job vacancies at Coinbase that try to infect victims with macOS malware. Read more: Lazarus APT’s Operation Interception Uses Signed Binary
Updated on 2022-12-26
The Lazarus threat group is linked to a massive phishing campaign that targeted NFT investors. The attackers had used around 500 phishing domains to dupe victims. Read more: SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users
🚨SlowMist Security Alert🚨
North Korean APT group targeting NFT users with large-scale phishing campaign
This is just the tip of the iceberg. Our thread only covers a fraction of what we've discovered.
Let's dive in pic.twitter.com/DeHq1TTrrN
— SlowMist (@SlowMist_Team) December 24, 2022
Updated on 2022-12-06
Volexity observed a new campaign by the North Korean Lazarus APT group, which propagates fake cryptocurrency apps—under the fake brand name BloxHolder—to deploy the AppleJeus malware. Read more: Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware
Updated on 2022-12-05: Lazarus AppleJeus campaign
Volexity researchers have spotted a fake cryptocurrency application that installs a version of AppleJeus, a malware strain previously associated with the Lazarus North Korean hacking group. Volexity says the malware used a novel DLL side-loading technique to infect targets, a technique that was later also spotted in a Lazarus spear-phishing campaign. Read more: ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Updated on 2022-12-04: More Lazarus
More on another Lazarus campaign, this time targeting South Korea with malicious LNK files. Read more:
Beware of North Korea-linked hacking attacks impersonating discussion topics of a diplomatic and security academic conference!
Updated on 2022-11-29
QiAnXin also has a report on Lazarus attacks targeting Japan. Read more: Job-hunting trap: Analysis of Lazarus group attack activity using recruitment postings from Japan's Mizuho Bank and others as bait
Updated on 2022-11-25: ZINC/Lazarus
Avertium has a detailed rundown of all the TTPs employed by ZINC, a North Korean APT, also known as the Lazarus Group. Read more: AN IN-DEPTH LOOK AT THE NORTH KOREAN THREAT ACTOR, ZINC
Updated on 2022-11-15: Lazarus DTrack
Kaspersky has a new report out on how the Lazarus Group has used the DTrack backdoor over the past few years since its initial discovery in 2019. Read more: DTrack activity targeting Europe and Latin America
“The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.”
Updated on 2022-11-14
Lazarus APT group has been found using the DTrack backdoor to target education, IT, chemical manufacturing, telecoms, utility, and government industries in Latin America and Europe. Read more: DTrack activity targeting Europe and Latin America
Updated on 2022-11-04: Lazarus attacks on South Korea
Researchers from Chinese security firm Antiy have a report out on a series of Lazarus APT attacks against South Korean organizations. AhnLab has one too. Read more:
- Analysis of suspected Lazarus group attack activity targeting South Korea
- A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique
Updated on 2022-10-17: Japan warning
The Japanese National Police Agency published a public advisory last week, warning that Lazarus, a group of North Korean state-sponsored hackers, sent multiple phishing emails to the employees of Japanese-based cryptocurrency companies in the hopes of infecting their systems and stealing funds. Read more: Authorities name North Korea hacker group, warn of attacks on Japanese crypto assets
Updated on 2022-10-04: Lazarus Hacker Group Targets MacOS Users Through Crypto Jobs
North Korean hackers the Lazarus Group are now targeting Apple macOS users with fake and unsolicited crypto job ads that carry malware, which then infects the victims' machines. The group's phishing campaign reportedly only targets Mac users so far. Other victims have been contacted with job offers on LinkedIn. Read more: Lazarus Hacker Group Targets MacOS Users Through Crypto Jobs
Updated on 2022-10-03: North Korea-linked Hackers Exploited a Dell Firmware Driver Vulnerability to Install Rootkit
Researchers from ESET have observed cyberthreat actors with links to North Korea exploiting a known vulnerability in a Dell firmware driver to install a Windows rootkit. The campaign took place last autumn; the attackers sent phony job offers to targets including a political journalist in Belgium and an aerospace company employee in the Netherlands. The goal of the campaign appears to have been data exfiltration.
Note
- While the intended targets so far have been few, it's not hard to take mitigation steps regardless of whether you are targeted. Dell provided updates to the DBUtil drivers in May of 2021. Make sure that you've deployed them.
Read more in
- Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
- Lazarus Group Exploited Dell Driver Flaw to Disable Windows Monitoring Features
- Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers
- Lazarus hackers abuse Dell driver bug using new FudModule rootkit
- DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver
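The following PowerShell script is an added example (not code from the page, Dell or ESET) that checks a Windows host for the vulnerable Dell dbutil driver covered by DSA-2021-088, so an administrator can confirm the May 2021 remediation actually reached the machine. It assumes the vulnerable driver file is named dbutil_2_3.sys (the name used in Dell's advisory) and that the search roots below are where the file is typically dropped; both are assumptions, and the SHA256 it prints is for the reader to compare against the hashes published in the advisory.

```powershell
# Added example, not from the page or from Dell/ESET: look for the vulnerable
# Dell dbutil driver (DSA-2021-088) on disk and as a registered driver service.
# Assumptions: file name dbutil_2_3.sys (per Dell's advisory); the search roots
# below are the usual drop locations (assumption). Run from an elevated session.

$driverName  = 'dbutil_2_3.sys'
$searchRoots = @(
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32\drivers",
    "$env:SystemDrive\Users"      # covers each user's %LOCALAPPDATA%\Temp
)

# Collect every copy of the driver file found under the search roots.
$findings = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter $driverName -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# A kernel driver service whose image path references dbutil means the driver
# has been registered for loading, not merely left on disk.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'dbutil' } |
    Select-Object Name, State, StartMode, PathName

if ($findings) {
    Write-Warning "Vulnerable Dell driver file(s) found; compare the hash with DSA-2021-088 and remove/replace per the advisory:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No $driverName file found in the searched locations."
}

if ($services) {
    Write-Warning "Registered driver service(s) referencing dbutil:"
    $services | Format-Table -AutoSize
} else {
    Write-Output "No registered driver service references dbutil."
}
```

Because BYOVD attacks bring their own copy of the driver, a clean result here only shows the host is not currently carrying the file; pairing this check with the Microsoft vulnerable driver blocklist (or an equivalent driver-load control) is what stops an attacker from re-introducing it later.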
Updated on 2022-10-03: Lazarus campaign in NE/BE
ESET published a report on Friday about an Amazon-themed spear-phishing campaign carried out by the Lazarus North Korean APT against targets in Belgium and the Netherlands during the fall of 2021. Confirmed targets of these attacks include an employee of an aerospace company in the Netherlands and a political journalist in Belgium. Lazarus used their tried-and-tested BYOVD (Bring Your Own Vulnerable Driver) technique to elevate privileges on the attacked machine and install the BLINDINGCAN backdoor. In this case, ESET said Lazarus exploited a vulnerability in a Dell driver. Read more:
- Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
- Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD
Lazarus hackers were seen carrying out a spearphishing campaign in which they install a Windows rootkit by abusing a Dell hardware driver in a Bring Your Own Vulnerable Driver attack. Read more: Lazarus hackers abuse Dell driver bug using new FudModule rootkit
Updated on 2022-09-27
In its latest campaign, the Lazarus APT group was observed leveraging unsolicited job opportunities to drop malware on macOS. These fake ads are part of its Operation In(ter)ception campaign. Read more: North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs
Updated on 2022-09-23: Lazarus BYOVD attacks
AhnLab researchers have published an extensive report on BYOVD (Bring Your Own Vulnerable Driver) attacks employed by the Lazarus North Korean APT. The company notes that while these attacks have been seen since 2014, Lazarus is the first APT to have designed an elaborate rootkit that takes advantage of BYOVD techniques to elevate privileges and compromise all major Windows versions from the old Windows 7 up to the most recent OS version, Windows Server 2022. Read more: Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD
Updated on 2022-09-22: New Lazarus attack
In the meantime, Chinese security researcher Hao Zhixiang said this week that he detected a new phishing campaign linked to the Lazarus group that has targeted virtual currency company Maitixport. IOCs in the Twitter thread below:
https://twitter.com/HaoZhixiang/status/1572434427942432772
The North Korean state-sponsored hacking group known as Lazarus has launched a campaign to steal sensitive information from computer networks of energy providers in the US, Canada, and Japan. Researchers from Cisco Talos say the hackers are exploiting Log4j vulnerabilities in VMware Horizon servers to access the targeted networks.
Note
- What is new is that a new implant, "MagicRAT", is being deployed three days before the deployment of their previously known VSingle malware. The entry point remains vulnerable services, such as VMware Horizon servers left unpatched against Log4Shell even though patches for the flaw are available. Yes, it's a bummer taking downtime to patch these services, but it's far better than the dust-up if you're compromised. Yes, your internal network is safer than Internet-exposed services, but it's too risky to assume hackers can't penetrate your perimeter. Core capabilities in the Lazarus toolkit include disabling endpoint protection and other mitigations you've deployed to detect and prevent compromise.
Updated on 2022-09-15: Lazarus APT deploying three trojans in attacks against users in North America
Description: Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMware Horizon to gain an initial foothold in targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state. Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.
Read more in
- Lazarus and the tale of three RATs
- MagicRAT: Lazarus’ latest gateway into victim networks
- Lazarus Group unleashed a MagicRAT to spy on energy providers
- North Korean Lazarus hackers take aim at U.S. energy providers
Axie Recovery
The US has recovered $30 million stolen from Axie Infinity by North Korea's Lazarus group. Leveraging blockchain analysis expertise from Chainalysis and the FBI, law enforcement groups were able to seize funds after cashout (not from the blockchain itself). This is yet another reminder that the blockchain doesn't just leave crumbs—it's a crumb-leaving technology—and criminals are often vulnerable at the cashout step. Read more: US recovers $30 million stolen from Axie Infinity by Lazarus hackers
Overview: Lazarus Group starts using new MagicRAT in attacks targeting vulnerable VMware Horizon platforms
Cisco Talos discovered a new remote access trojan (RAT) named "MagicRAT" that Talos attributed with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely. Talos also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide.
Read more in