The Lazarus hacking group is one of North Korea’s top cybersecurity threats, recently coming to the attention of the US government for massive cryptocurrency heists.
Today, NCCGroup researchers rounded up some of the tools and techniques the Lazarus hackers have used recently, including social engineering on LinkedIn, messaging US defense contractors on WhatsApp, and installing the LCPDot malicious downloader.
NCCGroup’s conclusions build on what is already known about the Lazarus hackers. The group and its subgroups are known to have used LinkedIn to trick targets into installing malicious files such as Word documents with hidden macros.
In February, Qualys researchers discovered that the group was posing as defense contractor Lockheed Martin, using its name as a lure for job opportunities in booby-trapped Word documents. The documents contained malicious macros to install malware and relied on scheduled tasks to persist on a system.
Lazarus has historically used LinkedIn as its preferred social network to contact professionals with job openings. In 2020, F-Secure researchers discovered that the group was trying to recruit a sysadmin with a phishing document sent to the target’s LinkedIn account about a blockchain company looking for a new sysadmin.
In April, the US Treasury linked Lazarus to a $600 million March heist on the blockchain network behind the play-to-earn game Axie Infinity.
In the same month, the FBI, the Cybersecurity and Infrastructure Security Agency and the Treasury warned that Lazarus was currently focusing on exchanges in the blockchain and cryptocurrency industry, using spear phishing campaigns and malware to steal cryptocurrency.
NCCGroup found that the recent use of fake Lockheed Martin profiles to share job postings with targets relied on material hosted on a domain that attempted to mimic that of a US-based recruitment site for government and defense vacancies.
To circumvent Microsoft’s recent efforts to restrict the use of macros in Office documents, the website hosted a ZIP file containing the malicious document which was used to connect to the Lazarus command and control server.
“In order to circumvent security checks in Microsoft’s recent changes to Office macros, the website hosted a ZIP file containing the malicious document,” NCCGroup noted.
In April, Microsoft introduced a new Office default behavior that blocks VBA macros obtained from the Internet in documents on devices running Windows. A security expert called it a “game changer” due to the prevalence of macro malware.
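One defender-side check the ZIP-wrapping trick above calls for, as an added example that is not taken from the NCCGroup or Japan CERT reports: inspect archive attachments for Office documents that carry a VBA project, rather than relying on the download-origin check the wrapper is intended to evade. The archive, its file names and the document contents are constructed for the demo.

```python
import io
import zipfile

OFFICE_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm")


def has_vba_project(doc_bytes: bytes) -> bool:
    """Return True if an OOXML document embeds a VBA project.

    OOXML files are ZIP containers; macro code lives in a part named
    vbaProject.bin (for example word/vbaProject.bin). Anything that is not
    a valid ZIP is reported as macro-free here (legacy .doc is out of scope).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False


def find_macro_documents(archive_bytes: bytes) -> list[str]:
    """List entries of an outer ZIP that are Office documents carrying VBA."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.lower().endswith(OFFICE_EXTENSIONS):
                continue
            if has_vba_project(outer.read(info)):
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed test data: one macro-enabled document, one clean one, one non-Office file."""
    def ooxml(parts: dict[str, bytes]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in parts.items():
                z.writestr(name, data)
        return buf.getvalue()

    # vbaProject.bin content is a placeholder; only its presence matters to the check.
    macro_doc = ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"placeholder-vba-project"})
    clean_doc = ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("job_offer.docm", macro_doc)
        z.writestr("benefits.docx", clean_doc)
        z.writestr("notes.txt", b"not an Office file")
    return outer.getvalue()


if __name__ == "__main__":
    print(find_macro_documents(build_sample_archive()))  # prints ['job_offer.docm']
```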
NCCGroup also obtained a sample of the Lazarus variant of LCPDot, a downloader recently analyzed by Japan CERT, which attributed it to Lazarus.
After registering a compromised host with the command and control server, the downloader receives another payload, decrypts it, and then loads it into memory.
NCCGroup lists several domains whose appearance in an organization’s network traffic would indicate that it has been compromised by the group.
In March, Google detailed a wide-ranging campaign by Lazarus-linked groups targeting hundreds of people in the media and tech sectors with job postings in emails posing as recruiters from Disney, Google and Oracle. Blockchain analytics firm Chainalysis estimated that North Korean hackers stole $400 million worth of cryptocurrency in 2021.