Why it matters: Malwarebytes' Threat Intelligence Team has issued a new warning to users regarding a recently identified threat from the North Korean hacking group Lazarus. The attack uses fake documents with embedded macros designed to resemble Lockheed Martin employment information. Once the macro is executed, the exploit uses Windows Update and GitHub to deliver payloads and infect unsuspecting users.
The state-sponsored organization, already suspected in past attacks such as WannaCry and numerous attacks against U.S. media outlets, was discovered using Windows Update to deliver malicious payloads while using GitHub as a primary command and control (C2) server. The attacks loosely followed the group's earlier dream job campaign, which targeted organizations as well as specific individuals in the defense, aerospace, and civilian government contracting sectors.
The spear phishing attack used two decoy MS Word documents with embedded macros (Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc) that were designed to appear as valid Lockheed Martin job announcement information. Once the malicious macros are executed by an unsuspecting user, the malware package completes a series of injections on the target system to ensure persistence across target machine startups.
This could be related to #Lazarus #APT
- Contains macro (Frame1_Layout)
- Drops a lnk file in startup directory (WindowsUpdateConf.lnk)
- Creates a hidden Windows/System32 directory and drops wuaueng.dll (Though the dll looks benign)
- The lnk uses wuauclt.exe for execution
pic.twitter.com/KmOz9m5gEr
-- Jazi (@h2jazi), January 18, 2022
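The behaviours listed in the tweet above translate directly into host detections. The following is an added example, not code from Malwarebytes or the original article: it checks Sysmon-style events for a DLL handed to wuauclt.exe from anywhere other than the real System32 (an exact directory comparison, so a look-alike `...\Windows\System32` folder is still caught) and for a .lnk written into a Startup folder. The event layout, user name, paths and the `<switches>` placeholder are constructed assumptions.

```python
import ntpath
import shlex

# Constructed sample events for illustration; not taken from the report.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe /detectnow"},
    {"type": "process", "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe <switches> C:\Users\alice\AppData\Local\Windows\System32\wuaueng.dll"},
    {"type": "file", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\notes.lnk"},
]

SYSTEM32 = r"c:\windows\system32"            # the only directory treated as genuine
STARTUP = "\\start menu\\programs\\startup\\"  # per-user and all-users Startup folders
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def dll_args(cmdline):
    """Return DLL paths passed on a Windows command line (quotes stripped)."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:                              # unbalanced quote: fall back
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens if t.strip('"').lower().endswith(".dll")]

def check_event(ev):
    """Return a finding string for a suspicious event, or None."""
    image = ntpath.basename(ev["image"]).lower()
    if ev["type"] == "process" and image == "wuauclt.exe":
        for dll in dll_args(ev["cmdline"]):
            folder = ntpath.dirname(ntpath.normpath(dll)).lower()
            if folder != SYSTEM32:  # exact match defeats look-alike directories
                return f"wuauclt.exe loading DLL outside System32: {dll}"
    if ev["type"] == "file":
        target = ev["target"].lower()
        if target.endswith(".lnk") and STARTUP in target:
            who = "Office process" if image in OFFICE else image
            return f"Startup shortcut written by {who}: {ntpath.basename(ev['target'])}"
    return None

def scan(events):
    """Run every event through check_event and keep the findings."""
    return [f for f in map(check_event, events) if f]

if __name__ == "__main__":
    print("\n".join(scan(EVENTS)))
```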
A complete description of the attack process, as well as an in-depth discussion of the individual components making up the attack, is available on the Malwarebytes Lab Threat Intelligence Team's blog. Malwarebytes researchers and security engineers attributed the attack to Lazarus based on similarities to past attacks by the North Korean organization, such as:
- Well-designed fraudulent job opportunity documents branded with icons for defense contractors such as Lockheed Martin, Northrop Grumman, and Boeing
- Specific targeting of job seekers in the defense and aerospace sectors
- Similarities in metadata that link the recent spear phishing campaign with similar past campaigns
An April 2020 Cyber Threat Advisory was released by the DHS Cybersecurity and Infrastructure Security Agency (CISA) to provide formal guidance regarding North Korea's cyber activity. The State Department's Rewards for Justice (RFJ) program also provides guidance on what types of information and activity should be reported. Qualifying tips that disrupt any actions against the U.S. government are eligible for rewards of up to $5 million.