The notorious Lazarus Group was also seen launching a new operation that abuses the Windows Update service to execute its malicious payload, adding to the APT group's arsenal of living-off-the-land (LotL) techniques.
The North Korean state-sponsored hacking group known as the Lazarus Group, also tracked as APT38, Whois Hacking Team, Hidden Cobra, and Zinc, has been active since 2009. Last year the same threat actor was tied to a sophisticated social engineering campaign aimed at security researchers.
The latest spear-phishing attempts, discovered by Malwarebytes and dated January 18, rely on documents containing job-themed decoys impersonating Lockheed Martin, a US global security and aerospace company.
When the fake Microsoft Word file is opened, a malicious macro embedded in the document executes; it then runs Base64-decoded shellcode to inject several attack components into the explorer.exe process.
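The macro-to-shellcode staging described above leaves a recognisable trace in the document itself: a long Base64 string that decodes to something that is not text. The following triage script is an added example, not code from Malwarebytes or from the campaign; it scans VBA source for long Base64 blobs, decodes them, scores each by Shannon entropy and printable-byte ratio, and notes whether the macro also declares Win32 memory and thread APIs. The macro text and the "payload" bytes are constructed for the example.

```python
"""Triage helper for macro documents that stage Base64-encoded shellcode.

Added example (not Malwarebytes' tooling): decoded blobs that are high-entropy
and mostly non-printable are flagged as code-like; plain text decodes to low
entropy and a printable ratio near 1.0. All sample input below is constructed.
"""
import base64
import binascii
import math
import re
from dataclasses import dataclass

# Base64 runs of at least 64 characters; shorter runs are usually benign strings.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Win32 calls that macros declare when they allocate and execute decoded payloads.
SUSPICIOUS_DECLARES = (
    "VirtualAlloc", "RtlMoveMemory", "CreateThread",
    "CreateRemoteThread", "WriteProcessMemory",
)


@dataclass
class BlobReport:
    offset: int            # position of the blob in the macro source
    decoded_len: int       # bytes after Base64 decoding
    entropy: float         # Shannon entropy in bits per byte (0.0 .. 8.0)
    printable_ratio: float # share of decoded bytes in the ASCII printable range

    @property
    def looks_like_code(self) -> bool:
        # Shellcode and packed code sit near the top of the entropy scale and
        # are mostly non-printable; thresholds are heuristic, tune on your corpus.
        return self.entropy > 6.0 and self.printable_ratio < 0.6


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_blobs(vba_source: str) -> list[BlobReport]:
    reports = []
    for m in BASE64_RE.finditer(vba_source):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid Base64 (e.g. a long identifier), skip it
        printable = sum(32 <= b < 127 for b in decoded)
        reports.append(BlobReport(m.start(), len(decoded),
                                  shannon_entropy(decoded), printable / len(decoded)))
    return reports


def find_suspicious_declares(vba_source: str) -> list[str]:
    # Match "Declare ... <ApiName>" on a single line of VBA source.
    return [name for name in SUSPICIOUS_DECLARES
            if re.search(r"\bDeclare\b.*\b" + name + r"\b", vba_source)]


def triage(vba_source: str) -> dict:
    blobs = extract_blobs(vba_source)
    declares = find_suspicious_declares(vba_source)
    code_like = [b for b in blobs if b.looks_like_code]
    return {
        "blobs": blobs,
        "code_like_blobs": code_like,
        "declares": declares,
        # Both signals together justify escalation; either alone only warrants review.
        "verdict": "suspicious" if declares and code_like else "review",
    }


def constructed_sample() -> str:
    # Deterministic stand-in for shellcode: every byte value appears exactly
    # twice, so entropy is 8.0 bits and most bytes are non-printable.
    fake_code = bytes((i * 167 + 13) % 256 for i in range(512))
    fake_text = b"Document template version string used by the corporate branding add-in"
    return f'''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal a As LongPtr, ByVal b As Long, ByVal c As Long, ByVal d As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal a As LongPtr, ByVal b As Long, ByVal c As LongPtr, d As LongPtr, ByVal e As Long, f As LongPtr) As LongPtr

Sub AutoOpen()
    Dim banner As String
    banner = "{base64.b64encode(fake_text).decode()}"
    Dim payload As String
    payload = "{base64.b64encode(fake_code).decode()}"
End Sub
'''


if __name__ == "__main__":
    result = triage(constructed_sample())
    for blob in result["blobs"]:
        print(f"offset={blob.offset} len={blob.decoded_len} entropy={blob.entropy:.2f} "
              f"printable={blob.printable_ratio:.2f} code_like={blob.looks_like_code}")
    print("declares:", result["declares"], "verdict:", result["verdict"])
```

Run it against VBA text dumped from a document (for example with olevba) rather than the raw .docm file. Real macros usually split the string across `& _` continuations or wrap it in a decoding function, so concatenate string literals before scanning; the entropy test is what makes the check robust, since it does not depend on any particular shellcode bytes.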
According to Malwarebytes, the attribution to the Lazarus Group rests on several pieces of evidence, notably infrastructure overlaps, document metadata, and the job-themed lure and choice of victims, which match the group's established pattern.
There are several signs that the Lazarus threat actor carried out this attack.
Lazarus has an established pattern of luring its targets with fake job openings. This actor's documents are well crafted, and the template features a prominent logo of a well-known corporation such as Lockheed Martin, Boeing, BAE Systems, or Northrop Grumman.
In this campaign the actor has targeted people seeking jobs at Lockheed Martin. The actor has a history of targeting the defence industry, and Lockheed Martin in particular.
The metadata of the documents used in this attempt links them to numerous other documents this actor has used previously.
Lazarus is a well-known advanced persistent threat group that targets the defence industry. The group continuously updates its toolkit to evade security controls.