Amid operations sending malicious documentation to work-seekers, the renowned group Lazarus advanced persistent threat (APT) has been identified. In this case, defense companies are searching for jobs.
As per a paper published online by AT&T Alien Labs, researchers monitored the activity of Lazarus for months with technical targets in the United States and Europe.
According to the creator of the report, Fernando Martinez, emails from prominent defense contractors Airbus, General Motors (GM), and Rheinmetall have been sent to potential engineering recruits by the APT purport.
Word documents with macros that implant malicious code in a victim's PC are included in the emails to prevent detection by changing the target computer settings.
“The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros,” Martinez wrote.
Lazarus's operation is the newest thing that targets the field of defense. In February, scientists attributed a 2020 spear-phishing campaign to the APT aiming to acquire key data by using advancing malware named ThreatNeedle from defense organizations.
Indeed, with Microsoft Office Macros being used and third-party communications infrastructures being jeopardized, Lazarus is written all over the latest attacks that remain 'in line with the earlier Lazarus campaigns' as Martinez said.
“Attack lures, potentially targeting engineering professionals in government organizations, showcase the importance of tracking Lazarus and their evolution,” he wrote. “We continue to see Lazarus using the same tactic, techniques, and procedures that we have observed in the past.”
Researchers from AT&T Alien Labs have already seen Lazarus' activities, trying to attract victims to false Boeing and BAE systems jobs. Martinez noted that Twitter users were warned of the current campaign as Twitter users identified various papers related to Lazarus by Rheinmetall, GM, and Airbus from May to June this year.
Researchers have discovered that campaigns using the three new documents are comparable in communicating with the command and control but that they can do malicious activities in distinct ways. Lazarus has circulated two malicious documents related to the German defense and automotive industry engineering firm Rheinmetall. The second had "more elaborate content," which made it possible for victims to remain unnoticed, noted Martinez.
One of the distinctive aspects of the macro in the original malicious document is to rename the Microsoft Docs command-line software Certutil to try and disguise its actions.
“The macro executes the mentioned payload with an updated technique,” Martinez wrote. “The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree.”
Owing to Lazarus' historically prolific behavior – called the "most active" threat group in 2020 by Kaspersky— the recent attack on technicians "is not expected to be the last," Martinez said.
Attack tactics that may target technical experts in governmental organizations illustrate the relevance of Lazarus tracking and its progression, Martinez added.
