LAZARUS CAMPAIGNS AND BACKDOORS IN 2022-23
4 - 6 October, 2023 / London, United Kingdom
Peter Kálnai
ESET, Czechia
[email protected]
www.virusbulletin.com
ABSTRACT
The Lazarus group is an infamous North Korea-aligned threat actor that has been active since at least 2009. There are various types of campaigns attributed to Lazarus, based on toolset similarities, shared infrastructure, telemetry, or the cui bono principle, and we have been discovering many of these campaigns for years. In this paper we will discuss the group’s recent attacks, or attempts, from the years 2022 and 2023, several of which have not previously been publicly disclosed. These include: decoy programming challenges against a Spanish aerospace company delivering a highly sophisticated RAT; Coinbase-themed decoys with both Windows and macOS payloads targeting individuals in South America; attempts to compromise banking entities in the United States and Tanzania via fake Signature Bank- and MUFG-themed job offers; an OpenSSL-based backdoor discovered in an agriculture-related entity in South Korea; …
IoC