Lazarus’ latest tactics: Deceptive development and ClickFix

2025-07-22, GenDigital
https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack
#ClickFix #Lazarus

While conducting routine clipboard monitoring, our team uncovered a sophisticated attack chain masquerading as an official NVIDIA-related update. What initially appeared to be a hiring assessment challenge quickly revealed itself to be a cleverly disguised lure.
The deceptive journey
The attack begins with a prompt to complete a mock interview form, followed by a page instructing users to set up their camera. This page falsely claims there are issues with the user's webcam or microphone, adding a layer of urgency and credibility to the ruse.
A pop-up then urges users to “Request camera access,” which presents a seemingly legitimate update command referencing an NVIDIA domain, supposedly to help the user fix the reported camera issues.
However, once copied, the command morphs into a malicious payload.
The attack chain
Executing the command initiates a multi-stage attack:
- A malicious archive is downloaded and automatically extracted.
- The VBS script launches a Python environment embedded within the …

IoC
