North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign
This blog was authored by Ankur Saini and Hossein Jazi
Lazarus Group is one of the most sophisticated North Korean APTs and has been active since 2009. The group is responsible for many high-profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022.
In this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use the group's well-known job-opportunity theme. We identified two decoy documents masquerading as the American global security and aerospace giant Lockheed Martin.
In this blog post, we provide a technical analysis of this latest attack, including a clever use of the Windows Update client to execute the malicious payload and of GitHub as a command and control server. We have reported the rogue GitHub account for harmful content.
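A detection example, added here and not taken from the Malwarebytes report: the Windows Update client (wuauclt.exe) can be made to load a handler DLL through its /UpdateDeploymentProvider and /RunHandlerComServer arguments (publicly documented LOLBAS behaviour, not a detail this page states). The script triages constructed Sysmon-style process-creation records and flags invocations that load the DLL from outside the system directories or that are spawned by an Office application; the record format, sample paths and the Office parent list are assumptions.

```python
import re
# Handler DLLs loaded from these directories are treated as legitimate (assumed allow-list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Constructed sample records (not from the report): Sysmon-style process creation
# events flattened to "key=value|key=value" lines.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wuauclt.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine="C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer',
    r'Image=C:\Windows\System32\wuauclt.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\update.dll /RunHandlerComServer',
    r'Image=C:\Windows\System32\wuauclt.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\wuaueng.dll /RunHandlerComServer',
    r'Image=C:\Windows\System32\wuauclt.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=wuauclt.exe /detectnow',
]

def parse_event(line):
    """Split a flattened record into a dict; the first '=' separates key from value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def handler_dll(cmdline):
    """Return the argument following /UpdateDeploymentProvider (quotes stripped), or None."""
    m = re.search(r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', cmdline, re.IGNORECASE)
    return m.group(1).strip('"') if m else None

def assess(event):
    """Return a list of findings; an empty list means the event looks like ordinary WU activity."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\wuauclt.exe") or "/runhandlercomserver" not in cmd.lower():
        return []
    findings = []
    dll = handler_dll(cmd)
    if dll is None:
        findings.append("RunHandlerComServer requested without a provider DLL")
    elif "\\" in dll and not dll.lower().startswith(SYSTEM_DIRS):
        # A bare filename resolves from the system directory; an explicit path elsewhere is the hunt signal.
        findings.append(f"handler DLL loaded from a non-system path: {dll}")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_APPS:
        findings.append(f"wuauclt.exe spawned by Office application {parent}")
    return findings

def triage(lines):
    """Return (index, findings) for every record that produced at least one finding."""
    return [(i, f) for i, f in ((i, assess(parse_event(l))) for i, l in enumerate(lines)) if f]
```

Feed it real process-creation telemetry by adapting parse_event to your log export; only records 1 and 2 of the constructed set are flagged.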
Analysis
The two macro-embedded documents seem to be luring the targets about new …
IoC