The infamous Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineers. The method involves impersonating defence contractors seeking job candidates.
Notorious North Korean APT impersonates Airbus, General Motors & Rheinmetall to lure potential victims into downloading malware.
Researchers have been tracking Lazarus activity for months with engineering targets in the US & Europe, according to a report published online by AT&T Alien Labs.
According to the report’s author, Fernando Martinez, emails sent to prospective engineering candidates by the APT pretend to be from the known defence contractors Airbus, General Motors (GM) & Rheinmetall.
Attached to the emails are Windows documents containing macro-based malware, “which has been developed & improved during the course of this campaign & from 1 target to another,” Martinez wrote.
“The core techniques for the 3 malicious documents are the same, but the attackers attempted to reduce the potential detections & increase the faculties of the macros,” he wrote.
The campaign is just the latest by Lazarus that targets the defence industry. In Feb., researchers linked a 2020 spear phishing campaign to the APT that aimed at stealing critical data from defence companies by using an advanced malware named Threat Needle.
Microsoft Office Macros
With its use of Microsoft Office Macros & compromised 3rd-party infrastructure for communications, the latest attacks have Lazarus written all over them, remaining “in line with the Lazarus’ past campaigns,” Martinez wrote.
“Attack lures, potentially targeting engineering professionals in govt. organisations, showcase the importance of tracking Lazarus & their evolution,” he wrote. “We continue to see Lazarus using the same tactics, techniques, & procedures that we have observed in the past.”
AT&T Alien Labs researchers had previously observed Lazarus activity trying to tempt victims with fake job opportunities from Boeing & BAE Systems. They were alerted to the new campaign when Twitter users identified several documents from May-June of this year, linked to the Lazarus group, that used Rheinmetall, GM & Airbus as lures, Martinez wrote.
Those malicious documents were: “Rheinmetall_job_requirements.doc”, identified by ESET Research; “General_motors_cars.doc”, identified by Twitter user @1nternaut; & “Airbus_job_opportunity_confidential.doc”, identified by 360CoreS.
Command & Control
The campaigns using the 3 new documents are similar in their command & control (C&C) communication but differ in how they execute malicious activity, researchers found.
Lazarus distributed 2 malicious documents related to Rheinmetall, a German engineering company focused on the defence & automotive industries. However, the 2nd included “more elaborate content,” & thus likely went unnoticed by victims, Martinez wrote.
One unique aspect of the macro contained in the initial malicious document is that it renames Certutil, a command-line program that Microsoft Docs describes as installed as part of Certificate Services, in an attempt to obscure its activities.
Arbitrary Code Injections
The ultimate payload of the Rheinmetall document uses Mavinject.exe, a legitimate Windows component that has been used & abused before in malware activity, to perform arbitrary code injections inside any running process, Martinez wrote. Attackers use a compromised domain as the C&C server in this case, Martinez added.
The GM document included an attack method similar to the Rheinmetall one with minor updates in the C&C communication process, researchers found. However, the C&C domain used in relation to this malicious activity, allgraphicart[.]com, no longer appears to be compromised, Martinez noted.
The Airbus document macro, like the Rheinmetall attack, used & renamed Certutil as an evasive manoeuvre & shared similar C&C communications tactics. It also showed a progression of injection & execution processes that abandons the previous use of Mavinject to do its dirty work, researchers discovered.
“The macro executes the mentioned payload with an updated technique,” Martinez wrote. “The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree.”
Once the payload has been executed, the macro in the Airbus document waits for 3 seconds before creating an .inf file in the same folder.
Then, whether it was successfully executed or not, the macro will proceed to send the beacon to the C&C with the execution status & delete all the temporary files, attempting to eliminate any evidence of malicious activities, researchers observed.
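The tradecraft described above (a renamed Certutil, payload injection via Mavinject, then direct execution through explorer.exe) leaves a recognisable trail in process-creation telemetry. The following is an added example written for this page, not code from the AT&T Alien Labs report or from the malicious documents themselves: a small rule-based detector in Python run over constructed Sysmon-style events. The field names mirror Sysmon Event ID 1 (Image, OriginalFileName, ParentImage); the event records, file paths and rule names are assumptions made for the example.

```python
# Added example (not from the AT&T Alien Labs report): rule-based detection of the
# Office-macro tradecraft described in the article, run over constructed
# Sysmon-style process-creation records. Field names follow Sysmon Event ID 1;
# the events, paths and rule names are made up for this example.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str               # path of the process that was created
    original_file_name: str  # OriginalFileName from the binary's PE version resource
    parent_image: str        # path of the parent process


# Office hosts whose macros were the launch point in the campaign
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Helpers the article says the macros launched: certutil, mavinject, explorer
SUSPICIOUS_CHILDREN = {"certutil.exe", "mavinject.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, regardless of separator style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of the rules that fire for one process-creation event."""
    findings = []
    img = basename(ev.image)
    orig = ev.original_file_name.lower()
    parent = basename(ev.parent_image)

    # Rule 1: the version resource says the binary is CertUtil, but it runs under
    # another file name (the renaming used by the Rheinmetall and Airbus documents).
    # Caveat: OriginalFileName lives in the file and can be edited by an attacker,
    # so this rule catches a plain rename, not a rebuilt binary.
    if orig == "certutil.exe" and img != "certutil.exe":
        findings.append("renamed-certutil")

    # Rule 2: an Office process spawning one of the execution helpers. The child is
    # identified by OriginalFileName first, so a renamed copy is still matched.
    identity = orig if orig in SUSPICIOUS_CHILDREN else img
    if parent in OFFICE_PARENTS and identity in SUSPICIOUS_CHILDREN:
        findings.append(f"office-spawns-{identity}")

    return findings


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Run detect() over a batch; return (index, findings) for events that fired."""
    hits = []
    for i, ev in enumerate(events):
        fired = detect(ev)
        if fired:
            hits.append((i, fired))
    return hits


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample telemetry (not real logs from the campaign)
SAMPLE_EVENTS = [
    # 0: benign, Explorer starts Word
    ProcEvent(WORD, "WinWord.exe", r"C:\Windows\explorer.exe"),
    # 1: Word launches a copy of certutil renamed to look like a system helper
    ProcEvent(r"C:\Users\Public\wuaueng.exe", "CertUtil.exe", WORD),
    # 2: Word launches mavinject (the Rheinmetall / GM documents)
    ProcEvent(r"C:\Windows\System32\mavinject.exe", "mavinject.exe", WORD),
    # 3: Word launches explorer.exe directly (the Airbus document)
    ProcEvent(r"C:\Windows\explorer.exe", "EXPLORER.EXE", WORD),
    # 4: benign, an administrator runs certutil from a console
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, rules)
```

Explorer being a child of Word, rather than its parent, is exactly the change in the execution tree that Martinez describes for the Airbus document, so rule 2 treats it as a signal even though explorer.exe is otherwise an ordinary process. In a real deployment these process rules would be paired with file-creation telemetry (Sysmon Event ID 11) to catch the .inf file the macro writes and the temporary files it deletes, and with network telemetry for the beacon to the compromised C&C domain.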
Given the prolific nature of Lazarus, named “the most active” threat group of 2020 by Kaspersky, the latest attack against engineers “is not expected to be the last,” Martinez noted.