According to the U.S. government, Lazarus is linked to the political regime in North Korea
During the ESET World 2022 conference, experts from ESET, a leading proactive threat detection company, presented new research on the Lazarus APT group. The director responsible for ESET Threat Research, Jean-Ian Boutin, went over new campaigns practiced by the Lazarus group against defense companies worldwide between the end of 2021 and March 2022.
According to ESET’s telemetry, in the 2021-2022 attacks Lazarus targeted companies in Europe (France, Italy, Germany, the Netherlands, Poland, and Ukraine) and Latin America (Brazil).
Although the main goal of Lazarus’ operation was cyber espionage, the criminals also tried unsuccessfully to extract money. “The Lazarus threat group showed its engineering by implementing a set of tools, which includes, for example, a user mode component capable of exploiting a Dell vulnerability check to write to kernel memory. This advanced trick was used in an attempt to bypass the monitoring of security solutions,” said Jean-Ian Boutin.
During 2020, ESET experts had documented a campaign conducted by a subset of Lazarus against European contractors of companies providing services to the defense and aerospace industries, calling the operation In(ter)ception. This campaign was highlighted as it used social networks, especially LinkedIn, to build trust between the scammer and an unsuspecting employee before sending malicious components disguised as job descriptions or applications. At this point, companies in Brazil, the Czech Republic, Qatar, Turkey, and Ukraine had already been attacked.
ESET’s research team believes that the action was primarily aimed at attacking European companies, but upon tracking several Lazarus subgroups running similar campaigns against defense contractors, they soon realized that the campaign extended much further. While the types of malware used in various campaigns were different, the initial modus operandi was always the same: a fake recruiter contacted an employee via LinkedIn and ultimately sent malicious components.
In this sense, the group continued to use the same technique as in the past. However, ESET has documented the reuse of legitimate elements from real recruitment campaigns to lend legitimacy to the fake recruiters’ campaigns. In addition, the scammers used services such as WhatsApp or Slack in their malicious campaigns.
Lazarus fake recruitment campaign
In 2021, the U.S. Department of Justice charged three programmers with carrying out cyber attacks while working for the North Korean military. According to the U.S. government, they belonged to North Korea’s military hacking unit, known in the information security community as the Lazarus Group.
Along with the new investigation into Lazarus, during its annual conference, ESET presented its report on “Past and Present Cyber Warfare in Ukraine.” ESET researcher Robert Lipovský took an in-depth look at the situation, including the latest attempt to disrupt the country’s power grid using Industroyer2 and several wiper attacks.
*** Translated by DEFCONPress Team ***