The reputed North Korean APT actor known as Lazarus Group (aka Hidden Cobra) typically focuses its hacking efforts on South Korea, Japan and the U.S., but one of its suspected campaigns from last January surprisingly appears to have targeted Russian businesses with its signature Lazarus backdoor malware.

Taking place from Jan. 26-31, the phishing campaign featured emails whose content was written in Cyrillic characters, but whose documents used a Korean code page, according to a blog post published by Check Point Software Technologies, whose researchers uncovered the operation. Furthermore, Check Point says the only samples of the malware uploaded to VirusTotal have come from Russian sources, which suggests that the targeting was no fluke.

The emails bore .zip attachments containing two documents: a benign decoy PDF and a malicious Office document, either Word or Excel. Enabling the macros in the Office document would trigger the download and execution of a VBScript from a Dropbox URL. This script, in turn, would download a CAB file from a compromised server located in Iraq. The CAB file contained the embedded backdoor, which the script would extract and execute by abusing the built-in Windows expand.exe utility.
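The chain described above (Office macro, then a script host, then expand.exe unpacking a .cab) leaves a recognisable parent-child process trail. The following is an added detection example, not code from Check Point or from the article; it walks constructed, Sysmon-style process-creation events (sample data, not real telemetry) and flags any expand.exe run against a .cab whose ancestry includes a script host spawned by an Office application.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\dl.vbs"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\expand.exe",
     "cmd": r'expand.exe "C:\Users\u\AppData\Local\Temp\p.cab" -F:* "C:\Users\u\AppData\Local\Temp"'},
    # Benign-looking control case: expand.exe launched from explorer, no script host or Office parent.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\expand.exe",
     "cmd": r'expand.exe "C:\Windows\Temp\driver.cab" -F:* "C:\Windows\Temp"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_script_expand_chains(events):
    """Return ancestry chains (root first) for expand.exe invocations on a .cab
    that descend from a script host which itself descends from an Office app."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "expand.exe" or not re.search(r"\.cab\b", e["cmd"], re.I):
            continue
        chain, cur = [e], e
        seen_script = seen_office = False
        # Walk up the parent chain; intermediate hops (e.g. cmd.exe) are tolerated.
        while cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            chain.append(cur)
            name = basename(cur["image"])
            if name in SCRIPT_HOSTS:
                seen_script = True
            elif name in OFFICE_APPS and seen_script:
                seen_office = True
                break
        if seen_script and seen_office:
            hits.append([basename(c["image"]) for c in reversed(chain)])
    return hits


if __name__ == "__main__":
    for chain in find_office_script_expand_chains(SAMPLE_EVENTS):
        print("suspicious chain:", " -> ".join(chain))
```

Only the first expand.exe event is reported; the second, launched directly from explorer.exe, does not match the chain and serves as the negative case.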
