The reputed North Korean APT actor known as Lazarus Group (aka Hidden Cobra) typically focuses its hacking efforts on South Korea, Japan and the U.S., but one of its suspected campaigns from last January surprisingly appears to have targeted Russian businesses with its signature Lazarus backdoor malware.
Taking place from Jan. 26-31, the phishing campaign featured emails containing content written in Cyrillic characters, but with code pages written in Korean, according to a blog post published by Check Point Software Technologies, whose researchers uncovered the operation. Furthermore, Check Point says the only samples of the malware uploaded to VirusTotal have come from Russian sources, which suggests that the targeting was no fluke.
The emails bore .zip attachments containing two documents: a benign decoy PDF and a malicious Office document, either Word or Excel. Enabling the macros in the Office document would trigger the download and execution of a VBScript from a Dropbox URL. This script, in turn, would download a CAB file from a compromised server located in Iraq. The CAB file contained the embedded backdoor, which the script would extract and execute by abusing Windows' built-in expand.exe utility.
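The infection chain above (Office document, then a script host, then expand.exe unpacking a CAB) leaves a distinctive parent-process lineage in endpoint telemetry. The following is an added detection example, not code from the article or from Check Point: it walks constructed process-creation events (the sample events, field names and file paths are assumptions made for the example, not indicators from the campaign) and flags expand.exe launched on a .cab file from underneath a script host, rating the finding higher when an Office application is also in the ancestry.

```python
from dataclasses import dataclass
from typing import Dict, List

# Process images that anchor the lineage described in the report.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (assumed field names, as an EDR/Sysmon feed might expose)."""
    pid: int
    ppid: int
    image: str      # lowercase executable file name, e.g. "expand.exe"
    cmdline: str


# Constructed sample telemetry for the example; paths and PIDs are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", r'winword.exe "C:\Users\u\Downloads\invoice.doc"'),
    ProcEvent(300, 200, "wscript.exe", r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\stage.vbs"'),
    ProcEvent(400, 300, "expand.exe",
              r'expand.exe "C:\Users\u\AppData\Local\Temp\payload.cab" -F:* "C:\Users\u\AppData\Local\Temp\out"'),
    # Ordinary admin use of expand.exe from a console: must not be flagged.
    ProcEvent(500, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(600, 500, "expand.exe", r"expand.exe D:\drivers\driver.cab -F:* C:\drv"),
    # Script host without an Office parent: weaker signal, still worth a look.
    ProcEvent(700, 100, "wscript.exe", r"wscript.exe C:\Users\u\Desktop\update.vbs"),
    ProcEvent(800, 700, "expand.exe", r"expand.exe C:\Users\u\Desktop\pkg.cab -F:* C:\Users\u\Desktop\pkg"),
]


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return ev's ancestors, root first; stops at a missing parent or a PID cycle."""
    chain: List[ProcEvent] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def find_cab_staging(events: List[ProcEvent]) -> List[dict]:
    """Flag expand.exe unpacking a .cab when a script host is in its ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image != "expand.exe" or ".cab" not in e.cmdline.lower():
            continue
        images = [a.image for a in ancestry(e, by_pid)]
        from_script = any(i in SCRIPT_HOSTS for i in images)
        from_office = any(i in OFFICE_APPS for i in images)
        if not from_script:
            continue  # expand.exe under cmd.exe or an installer is routine
        findings.append({
            "pid": e.pid,
            "severity": "high" if from_office else "medium",
            "chain": images + [e.image],
        })
    return findings


if __name__ == "__main__":
    for f in find_cab_staging(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], " -> ".join(f["chain"]))
```

The lineage check, rather than a match on expand.exe alone, is what keeps the rule quiet on administrators and installers that legitimately unpack CAB files; in production the same logic would run over the EDR's real parent/child fields, and the ancestry walk tolerates gaps in the feed by stopping at the first missing parent.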