A phishing campaign with suspected ties to a North Korean APT group is targeting people in the U.S. defense industry, trying to infect them with a backdoor that can execute malicious commands.

The suspected North Korean APT collective known as the Lazarus Group appears to be targeting individuals associated with U.S. defense contractors, including prospective employees, with phishing emails that display fake job listings and companies' internal policies.

According to a blog post by Palo Alto Networks' Unit 42 division, this newly discovered campaign uses the same infrastructure, tools, tactics, and files that were employed in the 2014 Sony Pictures hack, as well as a recent campaign, detailed in April, that targeted Korean-speaking individuals. Therefore, researchers contend that this latest attack is being carried out by the same group that either spearheaded or closely collaborated on these earlier campaigns, both of which were allegedly executed by Lazarus.

To infect victims, the attackers are using Microsoft Office document files – most likely hosted on compromised servers and distributed via phishing emails – that are weaponized with the same malicious VBA macros that were found in the previous campaign targeting Korean speakers.

But this time, the decoy documents are written in English. One such document describes a purported job opening for a mechanical engineering integration manager for the THAAD interceptor, an anti-ballistic missile defense system, while another shows a job listing for a director of sales and business development at Sikorsky's Mission Equipment.

The final malware payload is "extremely similar" to the one used in the campaign targeting Korean speakers, notes the blog post, authored by Palo Alto researchers Anthony Kasza and Micah Yates.

"The payload is a pretty generic backdoor that gives the attacker the ability to execute commands on the infected system," said Ryan Olson, intelligence director at Unit 42. "While this capability is rather simple, it acts as a foothold in the network which would allow the attacker to install additional tools or attempt to spread laterally to other hosts in the network." Clearly, such abilities are especially alarming when the infected machine belongs to an individual working within the defense sector.

The decoy documents distributed in the latest campaign and in the previous one targeting Korean speakers feature the same metadata author, "ISkyISea," and the two campaigns share some of the same IPv4 addresses for hosting the Word documents on command-and-control servers.

Palo Alto researchers also found plenty of ties between this new operation and the Sony Pictures hack, such as the "reuse of macro source code, XOR keys used within the macro to decode implant payloads, and the functional overlap in the payloads the macros write to disk." Other shared techniques include "use of a fake TLS communications protocol, encoded strings within samples, filenames and contents of batch files embedded within implants, as well as implants beaconing directly to IPv4 addresses (and not resolving domains for command and control)."
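The last trait above, implants that beacon straight to an IPv4 address without ever resolving a domain, is something a defender can hunt for by correlating DNS and connection logs. The following is an added example, not code from Unit 42 or the report; the log format, hostnames and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample logs (not from the report).
# DNS answers: "<timestamp> <host> A <queried-name> <answer-ip>"
DNS_LOG = [
    "2017-08-14T09:00:01Z host-a A cdn.example.test 203.0.113.10",
    "2017-08-14T09:00:05Z host-b A mail.example.test 198.51.100.7",
]
# Outbound connections: "<timestamp> <host> <dst-ip> <dst-port>"
CONN_LOG = [
    "2017-08-14T09:00:02Z host-a 203.0.113.10 443",  # resolved 1s earlier: expected
    "2017-08-14T09:00:09Z host-a 192.0.2.45 443",    # no DNS answer: direct-to-IP
    "2017-08-14T09:00:12Z host-b 198.51.100.7 443",  # resolved 7s earlier: expected
    "2017-08-14T09:00:20Z host-b 192.0.2.45 8080",   # no DNS answer: direct-to-IP
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def index_dns(lines):
    """Map (host, answer_ip) -> list of times the host received that A record."""
    idx = {}
    for line in lines:
        ts, host, rtype, _name, answer = line.split()
        if rtype == "A":
            idx.setdefault((host, answer), []).append(parse_ts(ts))
    return idx

def unresolved_ip_connections(conn_lines, dns_lines, window=timedelta(minutes=10)):
    """Return (host, dst_ip, port) for outbound connections to a literal IPv4
    address that the connecting host never resolved in the preceding window.
    Hard-coded C2 addresses (as the report describes) show up here; so do
    legitimate direct-IP services, so allowlist those before alerting."""
    dns = index_dns(dns_lines)
    hits = []
    for line in conn_lines:
        ts, host, dst, port = line.split()
        if not isinstance(ipaddress.ip_address(dst), ipaddress.IPv4Address):
            continue  # only the IPv4-beaconing pattern is of interest here
        t = parse_ts(ts)
        if any(t - window <= seen <= t for seen in dns.get((host, dst), [])):
            continue  # the host looked this address up first: normal behaviour
        hits.append((host, dst, int(port)))
    return hits

if __name__ == "__main__":
    for hit in unresolved_ip_connections(CONN_LOG, DNS_LOG):
        print("direct-to-IP connection with no prior DNS answer:", hit)
```

Seeing the same unresolved destination from several hosts, or on port 443 without a real TLS handshake behind it, is the combination the report's "fake TLS" and direct-IPv4 beaconing traits would produce.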

According to the blog post, there is little reason to believe that this threat actor will stop reaching into the same bag of tricks, considering that it has continued to do so even after being publicly exposed.