The reputed North Korean APT actor known as Lazarus Group (aka Hidden Cobra) typically focuses its hacking efforts on South Korea, Japan and the U.S., but one of its suspected campaigns from last January surprisingly appears to have targeted Russian businesses with its signature Lazarus backdoor malware.
Taking place from Jan. 26-31, the phishing campaign featured emails containing content written in Cyrillic characters, but with code pages written in Korean, according to a blog post published by Check Point Software Technologies, whose researchers uncovered the operation. Furthermore, Check Point says the only samples of the malware uploaded to VirusTotal have come from Russian sources, which suggests that the targeting was no fluke.
The emails bore .zip attachments containing two documents: a benign decoy PDF document and a malicious Office document, either Word or Excel. Enabling the macros in these documents would trigger the downloading and execution of a VBScript from a Dropbox URL. This script, in turn, would then download a CAB file from a compromised server located in Iraq. This CAB file contained the embedded backdoor, which the script would execute by abusing Windows' expand.exe utility tool.
The malicious documents used lure images and error messages to try to trick recipients into enabling the malicious macros. A sample Excel document used the file name “Serial_Numbers.xls” while one of the Word doc samples appeared to be documentation from Los Angeles Superior Court.
"The campaign exhibits very similar macro code in both the XLS and DOC variants of the dropper. The macros themselves are very simple and straightforward, but in this case, keeping the macros simple and without any advanced obfuscation tricks, resulted in malicious documents that were able to pass undetected by many reputable security vendors on Virus Total," the blog post explains.
The decoy PDF that accompanied the Microsoft Office documents was what looked like a non-disclosure business agreement for StarForce technologies, a provider of software copy protection solutions.
Check Point says the version of Lazarus used in this campaign was a recent variant known as KEYMARBLE, a remote administration tool that allows the attackers to perform reconnaissance and retrieve information from the victimized machine.
"Once executed, it conducts several initializations, contacts a C&C server and waits indefinitely for new commands from it," the blog post states. "Each received command is processed by the backdoor and handled within an appropriate function, which in turn collects a piece of information or conducts an action on the target machine."