Delaware, USA – February 21, 2019 – The notorious Lazarus APT group has been observed targeting Russian organizations with customized Office documents tailored to the victim market. Against all odds, the North Korea-linked Lazarus group has set its sights on the businesses of an ally.
The attack began with the delivery of a ZIP archive containing a decoy PDF and a malicious Word file. The Word file carried an embedded script that downloaded a Visual Basic script, which was executed as the next stage of the infection chain; that script in turn downloaded a CAB archive containing the backdoor and executed it. After a while, however, the mechanism was modified: the Office document now contained the macros needed to drop the Keymarble trojan onto the host and execute it directly.
The above-mentioned Keymarble is one of the numerous malware families linked to Lazarus activity. Like most of the group's tools, the trojan has a wide range of capabilities, including executing other payloads and running shell commands.
The Lazarus group consists of several divisions and carries out not only cyber heists, such as the FastCash operation, but also cyber espionage campaigns. Previously, the APT group had never conducted operations against Russia, focusing instead on the US, Europe, and Asia, and the regular updates to its toolkit keep security teams in organizations worldwide in a high state of readiness. To secure your organization against such attacks, you can use the APT Framework rule pack, which provides higher-level analysis and cross-correlation of lower-level incidents, enhancing visibility of advanced and persistent threats and identifying sudden spikes in activity that may be of interest or indicate an ongoing attack: https://my.socprime.com/en/integrations/apt-framework-arcsight