Pierluigi Paganini February 20, 2019

Security researchers at Check Point have uncovered a cyber espionage campaign conducted by Lazarus APT group aimed at Russian targets.

Security experts at Check Point have uncovered a cyber espionage campaign carried out by Lazarus aimed at Russian targets,

If the attribution is correct, this is the first time that North Korean cyber spies were targeting Russian entities.

“For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain threat group or another is problematic, the analysis below reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group – Lazarus.” reads the analysis published by CheckPoint.

The experts believe the attacks were carried out by the Bluenoroff threat actor, a division of the dreaded Lazarus APT group, that was financially motivated.

Bluenoroffis one of the most active groups in terms of attacks against financial institutions and is trying to actively infect different victims in several regions and trading companies in Bangladesh in 2014 and the now famous $81million Cyber-Heist of the Bangladesh central bank’s account at the Federal Reserve Bank of New York.

The final payload used in this campaign is the KEYMARBLE backdoor that is downloaded from a compromised server in the form of a CAB file disguised as a JPEG image. (http://37.238.135[.]70/img/anan.jpg).

The compromised server used by threat actors is an unconvincing website for the “Information Department” of the “South Oil Company”. The server is hosted by EarthLink Ltd. Communications&Internet Services and located in Iraq.

The infection chain used in this campaign comprises three primary steps:

• The first is an attached ZIP file containing a benign decoy PDF and a weaponized Word document containing malicious macros. One of the decoy documents observed in this campaign contains an NDA for StarForce Technologies, a Russia-based firm that provides copy-protection solutions.
• The macros in the Word document download a VBS script from a Drobox URL and execute a VBS script.
• The VBS scrip downloads and execute a CAB file from a compromised server, extracts the payload and executes it.

At some point during the campaign, the attackers changed tactic and started to skip the second stage using Word macros that downloads and executes the backdoor directly.

Why should North Korea spy on Russian entities?

It is difficult to say, considering the good relationship between the two countries, anyway, we cannot exclude that a third-party actor user false flags to disguise itself.

Pierluigi Paganini

(SecurityAffairs – Lazarus, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]