North Korea’s Lazarus APT targets Russian Entities

Security researchers at Check Point have uncovered a cyber espionage campaign conducted by Lazarus APT group aimed at Russian targets.

Security experts at Check Point have uncovered a cyber espionage campaign carried out by Lazarus aimed at Russian targets,

If the attribution is correct, this is the first time that North Korean cyber spies were targeting Russian entities.

“For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain threat group or another is problematic, the analysis below reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group – Lazarus.” reads the analysis published by CheckPoint.

The experts believe the attacks were carried out by the Bluenoroff threat actor, a division of the dreaded Lazarus APT group, that was financially motivated.

Bluenoroffis one of the most active groups in terms of attacks against financial institutions and is trying to actively infect different victims in several regions and trading companies in Bangladesh in 2014 and the now famous $81million Cyber-Heist of the Bangladesh central bank’s account at the Federal Reserve Bank of New York.

The final payload used in this campaign is the KEYMARBLE backdoor that is downloaded from a compromised server in the form of a CAB file disguised as a JPEG image. (http://37.238.135[.]70/img/anan.jpg).

The compromised server used by threat actors is an unconvincing website for the “Information Department” of the “South Oil Company”. The server is hosted by EarthLink Ltd. Communications&Internet Services and located in Iraq.

The infection chain used in this campaign comprises three primary steps:

The first is an attached ZIP file containing a benign decoy PDF and a weaponized Word document containing malicious macros. One of the decoy documents observed in this campaign contains an NDA for StarForce Technologies, a Russia-based firm that provides copy-protection solutions.
The macros in the Word document download a VBS script from a Drobox URL and execute a VBS script.
The VBS scrip downloads and execute a CAB file from a compromised server, extracts the payload and executes it.

At some point during the campaign, the attackers changed tactic and started to skip the second stage using Word macros that downloads and executes the backdoor directly.

Why should North Korea spy on Russian entities?

It is difficult to say, considering the good relationship between the two countries, anyway, we cannot exclude that a third-party actor user false flags to disguise itself.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Lazarus, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.