Notorious North Korean APT lures victims into downloading malware with fake documents that are made to look like they belong to Airbus, General Motors, or Rheinmetall.
The Lazarus group is spreading malicious documents designed to trick job-seeking engineers into believing they were sent by defense contractors.
Researchers at AT&T Alien Labs have been tracking Lazarus activities for months. According to AT&T Alien Labs’ Fernando Martinez, an investigation revealed that the individuals behind the phishing scheme pretended to be representatives of major defense contractors such as Airbus and General Motors. The engineering targets were located in the US and Europe.
They detected the new campaign when Twitter users reported several malicious documents from May to June of this year.
The researchers identified three different documents which contained macros, Martinez wrote.
“The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros,” he wrote.
Because of the use of compromised third-party infrastructure for communications and of Microsoft Office macros, the latest attacks are “in line with the Lazarus’ past campaigns,” Martinez wrote. “We continue to see Lazarus using the same tactics, techniques, and procedures that we have observed in the past.”
While the main techniques used in the three malicious documents are the same as before, the attackers made new efforts to evade detection and to increase the capabilities of the macros. The new campaigns also use different methods of carrying out malicious activity, the researchers noted.
One of the new features is that the macros try to obscure their activity by renaming certutil, a legitimate Windows command-line utility, so that its execution does not stand out in process logs.
The ultimate goal of the payloads is to perform arbitrary code injection into a running process by using the Mavinject.exe component.
However, researchers noted a progression in the injection process, where explorer.exe was used to do “the dirty work”:
“The macro executes the mentioned payload with an updated technique,” Martinez wrote. “The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree.”
Once the payload is running and has sent its beacon to the command-and-control (C&C) server, the temporary files are wiped to remove any evidence of the malicious activity.
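The three host-side behaviours described above (a renamed certutil, Mavinject.exe launched by an Office application, and explorer.exe launched directly by an Office application) each leave a footprint in process-creation telemetry. The following Python sketch is an added example, not part of the article or of the AT&T Alien Labs report, showing how a defender might flag them in Sysmon-style process-creation events. The event fields, the file paths and the sample values (including the file name `wincert.exe` used for the renamed copy of certutil) are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Office applications whose macros are the entry point in this campaign.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class ProcEvent:
    """Constructed, Sysmon-like process-creation record (Event ID 1 fields)."""
    image: str               # full path of the process that was started
    parent_image: str        # full path of the parent process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str = ""


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: ProcEvent) -> list[str]:
    """Return the names of the suspicious patterns matched by one event."""
    findings: list[str] = []
    image = basename(event.image)
    parent = basename(event.parent_image)
    original = event.original_file_name.lower()

    # Renamed certutil: copying the binary under another name does not change the
    # name compiled into its version resource, so a mismatch is the tell-tale sign.
    if original == "certutil.exe" and image != "certutil.exe":
        findings.append("renamed certutil")

    # Mavinject.exe started by an Office application: the injection step
    # described for the earlier variants of the campaign.
    if image == "mavinject.exe" and parent in OFFICE_APPS:
        findings.append("office spawned mavinject")

    # explorer.exe started directly by an Office application: the modified
    # execution tree the researchers observed in the newer variant.
    if image == "explorer.exe" and parent in OFFICE_APPS:
        findings.append("office spawned explorer")

    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of every flagged event to the patterns it matched."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyze(ev))}


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample telemetry: two benign events and three matching the campaign.
SAMPLE_EVENTS = [
    # benign: an administrator runs certutil from a command prompt
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"C:\Windows\System32\cmd.exe", "CertUtil.exe", "certutil -dump"),
    # suspicious: certutil copied to Temp under a different (constructed) name and run by Word
    ProcEvent(r"C:\Users\eng\AppData\Local\Temp\wincert.exe",
              WORD, "CertUtil.exe", "wincert.exe -decode in.txt out.bin"),
    # suspicious: Word launches Mavinject.exe (older injection technique)
    ProcEvent(r"C:\Windows\System32\mavinject.exe",
              WORD, "mavinject.exe", "mavinject.exe 1234 /INJECTRUNNING payload.dll"),
    # suspicious: Word launches explorer.exe directly (newer technique)
    ProcEvent(r"C:\Windows\explorer.exe",
              WORD, "EXPLORER.EXE", r"explorer.exe C:\Users\eng\AppData\Local\Temp\payload.dll"),
    # benign: the desktop shell started by the logon process
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userinit.exe", "EXPLORER.EXE", "explorer.exe"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)}")
```

In a real deployment the OriginalFileName comparison should be extended to the other signed utilities an organisation sees abused, and the parent-process checks should cover every Office binary in use; the value of the approach is that it keys on properties the attacker cannot change by simply renaming a file.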