The notorious Lazarus cyber criminal group has been identified as being behind a phishing campaign spreading malicious documents to job-seeking engineers. The ploy involves impersonating contractors seeking job candidates. Attached to the emails are Windows documents containing macro-based malware, “which has been developed and improved during the course of this campaign and from one target to another”, researchers said.
The core techniques for the malicious documents are the same, but the attackers attempted to reduce the potential for detection and increase the capabilities of the macros. In February, researchers linked a 2020 spear phishing campaign to the group that aimed at stealing critical data from companies by leveraging an advanced malware called ThreatNeedle.
Previously, researchers had observed activity by Lazarus to try to lure victims with fake job opportunities from Boeing and BAE Systems. They were alerted to the new campaign when Twitter users identified several documents from May to June of this year that were linked to the Lazarus group, using Rheinmetall, GM and Airbus as lures. Specifically, those malicious documents were: “Rheinmetall_job_requirements.doc”, “General_motors_cars.doc” and “Airbus_job_opportunity_confidential.doc”.
The campaigns using the three new documents have similarities in command and control (C&C) communication but different ways of executing malicious activity. Lazarus distributed two malicious documents related to Rheinmetall, a German engineering company. However, the second included “more elaborate content,” and thus likely went unnoticed by victims. One unique aspect of the macro contained in the initial malicious document is that it renames Certutil, a command-line program installed as part of Certificate Services (as described in Microsoft Docs), in an attempt to obscure its activities.
The ultimate payload of the Rheinmetall document uses Mavinject.exe, a legitimate Windows component that has been used and abused before in malware activity, to perform arbitrary code injections inside any running process, researchers wrote. Attackers use a compromised domain as the C&C server in this case, while the GM document included an attack vector similar to the Rheinmetall one with minor updates in the C&C communication process, researchers found. However, the C&C domain used in relation to this malicious activity, allgraphicart[.]com, no longer appears to be compromised.
The Airbus document macro, like the Rheinmetall attack, used and renamed Certutil as an evasive manoeuvre and shared similar C&C communications tactics. However, it also demonstrated a progression of injection and execution processes that abandons the previous use of Mavinject to do its dirty work.
Once the payload has been executed, the macro in the Airbus document waits for three seconds before creating an .inf file in the same folder. Then, whether it was successfully executed or not, the macro will proceed to send the beacon to the C&C with the execution status and delete all the temporary files, attempting to eliminate any evidence of malicious activities. Lazarus were one of the most active threat groups of 2020, and this dangerous attack doesn’t look like it’ll be the last they orchestrate this year.
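The renamed-Certutil and Office-spawned Mavinject behaviour described above lends itself to a simple process-creation detection. The following Python is an added example, not code from the article or from any vendor; the event field names and sample events are constructed, loosely modelled on Sysmon process-creation logging.

```python
# Added example (not from the article): detection logic over constructed
# Sysmon-style process-creation events, flagging the two tradecraft points
# the article describes: certutil renamed to evade detection, and
# mavinject.exe launched from an Office document's macro. Field names and
# sample events are assumptions, loosely modelled on Sysmon Event ID 1.
import ntpath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events: a benign certutil use, a renamed certutil copy
# started by Word, mavinject.exe spawned by Word, and an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\mavinject.exe", "OriginalFileName": "mavinject.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def classify(event: dict) -> list[str]:
    """Return the detection names that fire for one process-creation event."""
    hits = []
    image = _base(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    parent = _base(event["ParentImage"])
    # Renamed certutil: the PE version resource still says CertUtil.exe, but
    # the on-disk file name does not. Legitimate admin use keeps the real name.
    if original == "certutil.exe" and image != "certutil.exe":
        hits.append("renamed_certutil")
    # A living-off-the-land binary spawned by an Office host: macros in
    # ordinary business documents rarely need either of these tools.
    if parent in OFFICE_HOSTS and (original == "certutil.exe" or image == "mavinject.exe"):
        hits.append("office_spawned_lolbin")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> detections, keeping only events that fired."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], hits)
```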
To protect your business from cyber attacks from the likes of Lazarus, why not take Neuways’ Cyber Security Rating report? It’ll tell you whether or not your business’ existing cyber security provisions are appropriate for your business needs. Most businesses think they have everything they need in place already, however, it is important to be doubly sure. Not only does our report tell you where your business is succeeding in its cyber security measures, but where you need to improve. Take the test today to find out!