Lazarus Group: The North Korean hacking unit generally attributed to Bureau 121 and commonly known as the Lazarus Group (its financially motivated subgroup is often tracked separately as Bluenoroff) recently targeted a cryptocurrency exchange, according to researchers at F-Secure. The name of the targeted exchange was not released. Lazarus relied on the human element in this attack, sending a malicious document to an administrator's LinkedIn account. The document purported to be from a blockchain technology company seeking a new sysadmin whose required skill set matched the employee's own. It resembles other Lazarus phishing documents that are publicly available on VirusTotal.

The document required macros to be enabled to carry out the infection chain; the lure claimed the content was protected under the EU's General Data Protection Regulation (GDPR) and could only be viewed with macros on. Once macros were enabled, the macro created a .LNK file that executed the Windows system tool mshta.exe with a bit.ly link, which redirected to and downloaded a VBScript. The script fingerprints the system and reports the results to the command-and-control (C2) server, which in turn returns a PowerShell script that fetches the malware payloads. Which payload is delivered depends on the host: two different backdoors were available, both similar to others the group has used.

The threat actor also uses a custom Portable Executable (PE) loader. The loader is persisted as a Security Support Provider by adding its name to the "Security Packages" value under the HKLM\SYSTEM\CurrentControlSet\Control\Lsa registry key, so that the Local Security Authority process (lsass.exe) loads the DLL as if it were a legitimate security package. That registry value was modified remotely through scheduled tasks, created with the schtasks.exe Windows utility, that invoke reg.exe. Lazarus is also using a custom build of Mimikatz to harvest credentials from the infected machine. Other tools in the set allow the group to relay backdoor connections to additional target hosts for lateral movement, among other capabilities.
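The persistence mechanism described above leaves two artifacts a responder can look for on a suspect Windows host: an unexpected entry in the "Security Packages" (or "Authentication Packages") value under the Lsa key, and a scheduled task whose action runs reg.exe against that key. The following hunt script is an added example written for this page; it is not code from F-Secure's report or from the Lazarus toolset. It assumes it is run from an elevated PowerShell session on the host being examined, and the baseline list of Microsoft package names is an assumption drawn from a default Windows 10 / Server install that may need tuning for your environment.

```powershell
# Added hunt script (example only, not from the F-Secure report or the attacker's tooling).
# Assumptions: elevated session on the host under review; $BaselinePackages reflects a
# default Windows install and is a starting point, not an authoritative allowlist.

# Package names Windows itself registers under the Lsa and Lsa\OSConfig keys (assumed baseline).
$BaselinePackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

function Get-SuspiciousSecurityPackages {
    $keys = @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
              'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig')
    foreach ($key in $keys) {
        foreach ($valueName in 'Security Packages', 'Authentication Packages') {
            $entries = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
            foreach ($entry in @($entries) | Where-Object { $_ }) {
                # Windows 10 stores a literal "" placeholder; strip quotes and skip empties.
                $name = $entry.Trim().Trim('"')
                if ([string]::IsNullOrEmpty($name) -or $BaselinePackages -contains $name.ToLower()) { continue }

                # LSASS resolves a bare package name to %SystemRoot%\System32\<name>.dll.
                # A DLL outside System32, a missing file, or a bad/absent Authenticode
                # signature is what a planted loader looks like.
                $dllPath = if ([IO.Path]::IsPathRooted($name)) { $name }
                           else { Join-Path $env:SystemRoot "System32\$name.dll" }
                $sig = if (Test-Path $dllPath) { (Get-AuthenticodeSignature $dllPath).Status }
                       else { 'FileMissing' }

                [pscustomobject]@{
                    Key       = $key
                    Value     = $valueName
                    Package   = $name
                    DllPath   = $dllPath
                    Signature = $sig
                }
            }
        }
    }
}

function Get-RegEditingScheduledTasks {
    # Flag any task whose action launches reg.exe with arguments touching Control\Lsa,
    # regardless of how the task was registered (schtasks.exe, API, remote RPC).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)\breg(\.exe)?\b' -and $cmd -match '(?i)Control\\Lsa') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = $cmd
                }
            }
        }
    }
}

Get-SuspiciousSecurityPackages | Format-Table -AutoSize
Get-RegEditingScheduledTasks   | Format-Table -AutoSize
```

A clean result from this script is not proof of a clean host: a registry entry only takes effect when LSASS next starts, and an attacker already running as SYSTEM can load an SSP immediately with the AddSecurityPackage API without writing the value at all, so the check should be paired with an inspection of the DLLs actually mapped into lsass.exe and with the Task Scheduler operational log for the task registration events.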
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in