Lazarus group
We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. After taking a closer look, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

The group made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered using publicly available sources. After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in more than a dozen countries have been affected.

During this investigation we had a chance to look into the command-and-control infrastructure. The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns. The full article is available on Kaspersky Threat Intelligence. For more information please contact: … Customers of Kaspersky Intelligence reporting may contact: …

In this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company. Email addresses in those departments received phishing emails that either had a malicious Word document attached or a link to one hosted on a remote server. The phishing emails claimed to have urgent updates on today’s hottest topic – COVID-19 infections. The phishing emails were carefully crafted and written on behalf of a medical center that is part of the organization under attack.

[Figure: Phishing email with links to malicious documents]

The attackers registered accounts with a public email service, making sure the sender’s email addresses looked similar to the medical center’s real email address. The signature shown in the phishing emails included the actual personal data of the deputy head doctor of the attacked organization’s medical center. The attackers were able to find this information on the medical center’s public website.

A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system. The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used. The content of the lure document was copied from an online post by a health clinic.

Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office.

[Figure: Email with instructions on enabling macros #1]

After sending the above email with explanations, the attackers realized that the target was using a different version of Microsoft Office and therefore required a different procedure for enabling macros.