At this year’s ESET World conference, ESET researchers presented their latest findings on the activities of the infamous Lazarus APT. ESET’s Director of Threat Research, Jean-Ian Boutin, took a closer look at several new campaigns in which the Lazarus Group targeted defense suppliers between the end of 2021 and March 2022.
During these attacks, the Lazarus group targeted companies in Europe (France, Italy, Germany, the Netherlands, Poland and Ukraine) and Latin America (Brazil), according to ESET’s telemetry.
Although the primary purpose of the campaign was cyber espionage, the Lazarus group also tried, unsuccessfully, to extract money from the victims. “The Lazarus group has shown ingenuity by using really interesting tools. An example is a component that can exploit a vulnerability in the Dell driver and write to memory that is normally only accessible to the operating system kernel. This advanced trick was used in an attempt to circumvent the security solution,” explains Jean-Ian Boutin.
As early as 2020, ESET researchers documented an operation called In(ter)ception by a Lazarus subgroup, which was directed against European aerospace and defense suppliers. The campaign is worth noting because it used social networks, especially LinkedIn, to build trust between the attackers and unsuspecting employees, to whom the criminals subsequently sent malicious content disguised as job descriptions or applications. Even then, the attackers focused on companies in Brazil, the Czech Republic, Qatar, Turkey and Ukraine.
It was a global attack
ESET researchers initially believed that the attacks were aimed primarily at European companies, but by monitoring activity against defense industry vendors attributed to several subgroups of the Lazarus criminal organization, they realized that the campaign went much further. While the malware used in the various campaigns differed, the basic principle of the attack was always the same: a fake recruiter contacted an employee on LinkedIn in order to send them a malicious document.
In this case, too, the attackers proceeded in the same way as in the past. However, ESET researchers noticed that the fraudsters recycled elements of legitimate recruitment campaigns to make their fake campaigns more credible. In addition, the attackers used services such as WhatsApp and Slack to spread the malicious content.
In 2021, the US Department of Justice charged three North Korean military programmers over cyber attacks. According to the US government, they belonged to a hacking unit of the North Korean military known in the security community as the Lazarus Group.
ESET also reveals other activities
In addition to the latest findings on the Lazarus Group, ESET shared findings related to the war in Ukraine at the conference. ESET researcher Robert Lipovsky took a closer look at the cyber war during the Russian invasion of Ukraine, including an attempt to disrupt the power grid with the Industroyer2 malware and numerous wiper attacks.
The former commander of the International Space Station, Canadian astronaut Chris Hadfield, who is a key figure in the Progress. Protected. campaign recently introduced by ESET, also appeared at ESET World. Chris Hadfield discussed technology, science and life issues in a conversation with ESET CEO Richard Marko.
Source: ESET press release