ESET researchers presented a new investigation into the infamous Lazarus APT group at the annual ESET World conference. Jean-Ian Boutin, Director of ESET Threat Research, discussed various new campaigns carried out by the Lazarus group against defense contractors around the world between late 2021 and March 2022.
According to ESET telemetry, Lazarus targeted companies in Europe (France, Italy, Germany, the Netherlands, Poland, and Ukraine) and Latin America in the relevant 2021-2022 attacks (Brazil).
Despite the primary aim of this Lazarus operation being cyber-espionage, the group has also worked to exfiltrate money (unsuccessfully).
“The Lazarus threat group showed ingenuity by deploying an interesting toolset, including for example a user mode component able to exploit a vulnerable Dell driver in order to write to kernel memory. This advanced trick was used in an attempt to bypass security solutions monitoring,” says Jean-Ian Boutin.
As early as 2020, ESET researchers had documented a campaign called operation In(ter)ception waged by a sub-group of Lazarus against European aerospace and defense contractors. This campaign was notable because it used social media, specifically LinkedIn, to establish trust between the attacker and an unsuspecting employee before sending malicious components disguised as job descriptions or applications. Companies in Brazil, the Czech Republic, Qatar, Turkey, and Ukraine had already been targeted at the time.
ESET researchers initially thought the attack was primarily aimed at European companies, but after tracking a number of Lazarus sub-groups conducting similar campaigns against defense contractors, they discovered that the campaign was much broader. While the malware used in the various campaigns varied, the initial mode of operation (M.O.) remained consistent: a phony recruiter contacted an employee via LinkedIn and eventually sent malicious components.
In this regard, they’ve stuck to their previous strategy. However, ESET researchers have documented the re-use of legitimate hiring campaign elements to add legitimacy to the campaigns of their fake recruiters. Furthermore, the attackers have used services like WhatsApp and Slack in their malicious campaigns.
Along with ESET Research at ESET World, Canadian astronaut Chris Hadfield, a key figure in ESET’s Progress Protected campaign, has joined ESET CEO Richard Marko to discuss the complexities of technology, science, and life.
