At the annual conference of the global cyber security company ESET, ESET researchers presented new research on the notorious Lazarus APT (Advanced Persistent Threat) group.
Jean-Ian Boutin, ESET's Director of Threat Research, analyzed several new campaigns that the Lazarus group carried out against defense companies around the world from late 2021 to March 2022.
According to ESET telemetry, in the attacks of this 2021-2022 period the Lazarus group targeted companies in Europe (France, Italy, Germany, the Netherlands, Poland and Ukraine) and Latin America (Brazil).
Although the main purpose of this Lazarus operation is cyber espionage, the group also tried, unsuccessfully, to extract money.
"The Lazarus group showed ingenuity by developing an interesting set of tools, including, for example, a user mode component that is able to exploit a vulnerable Dell driver to write to the kernel memory. This advanced trick was used in an attempt to bypass the monitoring of security solutions," says Jean-Ian Boutin.
As early as 2020, ESET researchers had documented a campaign called In(ter)ception, in which a Lazarus subgroup targeted European aerospace and defense companies. That campaign was notable because the group used social media, particularly LinkedIn, to build trust between the attacker and an unsuspecting employee before sending malicious files disguised as job descriptions or applications. Companies in Brazil, the Czech Republic, Qatar, Turkey and Ukraine were already being targeted at the time.
ESET researchers believed that the activity was mostly aimed at European companies, but after observing a series of Lazarus subgroups running similar campaigns against defense companies, they soon realized that the campaign was expanding. Although the malware used in the campaigns differed, the modus operandi always remained the same: a supposed recruiter contacted an employee via LinkedIn and eventually sent the malware.
In this respect, the group has continued to operate as it did in the past. However, ESET researchers also found that material from a genuine recruitment campaign was used to lend legitimacy to the group's fake recruitment campaigns.
In addition, the attackers used services such as WhatsApp or Slack in their malicious campaigns.
Fake recruitment campaign by the Lazarus group
In 2021, the US Department of Justice indicted three computer programmers for cyber-attacks carried out while working for the North Korean military. According to the US government, they belonged to the North Korean military hacking unit known to the infosec community as the Lazarus Group.
In parallel with the new research on Lazarus, ESET presented at its annual conference the talk "Cyber War in Ukraine, Past and Present".
ESET researcher Robert Lipovský took an in-depth look at cyberwarfare during Russia's invasion of Ukraine, including the recent attempt to disrupt the country's power grid using Industroyer2 and various wiper attacks.
Finally, at the ESET World conference, Chris Hadfield, the Canadian astronaut and former commander of the International Space Station, who is a key figure in ESET's "Progress. Protected." campaign, and ESET CEO Richard Marko discussed the specifics of technology, science and life.