The United States Federal Bureau of Investigation says that the Lazarus Group is a North Korean "state-sponsored hacking organization". According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
About a year ago Lazarus was seen conducting a phishing campaign where they would target security researchers on various social media platforms pretending to be other researchers looking to collaborate. Google’s Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust. The Malwarebytes Threat Intelligence team was able to spot a new campaign on Jan 18th, 2022. In this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use their known job opportunities theme, this time masquerading as the American security and aerospace company Lockheed Martin.
Lazarus would send malicious Microsoft Word documents which, when opened, would trigger the execution of a macro embedded within the document; the macro would execute a Base64-encoded payload that injects several functions into the explorer.exe process. The major difference between the previous campaign and this one comes next, when one of the loaded binaries, “drops_lnk.dll,” uses the Windows Update client to run a second module called “wuaueng.dll.” The purpose of this module is to establish a connection with a command-and-control server; in this case Lazarus is using a GitHub repository filled with PNG files embedded with malicious code.
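One way to hunt for the step described above, as an added example that is not code from the original post or from Malwarebytes: the genuine wuaueng.dll is a Windows Update Agent component that lives under the Windows directory, so a Windows Update client (wuauclt.exe) or explorer.exe loading a same-named DLL from a user-writable path is worth an alert. The CSV image-load events, the trusted directory roots and the process names are constructed assumptions for the example, not telemetry from the campaign.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed image-load events (process that loaded a DLL, path of the DLL).
# These are sample lines written for this example, not real telemetry.
SAMPLE_EVENTS = """\
process,image
C:\\Windows\\System32\\wuauclt.exe,C:\\Windows\\System32\\wuaueng.dll
C:\\Windows\\System32\\wuauclt.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\wuaueng.dll
C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\vbe7.dll
C:\\Windows\\explorer.exe,C:\\Users\\alice\\AppData\\Roaming\\drops_lnk.dll
"""

# Directories from which these processes are expected to load DLLs (assumption;
# a production rule would use the real %SystemRoot% and also check signatures).
TRUSTED_ROOTS = (
    PureWindowsPath("C:/Windows"),
    PureWindowsPath("C:/Program Files"),
    PureWindowsPath("C:/Program Files (x86)"),
)

# Processes the post names as hosting the loaded modules.
WATCHED_PROCESSES = {"wuauclt.exe", "explorer.exe"}


def is_under(path: str, root: PureWindowsPath) -> bool:
    """True if path lies inside root (Windows paths compare case-insensitively)."""
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False


def find_suspicious_loads(csv_text: str) -> list[tuple[str, str]]:
    """Return (process name, dll path) for watched processes loading a DLL
    from outside every trusted root, e.g. a look-alike wuaueng.dll in Temp."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = PureWindowsPath(row["process"]).name.lower()
        dll = row["image"]
        if proc not in WATCHED_PROCESSES:
            continue
        if any(is_under(dll, root) for root in TRUSTED_ROOTS):
            continue  # loaded from a system or program directory: expected
        findings.append((proc, dll))
    return findings


if __name__ == "__main__":
    for proc, dll in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT: {proc} loaded {dll}")
```

The same check, keyed on the file name wuaueng.dll appearing anywhere other than the Windows directory, works as a file-system sweep as well as an image-load rule.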
Although these two campaigns differ in several ways, Malwarebytes said the links to Lazarus are based on several pieces of evidence, including infrastructure overlaps, document metadata, and the use of job opportunities to lure their victims.