Foreign adversaries pose threats to US national security, but researchers at Check Point believe that the advanced persistent threat (APT) group known as Lazarus is now targeting Russian organizations.
In a February 19 blog post, Check Point revealed findings from research that suggests the North Korean APT known as both Lazarus and Hidden Cobra has launched the first attack on financial institutions in Russia.
“This incident represents an unusual choice of victim by the North Korean threat actor – these attacks tend to reflect the geopolitical tensions between the DPRK and nations such as the US, Japan and South Korea. In this case, though, it is Russian organizations who are the targets,” researchers wrote.
Researchers have been monitoring this coordinated attack on private, Russian-owned companies, calling it the first cyber-attack of its kind. Evidence suggests that the attack is the work of Lazarus, one of the most prevalent APT groups today, believed to be a North Korean–sponsored threat actor responsible for some of the world's largest security breaches.
Several documents in this campaign, all with the author name home and a Korean code page, were uploaded to VirusTotal from different Russian sources during the week of January 26–31, 2019, the blog noted. What researchers have identified is that the attack consists of three main steps in the infection chain:
- A ZIP file , which contains two documents: a benign decoy PDF document and a malicious Word document with macros [is opened].
- The malicious macro downloads a VBS script from a Dropbox URL, followed by the VBS script execution.
-
The VBS script downloads a CAB file from the drop-zone server, extracts the embedded EXE file (backdoor) using Windows’ "expand.exe" utility, and finally executes it.
Interestingly, though, the tactics change at a certain point. The second step of the process is eliminated and "the malicious Word macros were modified to directly 'download and execute' the Lazarus Backdoor in stage three," researchers wrote.