Lazarus group history





The documents attempted to impersonate new defense contractors and engineering companies like Airbus, General Motors (GM), and Rheinmetall:

Rheinmetall_job_requirements.doc: identified by ESET Research.
General_motors_cars.doc: identified by Twitter user
Airbus_job_opportunity_confidential.doc: identified by 360CoreSec.

The first two documents from early May 2021 were related to a German engineering company focused on the defense and automotive industries, Rheinmetall. The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another.


AT&T Alien Labs™ has observed new activity that has been attributed to the Lazarus adversary group potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. This assessment is based on malicious documents believed to have been delivered by Lazarus during the last few months (spring 2021). However, historical analysis shows the lures used in this campaign to be in line with others used to target these groups. The purpose of this blog is to share the new technical intelligence and provide detection options for defenders.

Lazarus has been identified targeting defense contractors with malicious documents. Several documents identified from May to June 2021 by Twitter users were identified as being linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities for Boeing and BAE Systems.

Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group actors include Destover, Duuzer, and Hangman. There is a high emphasis on renaming system utilities (Certutil and Explorer) to obfuscate the adversary's activities (T1036.003). Alien Labs will continue to report on any noteworthy changes.
