North Korea’s Lazarus Hackers Found Targeting Russian Entities

It has long been thought that Russia is a no-go area for North Korean hacking group Lazarus. Russia is one of North Korea’s few friends, along with China. 

Now, however, Check Point researchers have detected what they suspect is a Lazarus attack on Russian targets. “For the first time,” it announces in a blog post today, “we were observing what seemed to be a North Korean coordinated attack against Russian entities.”

Check Point believes the attacks emanate from the Bluenoroff division of Lazarus. Bluenoroff is believed to be primarily tasked with ‘monetization’, while a separate division, named Andariel, is tasked with targeting South Korean entities.

Lazarus (probably Bluenoroff) is believed to be behind some of the most notorious attacks of the last few years, including the Sony Pictures Entertainment breach and the $81 million Bangladesh bank theft.

Key to Check Point’s belief that this is a Lazarus campaign is the final payload — a versatile Lazarus backdoor that has been named KEYMARBLE by the US-CERT. A DHS report from August 2019 describes KEYMARBLE as a RAT that uses “a customized XOR cryptographic algorithm… to secure its data transfers and command-and-control (C2) sessions. It is designed to accept instructions from the remote server.”

The infection flow used in this campaign comprises three primary steps. The first is an attached ZIP file containing a benign decoy PDF and a Word document containing malicious macros. In one example, the benign document contains an NDA for StarForce Technologies, a Russia-based company that provides copy-protection solutions. The malicious Word macros download a VBS script from a Dropbox URL. The VBS script executes and downloads a CAB file from a compromised server, extracts the payload and executes it.

At some point during the campaign, however, the attackers decided to skip the second stage. They modified the malicious Word macros to download and execute the backdoor directly.

“A closer look at the compromised server shows an unconvincing website for the ‘Information Department’ of the ‘South Oil Company’,” writes Check Point. “The server is located in Iraq and hosted by EarthLink Ltd. Communications&Internet Services.” The CAB file is disguised as a JPEG image.
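The CAB-disguised-as-JPEG trick above is cheap to catch on the defender's side, because the cabinet format starts with a fixed "MSCF" header regardless of the file name. The following Python is an added example, not code from Check Point or from this article; it sniffs the real container type from leading bytes, parses the fixed CFHEADER fields, and flags a `.jpg` name carrying a cabinet. The sample bytes are constructed here, not taken from the campaign.

```python
import struct
from typing import Optional

# CFHEADER layout from the Microsoft Cabinet format (36 bytes, little-endian):
# "MSCF", reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
CAB_HEADER = struct.Struct("<4sIIIIIBBHHHHH")
JPEG_MAGIC = b"\xff\xd8\xff"

def sniff_type(data: bytes) -> str:
    """Return the real container type from leading bytes, ignoring the file extension."""
    if data.startswith(b"MSCF"):
        return "cab"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"

def parse_cab_header(data: bytes) -> Optional[dict]:
    """Parse the fixed CFHEADER; None if the data is not a cabinet archive."""
    if len(data) < CAB_HEADER.size or not data.startswith(b"MSCF"):
        return None
    (_sig, _r1, cb_cabinet, _r2, _coff_files, _r3,
     v_minor, v_major, c_folders, c_files, flags, _set_id, _i_cabinet) = CAB_HEADER.unpack_from(data)
    return {"size": cb_cabinet, "version": f"{v_major}.{v_minor}",
            "folders": c_folders, "files": c_files, "flags": flags}

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a .jpg/.jpeg name carries a cabinet archive (the disguise described above)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in ("jpg", "jpeg") and sniff_type(data) == "cab"

# Constructed sample (not a real malware sample): a bare CFHEADER claiming one
# folder and two files, padded so cbCabinet (128) matches the blob length.
SAMPLE_CAB = CAB_HEADER.pack(b"MSCF", 0, 128, 0, 44, 0, 3, 1, 1, 2, 0, 0x1234, 0) + b"\x00" * 92
# Constructed sample of a genuine JPEG/JFIF prefix for comparison.
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SAMPLE_CAB), ("photo.jpg", SAMPLE_JPEG)):
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(name, sniff_type(blob), verdict, parse_cab_header(blob))
```

The same magic-byte check applies to any attachment or download whose extension promises an image but whose bytes do not.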

The real surprise in this campaign is that North Korea should now treat Russia as a target — and there will be questions over whether this is a false flag attack from some other party. Check Point is, however, confident. “While attributing attacks to a certain threat group or another is problematic,” it states, “the analysis… reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group — Lazarus.”

If the attribution is right, the interesting geo-political question is why North Korea should turn against a ‘friendly’ nation. It could, of course, be as simple as revenge. Just one year ago, cyber-attacks against the South Korean PyeongChang Winter Olympic Games were rapidly attributed to North Korea. One month later, Kaspersky announced that the malware used contained sophisticated false flags. One theory is that it originated from Russia, another is that it was China.

Other false flag options could include a criminal gang trying to disguise itself, or any one of numerous western nations trying to sow discord between North Korea and Russia. Or it could simply be that, for some reason, Russia is now on the Lazarus list of acceptable targets.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
