Security experts at Check Point have uncovered a cyber espionage campaign carried out by Lazarus aimed at Russian targets,
If the attribution is correct, this is the first time that North Korean cyber spies were targeting Russian entities.
“For the first
The experts believe the attacks were carried out by the Bluenoroff threat actor, a division of the dreaded Lazarus APT group, that was financially motivated.
Bluenoroffis one of the most active groups in terms of attacks against financial institutions and is trying to actively infect different victims in several regions and trading companies in Bangladesh in 2014 and the now famous $81million Cyber-Heist of the Bangladesh central
The final payload used in this campaign is the KEYMARBLE backdoor that is downloaded from a compromised server in the form of a CAB file disguised as a JPEG image. (http://37.238.135[.]70/img/anan.jpg).
The compromised server used by threat actors is an unconvincing website for the “Information Department” of the “South Oil Company”. The server is hosted by EarthLink Ltd. Communications&Internet Services and located in Iraq
The infection chain used in this campaign comprises three primary steps:
At some point during the campaign, the attackers changed tactic and started to skip the second stage using Word macros that downloads and executes the backdoor directly.
Why should North Korea spy on Russian entities?
It is difficult to say, considering the good relationship between the two countries, anyway, we cannot exclude that a third-party actor user false flags to disguise itself.