Recently, the infamous cybercrime collective Lazarus Group unleashed a malware campaign that targeted job-seekers by impersonating well-known defense contractors.
In this campaign, the attackers sent emails to job-seekers while posing as recruiters at known defense organizations, so recipients believed they were hearing from a potential employer. The spoofed emails carried Word documents that, once the recipient enabled macros, used those macros to infect the victim's computer and then hid their activity to avoid detection.
This has prompted us to take a closer look at how Lazarus and similar advanced persistent threat (APT) groups and operations leverage social media, and why these attacks emphasize the need for robust cybersecurity measures.
Peering into the Lazarus Group Attack
The Lazarus Group, known by many other names, including Hidden Cobra, WhoIs Team, and ZINC, is an APT and cybercrime organization attributed to North Korea.
The Lazarus Group has used zero-day exploits, spear phishing, and large-scale malware campaigns against its targets. It has been linked to some of the most notable cyberattacks in history, including the infamous 2017 WannaCry outbreak. According to a recent report published by AT&T, the Lazarus Group has also been linked to several documents that lured job-seekers, particularly engineers, with fake job opportunities at BAE Systems and Boeing.
Looking at the attack in greater depth, the Lazarus Group crafted emails to look as though they came from major defense organizations such as Airbus, General Motors, and Rheinmetall. Each email carried a Word document containing a malicious built-in macro. When opened, the document prompted the user to enable macros, and if the victim did, the macro infected the victim's device.
In this case, Lazarus successfully impersonated an employee of one of these major companies to lure unsuspecting users into opening the email and the attached Word document. Moreover, the report reveals that the macro malware the attackers used was "developed and improved during this campaign and from one target to another." The "documents" used in the campaign remained basically unchanged, but the attackers executed several iterations of the attack in an attempt to "reduce the potential detections and increase the faculties of the macros."
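The lure described above works because the Word attachment carries an embedded VBA project that only runs once the reader clicks "Enable Content". A mail gateway or triage script can flag such attachments structurally, before anyone opens them: a modern Office document is a zip container, a macro-bearing one contains a `word/vbaProject.bin` part and declares macro-enabled content types in `[Content_Types].xml`, and a legacy binary `.doc` starts with the OLE2 compound-file signature and needs a dedicated OLE parser (for example oletools' olevba) to reach its macro streams. The following Python is an added example written for this article, not code from the AT&T report or from Lazarus tooling; the `inspect_office_attachment` and `build_sample_docx` names are our own, and the sample documents it builds are constructed in memory for offline testing rather than real lure files.

```python
"""Structural triage of Office attachments: does this file carry a VBA project?"""
import io
import zipfile
from dataclasses import dataclass, field

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound-file header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip container
# Content types Office declares for macro-enabled Word parts
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)


@dataclass
class Verdict:
    container: str              # "ooxml", "ole2" or "other"
    has_vba: bool
    reasons: list = field(default_factory=list)


def inspect_office_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict describing whether an attachment embeds VBA.

    Only the container structure is inspected; the macro code itself is not
    decoded. Legacy OLE2 files are flagged for deeper inspection because their
    macros live in OLE streams that need an OLE parser (e.g. oletools' olevba).
    """
    if data.startswith(OLE2_MAGIC):
        return Verdict("ole2", False, ["legacy OLE2 container; inspect VBA streams with an OLE parser"])
    if not data.startswith(ZIP_MAGIC):
        return Verdict("other", False, ["not an OOXML zip container"])

    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                reasons.append("embedded VBA project part: " + ", ".join(vba_parts))
            try:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                content_types = ""
                reasons.append("missing [Content_Types].xml")
            declared = [ct for ct in MACRO_CONTENT_TYPES if ct in content_types]
            if declared:
                reasons.append("content types declare macro-enabled parts: " + ", ".join(declared))
    except zipfile.BadZipFile:
        return Verdict("other", False, ["corrupt zip container"])

    has_vba = bool(vba_parts or declared)
    # A macro-bearing file shipped under a non-macro extension is a lure signal in itself
    if has_vba and filename.lower().endswith((".docx", ".dotx")):
        reasons.append(f"macro content under non-macro extension {filename!r}")
    return Verdict("ooxml", has_vba, reasons)


def build_sample_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML sample for offline testing (not a real lure document)."""
    main_type = MACRO_CONTENT_TYPES[1] if with_vba else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPES[0]}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'{overrides}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a lure-style macro document hiding under .docx, a clean
    # .docx, a legacy .doc header, and a non-Office file.
    samples = {
        "Job_Description.docx": build_sample_docx(with_vba=True),
        "resume_template.docx": build_sample_docx(with_vba=False),
        "old_offer.doc": OLE2_MAGIC + b"\x00" * 64,
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        v = inspect_office_attachment(name, blob)
        print(f"{name:22} container={v.container:5} has_vba={v.has_vba} {'; '.join(v.reasons)}")
```

The check deliberately stops at the container level: it answers "does this attachment carry a macro at all?", which is enough to quarantine or strip the file at a gateway, while leaving decompression and inspection of the VBA source itself to a dedicated tool. An `ole2` verdict should be treated as "unknown, inspect further" rather than clean.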
Exploiting LinkedIn’s Digital Risk Surface
Social media accounts are a treasure trove of personal and sensitive information for cybercriminals. On LinkedIn, prominent APT groups and operations harvest names, job titles, employers, skills, and career histories, which is exactly the information needed to target engineers with a believable job offer.
It was recently discovered that attackers had posted the data of over 700 million LinkedIn accounts to an online hacker forum. Even if that database had never been posted, the underlying data is publicly visible on LinkedIn profiles, and actors can scrape it without compromising anything. With this data in hand, cybercriminals such as the Lazarus Group can build and carry out phishing campaigns aimed at specific groups of users, in this case engineers.
Not only can the Lazarus Group and other attackers use this data to build target lists for their campaigns, but they can also use it to create more convincing fake recruiter and employee accounts.
Emphasizing the Need for Cyber Defense
The only sure way to completely safeguard an organization against attacks that leverage platforms such as LinkedIn is not to have a presence on them at all. Of course, this is not a realistic approach in today's digital world. Instead, enterprises must do everything they can to prepare themselves against APT groups and operations such as those conducted by the Lazarus Group. Such steps include:
The Lazarus Group attack is only one of many campaigns in which attackers phish individuals through LinkedIn. These campaigns only emphasize the need for a comprehensive prevention and response plan. SafeGuard Cyber provides the capability to detect, analyze, and defend against attacks on messaging, collaboration, and social applications in real time. Request a demo to see it in action.