Lazarus campaign TTPs and evolution

2021-07-06 AT&T Alien Labs

https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution

AT&T Alien Labs reports Lazarus-attributed malicious document activity in spring 2021 that targeted engineering job candidates and employees in classified engineering and defense-related roles in the United States and Europe. The lures impersonated job opportunities at Rheinmetall, General Motors, and Airbus, continuing the group's pattern of job-themed targeting against defense contractors and engineering organizations. The macro malware decoded its embedded payload with certutil, staged renamed copies of Windows utilities (certutil, explorer, and mavinject) under C:\Drivers so the activity blended in with driver files, used mavinject to inject into explorer.exe, and contacted hardcoded HTTPS C2 infrastructure assessed to be compromised third-party domains. The source highlights iterative changes across the documents intended to reduce detection while preserving the same core tradecraft: remote template, macro, compromised infrastructure, and proxied C2.
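Detection logic for the tradecraft above, as an added example that is not code from the AT&T Alien Labs report: it runs over Sysmon process-creation events (constructed here, field names following Sysmon's Event ID 1 schema) and flags a utility whose PE OriginalFileName is certutil, explorer or mavinject but whose on-disk name differs, anything executing from C:\Drivers, certutil invoked with -decode, and mavinject injecting a DLL into a running process. The command lines, the renamed file names, and the mavinject32/mavinject64 OriginalFileName variants are assumptions for illustration, not indicators from the report.

```python
r"""Detect renamed certutil/explorer/mavinject staged under C:\Drivers.

Added example, not code from the original report. Events below are
constructed Sysmon Event ID 1 records; the command lines and renamed
file names are assumptions about how the staged tools would be invoked.
"""
import ntpath
import re

# PE OriginalFileName values (as Sysmon records them) for the utilities the
# report says were copied and renamed. The mavinject32/64 variants are an
# assumption covering the 32- and 64-bit builds.
RENAME_CANDIDATES = {
    "certutil.exe": "certutil",
    "explorer.exe": "explorer",
    "mavinject.exe": "mavinject",
    "mavinject32.exe": "mavinject",
    "mavinject64.exe": "mavinject",
}

STAGING_DIR = r"c:\drivers"  # directory the macro used for staging


def analyze_event(ev):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    image = ev.get("Image", "")
    image_name = ntpath.basename(image).lower()
    image_dir = ntpath.dirname(image).lower().rstrip("\\")
    orig = ev.get("OriginalFileName", "").lower()
    cmd_l = ev.get("CommandLine", "").lower()

    tool = RENAME_CANDIDATES.get(orig)
    # 1. Renamed utility: PE says certutil/explorer/mavinject, disk name differs.
    if tool and image_name != orig:
        findings.append(f"renamed_{tool}:{image_name}")
    # 2. Anything executing out of the staging directory.
    if image_dir == STAGING_DIR:
        findings.append(f"exec_from_c_drivers:{image_name}")
    # 3. certutil decoding a file, whatever the binary is called on disk.
    if tool == "certutil" and re.search(r"-decode(hex)?\b", cmd_l):
        findings.append("certutil_decode")
    # 4. mavinject injecting a DLL into a running PID.
    if tool == "mavinject":
        m = re.search(r"(\d+)\s+/injectrunning\s+(\S+)", cmd_l)
        if m:
            findings.append(f"mavinject_injectrunning:pid={m.group(1)}:dll={m.group(2)}")
    return findings


def analyze_events(events):
    """Map ProcessId (or list index) to findings; clean events are dropped."""
    out = {}
    for i, ev in enumerate(events):
        f = analyze_event(ev)
        if f:
            out[ev.get("ProcessId", i)] = f
    return out


# Constructed sample telemetry: two benign baselines and three staged tools.
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verify cert.cer"},
    {"ProcessId": 1001, "Image": r"C:\Drivers\ctl.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"ctl.exe -decode C:\Drivers\b.txt C:\Drivers\p.dll"},
    {"ProcessId": 1002, "Image": r"C:\Drivers\exp.exe",
     "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": r"C:\Drivers\exp.exe"},
    {"ProcessId": 1003, "Image": r"C:\Drivers\mi.exe",
     "OriginalFileName": "mavinject32.exe",
     "CommandLine": r"mi.exe 4242 /INJECTRUNNING C:\Drivers\p.dll"},
    {"ProcessId": 1004, "Image": r"C:\Windows\explorer.exe",
     "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for pid, findings in analyze_events(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The OriginalFileName comparison is the part worth keeping even if the staging directory changes in a later document revision: renaming the binary on disk does not change the PE version resource, so a Sysmon or EDR rule keyed on that field survives the kind of iterative tweaks the report describes.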

Indicators of Compromise

Type    Value                               First Seen   Last Seen
YARA    LazarusCampaign_Payload_Jun2021     2021-07-06   2021-07-06
YARA    LazarusCampaign_MacroDoc_Jun2021    2021-07-06   2021-07-06
HASH    9362425ae690b5bf74782eafe959195…    2021-07-06   2021-07-06
HASH    ffec6e6d4e314f64f5d31c62024252a…    2021-07-06   2021-07-06
HASH    65f7211c3d7fde25154b4226a7bef07…    2021-07-06   2021-07-06
HASH    1690ce43530acf725f33aa30f715855…    2021-07-06   2021-07-06
HASH    97515b70184f4553e5ae6b51d06a148…    2021-07-06   2021-07-06
HASH    8e1746829851d28c555c143ce62283b…    2021-07-06   2021-07-06
HASH    5c206b4dc2d3a25205176da9a1129c9…    2021-07-06   2021-07-06
HASH    ebd6663d1df8228684a0b2146b68ce1…    2021-07-06   2021-07-06
HASH    3b33b0739107411b978c3cbafb312a4…    2021-07-06   2021-07-06
HASH    294acafed42c6a4f546486636b4859c…    2021-07-06   2021-07-06
HASH    f5563f0e63d9deed90b683a15ebd2a1…    2021-07-06   2021-07-06
HASH    f53d4b3eb76851e88c6f30f1ecc6779…    2021-07-06   2021-07-06
HASH    e6dff9a5f74fff3a95e2dcb48b81b05…    2021-07-06   2021-07-06
DOMAIN  shopweblive.com                     2021-07-06   2021-07-06
DOMAIN  allgraphicart.com                   2021-07-06   2021-07-06

Related Actors

Related Reports

2021-12-02 • 46% Match
#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1573.001 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004 #T0865
Shares tags: Lazarus, T1140, T1036