ATTACKS BY THE LAZARUS CYBERCRIMINAL GROUP TARGETING ORGANIZATIONS IN RUSSIA WERE IDENTIFIED
2019-02-20 • Secure Soft • Attacks by the Lazarus cybercriminal group targeting organizations in Russia were identified
The Spanish-language report describes Lazarus activity targeting Russia-based organizations with malicious Office documents delivered in ZIP files alongside a benign StarForce Technologies NDA PDF lure. The infection chain uses a malicious macro to download a VBS script from Dropbox, then retrieves a CAB file, extracts the KEYMARBLE executable with the Windows expand utility, and runs it. KEYMARBLE is described as a RAT that contacts C2 infrastructure and waits for operator commands, with listed indicators including 194.45.8.41 and 37.238.135.70 plus multiple malware hashes.