New Lazarus Campaign Targets Those In The Defence industry

Qualys Senior Engineer of Threat Research Akshat Pradhan has identified a new campaign from Lazarus hackers targeting the defense industry with fake Lockheed Martin job offers.

The Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin Corporation, which is an American aerospace, arms, defence, information security, and technology corporation. This is thematically similar to other observed variants where Lazarus has posed as defence companies like Northrop Grumman and BAE Systems with job openings. We refer to this campaign as “LolZarus” due to the use of different lolbins in observed samples, some of which are the lolbin’s first recorded usage by a well-known adversary.

The campaign works by attacking hopeful job applicants in the defense industry by sending targeted phishing documents pretending to offer employment opportunities. The documents contain malicious macros which trigger shellcode to hijack control flow, retrieve decoy documents and create Scheduled tasks for persistence.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“These types of phishing attacks are a perfect example of how threat actors easily compromise systems in an organization. They are almost impossible to defend against despite email security and employee training. Outside of the initial compromise methodology, it is especially hard for security teams to identify this new attack out of the gate until a threat research team uncovers and analyzes the campaign. In this case is a new variant of attacks typically used by a known state-sponsored hacking group. The worst part is that it uses capabilities that mimic real activity to further hide malicious intent. Even with current XDR and traditional SIEM tools, it is a big challenge for security teams to identify the campaign once the initial compromise occurs based on the various techniques used because slight changes in creating the variant often circumvents these tools detection capabilities. Customers need to invest more in behavioral based analytics solutions, that not baselines normal user and asset activity, but can self-learn what is normal and abnormal in order to better prioritize threat activity. Rule-based machine learning (ML) models cannot do this pro-actively and require a vendor update based on the discovered research. This does not provide immediate detection against these previously-unknown variants.”

This campaign highlights the fact that everyone needs to be trained to not get fooled by these phishing attacks. Here’s some tips to avoid being that person or company who gets pwned.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: