New Lazarus Campaign Targets Those in the Defence Industry

Qualys Senior Engineer of Threat Research Akshat Pradhan has identified a new campaign from Lazarus hackers targeting the defense industry with fake Lockheed Martin job offers.

The Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin Corporation, which is an American aerospace, arms, defence, information security, and technology corporation. This is thematically similar to other observed variants where Lazarus has posed as defence companies like Northrop Grumman and BAE Systems with job openings. We refer to this campaign as “LolZarus” due to the use of different lolbins in observed samples, some of which are the lolbin’s first recorded usage by a well-known adversary.

The campaign targets hopeful job applicants in the defence industry by sending them phishing documents that pretend to offer employment. The documents contain malicious macros which trigger shellcode to hijack control flow, retrieve decoy documents and create scheduled tasks for persistence.
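The attack chain above (macro, then shellcode, then a scheduled task created from the Office process) gives defenders a concrete behaviour to look for: an Office application should almost never be the parent of schtasks.exe or of a script host. The following detection sketch is an added example, not code from Qualys or from this post. It runs over Sysmon-style process-creation events represented as dictionaries; the event field names, the list of parent/child binaries, and the sample events are all constructed assumptions.

```python
"""
Added defender-side example (not from the Qualys write-up or The IT Nerd post).
Flags process-creation events in which an Office application spawns a
scheduled-task or script-host binary, matching the chain described for the
LolZarus lures: macro -> shellcode -> scheduled task for persistence.
The Sysmon-style field names and the sample events below are constructed.
"""
import ntpath
from dataclasses import dataclass

# Assumed parent applications that host VBA macros.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed set of lolbins / script hosts whose Office parent is suspicious.
PERSISTENCE_CHILDREN = {
    "schtasks.exe", "powershell.exe", "cmd.exe", "mshta.exe",
    "rundll32.exe", "wmic.exe", "wscript.exe", "cscript.exe",
}


@dataclass(frozen=True)
class Finding:
    record_id: int
    parent: str
    child: str
    reason: str


def _basename(path: str) -> str:
    # ntpath handles Windows backslash paths even when run on Linux/macOS.
    return ntpath.basename(path).lower()


def flag_office_spawns(events):
    """Return a Finding for every event where an Office app spawns a lolbin.

    A schtasks /create from an Office parent gets its own, more specific
    reason because it is the persistence step named in the report.
    """
    findings = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS:
            continue
        cmd = ev.get("CommandLine", "").lower()
        if child == "schtasks.exe" and "/create" in cmd:
            findings.append(Finding(ev["RecordId"], parent, child,
                                    "office app creating scheduled task"))
        elif child in PERSISTENCE_CHILDREN:
            findings.append(Finding(ev["RecordId"], parent, child,
                                    "office app spawned lolbin/script host"))
    return findings


# Constructed sample telemetry: one task-creation, one lolbin spawn, and two
# benign events (Word launched by Explorer; Word spawning the print helper).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": OFFICE,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "C:\\Users\\Public\\svc.exe"'},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE,
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\offer.docx"'},
    {"RecordId": 3, "ParentImage": OFFICE,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\stage.dll,Start"},
    {"RecordId": 4, "ParentImage": OFFICE,
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]


if __name__ == "__main__":
    for f in flag_office_spawns(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.parent} -> {f.child} ({f.reason})")
```

In practice the parent/child lists would be tuned to the applications actually deployed, and the rule would be paired with an allow-list for legitimate Office child processes (the print helper in record 4 shows why a bare "Office spawned anything" rule is too noisy).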

Saryu Nayyar, CEO and Founder of Gurucul, had this to say:

“These types of phishing attacks are a perfect example of how threat actors easily compromise systems in an organization. They are almost impossible to defend against despite email security and employee training. Outside of the initial compromise methodology, it is especially hard for security teams to identify this new attack out of the gate until a threat research team uncovers and analyzes the campaign. In this case it is a new variant of attacks typically used by a known state-sponsored hacking group. The worst part is that it uses capabilities that mimic real activity to further hide malicious intent. Even with current XDR and traditional SIEM tools, it is a big challenge for security teams to identify the campaign once the initial compromise occurs based on the various techniques used, because slight changes in creating the variant often circumvent these tools’ detection capabilities. Customers need to invest more in behavioral-based analytics solutions that not only baseline normal user and asset activity, but can self-learn what is normal and abnormal in order to better prioritize threat activity. Rule-based machine learning (ML) models cannot do this proactively and require a vendor update based on the discovered research. This does not provide immediate detection against these previously unknown variants.”

This campaign highlights the fact that everyone needs to be trained not to get fooled by these phishing attacks. Here are some tips to avoid being the person or company who gets pwned.
