Security researchers: Here's how the Lazarus hackers start their attacks

Here's how North Korea's Lazarus hackers use LinkedIn to reach targets and Office macros to compromise hosts.
Written by Liam Tung, Contributing Writer

The Lazarus hacking group is one of the top cybersecurity threats from North Korea, recently catching the attention of the US government for massive cryptocurrency heists. 

Now researchers at NCCGroup have pieced together a few of the tools and techniques Lazarus hackers have been using recently, including social engineering on LinkedIn, messaging US defense contractor targets on WhatsApp, and installing the malicious downloader LCPDot. 

NCCGroup's findings build on what's already known about Lazarus hackers. The group, and its sub groups, are known to have used LinkedIn for tricking targets into installing malicious files such as Word documents with hidden macros. 

SEE: Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts

In February, researchers at Qualys found the group impersonating defense contractor Lockheed Martin, using its name as a lure for job opportunities in laced Word documents. The documents contained malicious macros to install malware and relied on Scheduled Tasks to persist on a system.         

Lazarus historically has used LinkedIn as a preferred social network to contact professionals with job offers. In 2020, researchers at F-Secure found the group attempting to recruit a system administrator with a phishing document sent to the target's LinkedIn account regarding a blockchain company seeking a new sysadmin. 

In April, US Treasury linked Lazarus to a $600 million heist in March from the blockchain network behind the play-to-earn game Axie Finity. 

That same month, the FBI, the Cybersecurity and Infrastructure Security Agency, and Treasury warned that Lazarus was currently focusing on exchanges in the blockchain and cryptocurrency industry, using spear-phishing campaigns and malware to steal cryptocurrency. 

NCCGroup found that the recent use of fake Lockheed Martin profiles to share job ads with targets relied on documents hosted on a domain that attempted to mimic that of a US-based recruitment site for government and defence vacancies.

To bypass Microsoft's recent efforts to restrict the use of macros in Office documents, the website hosted a ZIP file containing the malicious document that was used to connect with Lazarus' command and control server. 

"In order to subvert security controls in the recent changes made by Microsoft for Office macros, the website hosted a ZIP file which contained the malicious document," NCCGroup noted. 

Microsoft in April introduced new Office default behavior that blocks VBA macros obtained from the internet in documents on devices running Windows. One security expert called it a "game changer" because of the prevalence of macro malware. 

SEE: The Emotet botnet is back, and it has some new tricks to spread malware

NCCGroup also obtained a sample of Lazarus' variant of LCPDot, a downloader recently analysed by Japan CERT, which attributed it to Lazarus. 

After registering a compromised host with the command and control server, the downloader receives another payload, decrypts it, and then loads it into memory. 

NCCGroup lists several domains that would indicate an organization has been compromised by hackers.

Google in March detailed a wide-reaching campaign by Lazarus-related groups targeting hundreds of people across the media and tech sectors with job offers in emails impersonating recruiters from Disney, Google and Oracle. Blockchain analysis firm Chainalysis estimated North Korean hackers stole $400 million in cryptocurrency in 2021.

Editorial standards