A notorious APT group, Lazarus, sponsored by North Korea's government, expands its attack surface, targeting entities in the chemical sector along with IT organizations, mostly in South Korea. Researchers believe that the latest campaign is part of Lazarus' Operation Dream Job plans, detected in August 2020. Similar tools and IoCs detected in both campaigns serve as feasible evidence to link them.

Symantec threat hunters have recently revealed the ongoing cyber espionage campaign targeting South Korea's chemical industry and IT sector, which seems to be a continuation of the infamous malware campaign dubbed Operation Dream Job that started in 2020. Hard on the heels of the initial attack, Lazarus hackers were reported to make subsequent attempts to abuse Windows Update and GitHub to bypass detections while weaponizing malicious macros. At the turn of 2022, the Lazarus group was spotted in a spear-phishing attack leveraging Windows Update and a GitHub C&C server to spread malware. The state-sponsored North Korea-linked APT has been in the spotlight since at least 2009, involved in high-profile attacks, including cyber espionage campaigns.

SOC Prime released a batch of Sigma rules aimed at detecting Lazarus APT activity, crafted by our seasoned Threat Bounty developers Osman Demir and Nattatorn Chuensangarun, who are always on the lookout for new threats. Utilize the following detection content to scan your system for malicious findings related to Lazarus APT's recent attacks:

Possible Lazarus Group Persistence by Created Scheduled Tasks Targets Chemical Sector (via process_creation) – the detection hunts out Lazarus group activity marked by the adversaries' attempts at ensuring their persistence.

Suspicious Lazarus APT Persistence by Adding of Scheduled Tasks (via security) – roots out Lazarus APT group presence related to scheduled task creation on the victim's system.

Suspicious Lazarus APT Execution by Creation of System Service (via process_creation) – this rule detects Lazarus APT group activity related to system service creation on the victim's system.

Possible Lazarus Group Execution by Injecting into System Management Software INISAFE Web EX Client (via process_creation) – identifies the trails left by Lazarus hackers injecting DLL files into the INISAFE Web EX Client.

Possible Lazarus Group Execution to Take Screenshots (SiteShoter) of Web Page (via process_creation) – spots Lazarus activity associated with the malicious use of SiteShoter to take screenshots of web pages.

Possible Lazarus Group Activity by Detection of Associated Files (via file_event) – this rule reveals Lazarus activity associated with relevant malicious files.

Follow the updates of detection content related to Lazarus APT in the Threat Detection Marketplace repository of the SOC Prime Platform here.

Lazarus Group's Latest Kill Chain Attack Analysis

Lazarus activity dubbed Operation Dream Job entails exploiting phony job opportunities to trick victims into following harmful links or clicking on infected files, resulting in the deployment of espionage malware. The launch of the campaign dates back to the Summer of 2020. Spikes in Operation Dream Job activity were noticed in August 2020 and July 2021, with the previous campaigns targeting the government, defense, and engineering sectors. The current campaign started in early 2022 and is still ongoing, sharing the same toolset and techniques as its preceding "sister" campaigns. Symantec researchers labeled this branch of Lazarus activity Pompilus.

Are you a threat hunter working on Sigma- or Yara-based malware detections? Join our Threat Bounty program to share your rules via the Threat Detection Marketplace repository and get community support with tons of other benefits, including making this into a considerable stream of income.
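As an added illustration of the persistence behaviours the scheduled-task and system-service rules listed above look for (example code written for this post, not SOC Prime's Sigma content), the snippet below runs simple matching logic over constructed telemetry; it assumes Sysmon-style process_creation fields and Windows Security event 4698 for scheduled task creation, and the rule names it emits are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Event:
    source: str           # "process_creation" or "security" (Windows Security log)
    image: str = ""       # full path of the created process
    command_line: str = ""
    event_id: int = 0     # Security event ID; 4698 = "A scheduled task was created"

def detect(event: Event) -> list:
    """Return the (hypothetical) rule names that match a single event."""
    hits = []
    if event.source == "process_creation":
        exe = event.image.lower().rsplit("\\", 1)[-1]
        args = event.command_line.lower().split()
        # Persistence via scheduled task created from the command line
        if exe == "schtasks.exe" and "/create" in args:
            hits.append("persistence_scheduled_task_process_creation")
        # Persistence via a newly registered system service
        if exe == "sc.exe" and "create" in args:
            hits.append("persistence_system_service_process_creation")
    elif event.source == "security" and event.event_id == 4698:
        # The Security log records task creation even when schtasks.exe is not
        # used (e.g. via the Task Scheduler API); needs "Audit Other Object
        # Access Events" enabled on the host.
        hits.append("persistence_scheduled_task_security_log")
    return hits

# Constructed sample telemetry; paths and names are illustrative, not real IoCs.
SAMPLE_EVENTS = [
    Event("process_creation", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr C:\Users\Public\u.exe'),
    Event("process_creation", r"C:\Windows\System32\sc.exe",
          r'sc.exe create SvcHost binPath= "C:\Users\Public\h.exe" start= auto'),
    Event("process_creation", r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query"),
    Event("security", event_id=4698),
    Event("security", event_id=4688),
]

def scan(events) -> dict:
    """Map the index of each matching event to its rule names; benign events are omitted."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```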