[MART] - Daily Diary #575 - Lazarus APT Targets Security Engineers

ctas-mat at appgate.com
Wed Aug 17 21:08:08 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/17/2022 - Diary entry #575:

Lazarus is a North Korean state-sponsored Advanced Persistent Threat (APT) group, active since at least 2009, and covered in several of our Daily Diaries. In November last year, we covered Lazarus' campaign targeting security researchers with a trojanized version of the popular IDA Pro reverse engineering software.

This month, a new campaign targeting Security Engineers was discovered and submitted to VirusTotal from Brazil. Disguised as a job description for Coinbase, a popular cryptocurrency exchange platform, the threat actors signed a macOS executable containing the fake Coinbase job description PDF along with two other files. The malware then tries to establish a connection with its C2 to perform additional activities.

As an APT, Lazarus employs complex and creative ways to gain initial access. In May this year, a similar sample was also observed in Singapore disguised as a job description. Targeting Security Engineers is a risky strategy, but if successful, it can give the threat actors elevated privileges inside organizations. Therefore, it is important to take precautions when downloading or opening unsolicited documents, and to apply security measures to every employee's access, regardless of whether it is a security-related position.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
