Researchers observe cyber-attacks on Russian firms by North Korean APT group

Analysis of the tactics and tools used by the hackers suggests they were initiated by North Korean APT group Lazarus

In an unusual 'predator-prey relationship' that has never been observed before, North Korea-based hacking groups have been targeting companies based in Russia.

That is according to security specialists from Check Point Software, who arrived at the conclusion after carefully examining several malicious Office documents specially crafted by the hackers for Russian targets.

Analysis of the tactics, tools and techniques used by the hackers in these cyber-attacks indicates that they were initiated by North Korean advanced persistent threat (APT) group Lazarus, Check Point claims.

According to the researchers, these malicious documents were part of the initial stages of an infection chain that would eventually result in the installation of a revised variant of a Lazarus backdoor, named KEYMARBLE by US-CERT.

Lazarus, also known as Hidden Cobra, is one of the best known APT groups in the world. It is believed to be a North Korean state-sponsored hacking group, and it has been held responsible for some of the largest security breaches of the past ten years. These include "Operation Troy", the cyber-espionage campaign that took place from 2009 to 2012 and targeted the South Korean government.

In 2014, the same group breached the networks of Sony Pictures using more sophisticated techniques. More recently, the group is alleged to have targeted a range of other organisations, including Banco del Austro in Ecuador, Tien Phong Bank in Vietnam and other banks in Poland, Mexico, Bangladesh and Taiwan, and to have stolen millions of dollars.

Security experts believe that Lazarus is divided into at least two subgroups: the first subgroup, named Andariel, focuses on infiltration and spying cyber-attacks against the South Korean government and South Korean organisations, whereas the second subgroup, Bluenoroff, specialises in financial and global cyber-attacks.

According to Check Point, an examination of malicious Office documents created for the Russian victims revealed two different infection flows.

In the main infection flow, three steps were observed. The first step consists of a .zip file containing a malicious Word document with macros and a benign lure PDF document. In the second step, the malicious macro downloads a VBS script from a Dropbox URL and then executes it.

The third step involves downloading a CAB file from the dropzone server, followed by extraction and execution of the embedded .exe file (the backdoor).
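One way a defender could look for this three-stage chain in endpoint process-creation telemetry, as an added example that is not from the Check Point report or this article (the log events, host names, file names and the use of expand.exe for CAB extraction are constructed assumptions):

```python
"""Detection sketch for the chain described above: Office macro -> VBS script
-> CAB download/extraction -> embedded EXE run. All events are constructed."""
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent_image, image, command_line)
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "winword.exe", r'"C:\Users\u\Downloads\report.docx"'),
    ("ws01", "winword.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\stage2.vbs"),
    ("ws01", "wscript.exe", "expand.exe", r"expand.exe C:\Users\u\AppData\Local\Temp\pkg.cab -F:* C:\Users\u\AppData\Local\Temp"),
    ("ws01", "wscript.exe", "backdoor.exe", r"C:\Users\u\AppData\Local\Temp\backdoor.exe"),
    ("ws02", "explorer.exe", "winword.exe", r'"C:\Users\v\Documents\notes.docx"'),
    ("ws02", "winword.exe", "splwow64.exe", r"splwow64.exe 12288"),  # benign Office child
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def score_host(events):
    """Return the set of chain stages seen in one host's (parent, image, cmd) events."""
    stages = set()
    for parent, image, cmd in events:
        # Stage 2: an Office process launching a script host on a .vbs file
        if parent in OFFICE and image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I):
            stages.add("office_spawns_vbs")
        # Stage 3a: CAB extraction (assumes expand.exe; other extractors exist)
        if image == "expand.exe" and re.search(r"\.cab\b", cmd, re.I):
            stages.add("cab_extraction")
        # Stage 3b: the script host running an executable dropped in Temp
        if parent in SCRIPT_HOSTS and re.search(r"\\Temp\\[^\\]+\.exe", cmd, re.I):
            stages.add("exe_from_temp")
    return stages


def flag_hosts(events, min_stages=2):
    """Group events per host and report hosts showing at least min_stages stages."""
    by_host = defaultdict(list)
    for host, parent, image, cmd in events:
        by_host[host].append((parent, image, cmd))
    flagged = {}
    for host, ev in by_host.items():
        stages = score_host(ev)
        if len(stages) >= min_stages:
            flagged[host] = sorted(stages)
    return flagged


if __name__ == "__main__":
    print(flag_hosts(SAMPLE_EVENTS))
```

Requiring two or more stages on the same host keeps a lone Office-to-script launch from paging anyone, while still surfacing the full chain.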

The researchers also revealed that all the documents used in the campaign against Russian entities included similar metadata and a Korean code page.

According to the researchers, attackers also used multiple lure images to tempt the victims "to click the 'Enable Content' button and trigger the malicious macro code".