Hackers from the North Korean-linked Lazarus Group have reportedly targeted US defence contractors as tensions between the US and North Korea increase.
Researchers at Palo Alto Networks said that it is 'clear' that the Lazarus Group, which also hacked Sony in 2014, is behind the attacks; tools, techniques and procedures are shared between both operations.
"This re-use of macro source code, XOR keys used within the macro to decode implant payloads, and the functional overlap in the payloads the macros write to disk demonstrates the continued use of this tool set by this threat group," Palo Alto says in its blog post.
"In addition to tool reuse, infrastructure overlaps also exist. URLs used for hosting the malicious documents and IPv4 addresses used for command and control overlap with infrastructure previously used by the group."
Lazarus is widely accepted to be controlled by the North Korean government; it targets opposing regimes and has recently become involved in attacking private companies and financial institutions.
In this most recent campaign, the attackers have been using infected Microsoft Office files, distributed through phishing emails and using the same macros as observed before. They are likely hosted on compromised servers, writes Palo Alto.
One difference between this and earlier threats using the same payload is that these documents are written in English, rather than Korean. They describe job openings at various defence contractors, such as Sikorskys Mission Equipment.
When a computer is infected, the hacker(s) would be able to execute commands on the system. Although a basic capability, it would provide a foothold to go on to more dangerous grounds, such as installing additional tools or attempting to spread the infection to other machines in the network.
Palo Alto believes that the threat actors behind the attack will continue to use the same techniques in future campaigns. µ
Computing's DevOps Summit returns on 19 September. Attendance is free to qualifying IT leaders and other senior IT professionals, but places will go fast, so secure yours now.
Kicking Palantir off of AWS is among their demands, too
Rafaela Vasquez was watching The Voice at the time of the crash, new evidence shows
PUBG price slashed on Steam after selling more than 50 million copies - as daily player numbers plunge
Use the same password for every website? It might be time to change them all