In an unusual move, the Lazarus hacking group associated with the North Korean government has recently started targeting organizations from Russia. The group’s primary targets until now have been organizations from countries with which North Korea has geopolitical tensions, such as South Korea, Japan and the United States.
Researchers from Check Point Software Technologies found malicious Word and Excel documents that had been uploaded to the VirusTotal scanner in January from Russia. The files contained malicious macros and images with Russian text, yet had a Korean code page.
The text was meant to convince users to enable the macros, which triggered an infection chain that downloaded a malicious VBS script from a Dropbox account and executed it. That script then downloaded a CAB archive that contained the final payload, a remote access tool (RAT) dubbed KEYMARBLE.
The US-CERT issued an alert about KEYMARBLE in August and attributed it to Kidden Cobra, the name the organization uses for the Lazarus Group.
Once installed, the malware program connects to a command-and-control server and waits for instructions. Attackers can use it to collect information from the compromised systems or to perform other actions.
“It is interesting to note, that by encapsulating the backdoor in a CAB file, the attackers were able to lower the detection rate of this sample from five vendors to a mere two vendors, who detected this file as malicious on VirusTotal,” the Check Point researchers said in their report.
The timing of this campaign coincides with another operation attributed to Lazarus that was reported by Korean security firm ESTsecurity at the end of January. However, that operation targeted South Korean companies and used different tactics and techniques.
“It is long believed among the security community that Lazarus is divided into at least two subdivisions: the first named Andariel which focuses primarily on attacking the South Korean government and organizations, and the second, Bluenoroff, whose main focus is monetization and global espionage campaigns,” the Check Point researchers said. “The differences between the two campaigns, which were conducted at the same time, provides wind once again to the theory that multiple divisions are at work here.”
The malicious documents used in this campaign were delivered via spear-phishing emails inside ZIP attachments, sometimes together with a decoy PDF document masquerading as a non-disclosure agreement.
Decryption Tool Available for GandCrab 5.1 Ransomware
Researchers from antivirus vendor Bitdefender in collaboration with the Romanian Police, Europol and other law enforcement agencies have found a way to decrypt files affected by version 5.1 of the GandCrab ransomware.
A decryptor for GandCrab already existed on NoMoreRansom.org, a website set up by the Dutch National High Tech Crime Unit and Europol to host ransomware recovery tools, but it only worked for versions up to 5.0.3 of the malicious program. The tool has now been updated to support version 5.1 as well.
“While this is the third time we have defeated GandCrab encryption in the past year, our celebration will be short-lived,” said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, in a blog post. “We’ll be back to work tomorrow, as GandCrab operators will no doubt change tactics and techniques.”
Until that happens, GandCrab victims who have kept the affected files can now recover them by using the instructions provided with the tool. This is a good example of why it’s always best to save files encrypted by ransomware in case a solution might later become available.
GandCrab’s developers share their creation with other cybercriminals under a malware-as-a-service model, where those who use it agree to pay a cut of the ransoms. This means that the ransomware program is used by many groups and is distributed in a variety of ways.
Other infection methods seen in the past involved compromising computers through Remote Desktop Protocol (RDP) connections that used weak credentials. More recently, attackers exploited vulnerabilities in remote IT support software to deliver the ransomware.