{"id":1290,"date":"2022-01-31T00:00:00","date_gmt":"2022-01-31T07:00:00","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=1290"},"modified":"2022-01-30T22:11:46","modified_gmt":"2022-01-31T05:11:46","slug":"how-north-korea-is-targeting-us-defense-corporations","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/31\/how-north-korea-is-targeting-us-defense-corporations\/","title":{"rendered":"How North Korea is targeting US Defense Corporations"},"content":{"rendered":"\n<p>Recently, the Malwarebytes Threat Intelligence Team discovered a new spear phishing and malware attack from a notorious hacker group, Lazarus Group, a North Korean state-sponsored APT, or Advanced Persistent Threat.<sup>[1]<\/sup> In a nutshell, an APT is an adversary with many resources and a high level of expertise, which it leverages to infiltrate the IT system of an organization to extract information or undermine its mission. APTs typically remain in a system for an extended period, adapting to any defenses.<sup>[2]<\/sup> Lazarus is believed to be behind the 2017 WannaCry ransomware attack, a 2014 cyberattack on Sony Pictures thought to be related to the release of \u2018<em>The Interview\u2019<\/em> <sup>[3]<\/sup>, a Sony Pictures film which North Korea was not too pleased about, and various other cybercrimes.<sup>[4]<\/sup><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-spear-phishing\">What is Spear Phishing?<\/h3>\n\n\n\n<p>Spear phishing is a form of phishing attack. In a phishing attack, users are tricked into believing that a website or electronic communication is legitimate, and they click on a link that hands their personal details to an adversary or inadvertently installs malware on their machine. Spear phishing follows the same basic principles, with the key difference that it is targeted at a specific individual or organization. 
Because the attacker poses as a trustworthy source and uses personal information about the target, even vigilant users can fall for this attack, leading to serious data loss, malware infection, or espionage if a component of an organization\u2019s IT infrastructure is compromised.<sup>[5]<\/sup><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"385\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/phishing-vs-spear-phishing-1024x385.png\" alt=\"\" class=\"wp-image-1292 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/phishing-vs-spear-phishing-1024x385.png 1024w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/phishing-vs-spear-phishing-300x113.png 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/phishing-vs-spear-phishing-768x289.png 768w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/phishing-vs-spear-phishing-1536x578.png 1536w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/phishing-vs-spear-phishing-1568x590.png 1568w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/phishing-vs-spear-phishing.png 1972w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/385;\" \/><figcaption>The difference between phishing and spear phishing.<sup>[6]<\/sup><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-exactly-did-lazarus-do\">What exactly did Lazarus do?<\/h3>\n\n\n\n<p>Lazarus targeted the US defense industry (a natural target for a government-run cybercrime group) by advertising job opportunities at Lockheed 
Martin, an American aerospace, arms, and defense corporation. The job opportunities come in the form of a Word document with a malicious macro embedded.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"576\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-1024x576.jpg\" alt=\"\" class=\"wp-image-1293 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-1024x576.jpg 1024w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-300x169.jpg 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-768x432.jpg 768w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-1536x864.jpg 1536w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-1568x882.jpg 1568w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1.jpg 1592w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/576;\" \/><figcaption>The cover page of the malicious document. <sup>[1]<\/sup><\/figcaption><\/figure>\n\n\n\n<p>When the macro runs, it hijacks control flow (the flow of code execution) in a novel way and executes its own malicious code to create a DLL (Dynamic-link Library), effectively an extension to an executable file that cannot run on its own. 
This DLL is initialized by a function in the macro and serves to inject explorer.exe (Windows Explorer) with another DLL, which in turn exploits Explorer to check for and execute yet another DLL that is run using the Windows Update Client. This clever trick is how it bypasses security detection, since Windows Update is assumed to be a trusted process. <\/p>\n\n\n\n<p>At this point in the attack, the malware utilizes GitHub to download a .PNG file which disguises yet another DLL, which retrieves the username, computer name, and list of all running processes on the computer, and commits them to the same GitHub repository.<sup>[1]<\/sup><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"653\" data-src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-1536x980-1-1024x653.jpg\" alt=\"\" class=\"wp-image-1295 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-1536x980-1-1024x653.jpg 1024w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-1536x980-1-300x191.jpg 300w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-1536x980-1-768x490.jpg 768w, https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-1536x980-1.jpg 1536w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/653;\" \/><figcaption>Detailed flow of execution of the malware. 
<sup>[1]<\/sup><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"impacts\">Impacts<\/h3>\n\n\n\n<p>Unfortunately, the Malwarebytes Team were only able to get their hands on this DLL and were not able to determine any more information about the potential impacts of this malware.<sup>[1]<\/sup> However, considering the history of this APT, it is safe to say that there was something more going on, possibly stealing data or sabotaging operations. Their use of three new techniques, namely the way they hijacked control flow, the use of Windows Update to bypass detection, and the use of GitHub as a remote server, demonstrates their ability and the threat they pose.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"in-concluding\">In concluding&#8230;<\/h3>\n\n\n\n<p>I hope this has shed light on this new attack, and that you learned something today. If you are interested in the way Lazarus hijacked control flow, or if you are looking for any further details, I\u2019d recommend you read the Malwarebytes blog post ([1]). <\/p>\n\n\n\n<p>Finally, be careful about any emails sent to you! 
You never know what might be hiding beneath the surface.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"references\">References<\/h4>\n\n\n\n<p>[1] <a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/\">https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/<\/a><\/p>\n\n\n\n<p>[2] <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/advanced_persistent_threat\">https:\/\/csrc.nist.gov\/glossary\/term\/advanced_persistent_threat<\/a><\/p>\n\n\n\n<p>[3] <a href=\"https:\/\/resources.infosecinstitute.com\/topic\/cyber-attack-sony-pictures-much-data-breach\/\">https:\/\/resources.infosecinstitute.com\/topic\/cyber-attack-sony-pictures-much-data-breach\/<\/a><\/p>\n\n\n\n<p>[4] <a href=\"https:\/\/www.justice.gov\/opa\/pr\/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\">https:\/\/www.justice.gov\/opa\/pr\/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and<\/a><\/p>\n\n\n\n<p>[5] <a href=\"https:\/\/www.kaspersky.com\/resource-center\/definitions\/spear-phishing\">https:\/\/www.kaspersky.com\/resource-center\/definitions\/spear-phishing<\/a><\/p>\n\n\n\n<p>[6] <a href=\"https:\/\/asset.unitybank.com.au\/images\/phishing-vs-spear-phishing.png\">https:\/\/asset.unitybank.com.au\/images\/phishing-vs-spear-phishing.png<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, the Malwarebytes Threat Intelligence Team discovered a new spear phishing and malware attack from a notorious hacker group, Lazarus Group, a North Korean state-sponsored APT, or Advanced Persistent Threat.[1] In a nutshell, an APT is an adversary with many resources and a high level of experience, which it leverages to infiltrate the IT system &hellip; <\/p>\n<p class=\"link-more\"><a 
href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/31\/how-north-korea-is-targeting-us-defense-corporations\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How North Korea is targeting US Defense Corporations&#8221;<\/span><\/a><\/p>\n","protected":false},"author":400,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-1290","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Ben Schmidt","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/ben-schmidt\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/400"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=1290"}],"version-history":[{"count":2,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1290\/revisions"}],"predecessor-version":[{"id":1297,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/1290\/revisions\/1297"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=1290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=1290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v
2\/tags?post=1290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}