Cyber Security News

Lazarus Group Infostealer Malware Attacking Developers In New Campaign

The notorious Lazarus Group, a North Korean Advanced Persistent Threat (APT) group, has been linked to a sophisticated campaign targeting software developers.

This campaign involves the use of infostealer malware, designed to steal sensitive information from developers’ systems.

The attack leverages social engineering tactics, including fake job interviews and compromised NPM packages, to deceive developers into executing malicious scripts.

The malware campaign involves a multi-stage modular approach, using techniques such as Base64 encoding and zlib compression to obfuscate the malicious code.

Threat intelligence researcher Rayssa Cardoso identified a key component of the attack: a Python script that uses a lambda function to decode and execute the malware:-

_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)

This one-liner reverses the input string, decodes it from Base64, decompresses the result with zlib, and then executes the reconstructed Python code with exec(). The argument the lambda is applied to, the encoded payload itself, is cut off in the excerpt above. Because the recipe is fixed (reverse, Base64-decode, zlib-decompress), an analyst can apply it statically to recover each stage without ever running the code.
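To show the decoding chain without calling exec(), here is an added Python example written for this page; it is not the malware's own code and not the researcher's tooling. It builds a constructed two-layer stub in the same reverse/Base64/zlib shape as the one quoted above, detects the stub pattern with a regex, and statically peels the layers back to the inner source. The inner payload text, the regex and helper names, and the two-layer nesting are assumptions for the demo; the only thing taken from the page is the zlib, Base64, reversed-string chain.

```python
import base64
import re
import zlib

# Constructed innermost stage for the demo (harmless; not a captured payload).
INNER_STAGE = "print('stage 2 would run here')"

# Signature of the decoder stub quoted in the article: zlib.decompress over
# base64.b64decode, both reached via __import__.
STUB_RE = re.compile(
    r"__import__\(['\"]zlib['\"]\)\.decompress\("
    r"__import__\(['\"]base64['\"]\)\.b64decode\("
)
# The encoded payload is the bytes literal the lambda is applied to; a reversed
# Base64 string still uses only the Base64 alphabet, so one class is enough.
PAYLOAD_RE = re.compile(r"b'([A-Za-z0-9+/=]+)'")


def pack_layer(source: str) -> bytes:
    """Build one layer the way the stub expects: zlib, then Base64, then reverse."""
    return base64.b64encode(zlib.compress(source.encode()))[::-1]


def build_stub(source: str) -> str:
    """Wrap source in a stub shaped like the one on the page (hypothetical sample)."""
    payload = pack_layer(source).decode()
    return (
        "_ = lambda __ : __import__('zlib').decompress("
        "__import__('base64').b64decode(__[::-1]));"
        f"exec((_)(b'{payload}'))"
    )


def unwrap_layer(blob: bytes) -> str:
    """Inverse of the lambda without exec(): reverse, Base64-decode, zlib-decompress."""
    return zlib.decompress(base64.b64decode(blob[::-1])).decode()


def is_decoder_stub(source: str) -> bool:
    """True when the text contains the zlib/base64 decoder stub signature."""
    return STUB_RE.search(source) is not None


def unwrap_all(source: str, max_layers: int = 10) -> list[str]:
    """Peel nested stubs statically, returning every stage from outer to inner.
    Stops at max_layers or when a stub carries no recoverable literal."""
    stages = [source]
    while is_decoder_stub(stages[-1]) and len(stages) <= max_layers:
        match = PAYLOAD_RE.search(stages[-1])
        if match is None:
            break  # do not guess at a payload that is not in the text
        stages.append(unwrap_layer(match.group(1).encode()))
    return stages


# Constructed two-layer sample: a stub whose decoded output is itself a stub.
SAMPLE_STAGE0 = build_stub(build_stub(INNER_STAGE))

if __name__ == "__main__":
    for depth, stage in enumerate(unwrap_all(SAMPLE_STAGE0)):
        print(f"stage {depth} ({len(stage)} chars): {stage[:70]}...")
```

The point of unwrap_all is that each recovered stage is returned as text for review, never evaluated; real samples often nest several such layers, and a bounded loop keeps a hostile or malformed blob from spinning the analysis tool.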

Campaign Structure

The malware structure includes several files and folders:-

  • script.py: The main file containing instructions to call other script functions.
  • sysinfo folder: Contains files for detecting the victim’s operating system and communicating with the Command and Control (C2) server on port 1224.
  • n2 folder: Includes files for reading registry keys, storing collected information, installing required libraries, and collecting system and geolocation data.

Lazarus Group uses social engineering tactics like the “ClickFix” method, in which users are shown a seemingly legitimate fix or verification button and, by following it, end up running the malicious script themselves.

ClickFix Campaign (Source – Medium)

Another tactic involves fake recruiter profiles on platforms like LinkedIn and GitHub, inviting developers to participate in online interviews.

Obfuscated Code (Source – Medium)

During these interviews, candidates are asked to execute malicious code, leading to the installation of malware.

Contagious Interview (Source – Medium)

The campaign involves several types of malware, including:-

  • BeaverTail (JavaScript): Acts as a loader.
  • InvisibleFerret (Python): Functions as a backdoor and infostealer.
  • Tsunami: A backdoor, RAT, and infostealer used in the Operation99 campaign.

Contagious Interview Campaign Chain (Source – Medium)

The combination of targeted social engineering and layered obfuscation shows the need for strict vigilance: developers should treat any code a recruiter or unfamiliar package asks them to run as untrusted, execute it only in an isolated, disposable environment if at all, and defenders should alert on the network indicators below.

Indicators of Compromise (IoC)

  • 5.253.43[.]122:1224
  • 41.208.185[.]235
  • 95.164.7[.]171:8637
  • http[:]//ip-api[.]com/json
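As an added example (mine, not from the article or the researcher), the following Python normalises the defanged indicators above and checks them against a few constructed key=value connection log lines. The log format, the field names dst, dport and host, and the sample lines are assumptions for the demo; a real deployment would map them to the proxy or flow fields actually in use.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the article's IoC list, still defanged.
IOCS = [
    "5.253.43[.]122:1224",
    "41.208.185[.]235",
    "95.164.7[.]171:8637",
    "http[:]//ip-api[.]com/json",
]

# Constructed sample log lines (key=value, not a real product format) for the demo.
SAMPLE_LOGS = [
    "ts=2025-03-24T10:00:01Z src=10.0.0.5 dst=5.253.43.122 dport=1224 proto=tcp",
    "ts=2025-03-24T10:00:02Z src=10.0.0.5 dst=5.253.43.122 dport=443 proto=tcp",
    "ts=2025-03-24T10:00:03Z src=10.0.0.7 dst=41.208.185.235 dport=8080 proto=tcp",
    "ts=2025-03-24T10:00:04Z src=10.0.0.7 dst=208.95.112.1 dport=80 host=ip-api.com",
    "ts=2025-03-24T10:00:05Z src=10.0.0.9 dst=1.1.1.1 dport=443 proto=tcp",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so indicators match live data."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_ioc(ioc: str) -> tuple:
    """Return (host, port); port is None when the indicator applies to any port."""
    value = refang(ioc)
    if "://" in value:
        parsed = urlparse(value)
        return parsed.hostname, parsed.port
    host, _, port = value.partition(":")
    return host, (int(port) if port else None)


def parse_log_line(line: str) -> dict:
    """Split a key=value line into a dict (constructed format, see SAMPLE_LOGS)."""
    return dict(KV_RE.findall(line))


def match_line(line: str) -> list:
    """Return [(ioc, level)] for every indicator whose host appears in the line.
    level is 'exact' when the port agrees (or the indicator has no port) and
    'host-only' when the known C2 host is contacted on a different port."""
    fields = parse_log_line(line)
    seen_hosts = {fields.get("dst"), fields.get("host")} - {None}
    port = int(fields["dport"]) if "dport" in fields else None
    hits = []
    for ioc in IOCS:
        host, ioc_port = parse_ioc(ioc)
        if host not in seen_hosts:
            continue
        level = "exact" if ioc_port is None or ioc_port == port else "host-only"
        hits.append((ioc, level))
    return hits


def scan(lines: list) -> list:
    """Return (line, hits) for every line that matched at least one indicator."""
    return [(line, hits) for line in lines if (hits := match_line(line))]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(line)
        for ioc, level in hits:
            print(f"    {level:9s} {ioc}")
```

A host-only hit on a published C2 address is still worth a look, since operators move ports; the ip-api.com indicator, on the other hand, is a public geolocation API that plenty of legitimate software calls, so treat a hit there as supporting evidence (for example, a Python process on a developer workstation making the request) rather than a detection on its own.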

MITRE ATT&CK TTPs

  • T1027 – Obfuscated Files or Information
  • T1027.002 – Obfuscated Files or Information: Software Packing
  • T1204.002 – User Execution: Malicious File
  • T1564.001 – Hide Artifacts: Hidden Files and Directories
  • T1082 – System Information Discovery

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.