Lazarus Group Recruitment: Threat Hunters vs Head Hunters
Lazarus Group Recruitment: Threat Hunters vs Head Hunters
Published on 27 April 2021
Contents
Introduction At the end of September 2020, Positive Technologies Expert Security Center (PT Expert Security Center, PT ESC) was involved in the investigation of an incident in one of the largest pharmaceutical companies. After starting to analyze the tactics, techniques, and procedures (TTPs) of the attackers, the investigation team found similarities with the Lazarus Group attacks previously described in detail by cybersecurity experts in the reports Operation: Dream Job and Operation (노스 스타) North Star A Job Offer That s Too Good to be True? .
No Python Interpreter? This Simple RAT Installs Its Own Copy
For a while, I m keeping an eye on malicious Python code targeting Windows environments[1][2]. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default on most Windows operating systems. Python is often available on developers, system/network administrators, or security teams. Like the proverb says: You are never better served than by yourself , I found a simple Python backdoor that installs its own copy of the Python interpreter!
The backdoor is installed via a VBS script (SHA256:eda050c767cb65150b1f4c8a4307c15baf5aebf211367191aaf7ede3aee823d5) has a VT score of 11/58[3]. I don t know how it is delivered and executed on the target computer but, it is light and easy to read. Here is a full copy: