Computer Fraud & Security. 2021 Jan 18;2021(1):3. doi: 10.1016/S1361-3723(21)00003-8

North Korea attacks Covid-19 research bodies

PMCID: PMC9759845

Abstract

The Lazarus group, North Korea's state-run hacking operation, recently targeted two organisations in an attempt to steal research relating to Covid-19 vaccines, according to an analysis by Kaspersky.


The two attacks used different tactics, techniques and procedures (TTPs), but Kaspersky said it found enough in common – including similarities in the post-exploitation process – to convince it that the same attacker was behind both incidents. And the malware used points directly to the Lazarus group.

Kaspersky doesn't name the targets in its report, but says that a government ministry of health was attacked using the wAgent malware in October 2020, with two servers being compromised. The malware opened a reverse shell, allowing the attackers access to the machines.

The second attack, in September 2020, used the Bookcode malware against a pharmaceutical firm developing and distributing a Covid-19 vaccine. This malware also has the capability to open a backdoor. Kaspersky couldn't identify the infection vector in this case. In the past, Lazarus has used spear-phishing to deliver malware, although ESET has also previously detected supply-chain attacks in which the malware was injected into updates for legitimate software used by targets.

“These two incidents reveal the Lazarus Group's interest in intelligence related to Covid-19,” Kaspersky said in its report. “While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well.”

The TTPs that helped Kaspersky identify the attackers as Lazarus included: extracting information from the infected host, including password hashes from a dump of the registry SAM hive; using built-in Windows commands to check network connectivity; and using the WakeMeOnLan tool to scan other hosts on the same network.
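To show how the TTP cluster above could be turned into detection logic, here is an added Python example (not from the article or from Kaspersky): it runs assumed command-line and image patterns for the three behaviours over constructed Sysmon-style process-creation records and flags hosts that show more than one of them, since the article presents the combination rather than any single behaviour as the attribution signal. The event fields, rule patterns and threshold are assumptions, not details from the report.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in a Sysmon Event ID 1 style.
# Illustrative records only, not telemetry from the incidents in the article.
SAMPLE_EVENTS = [
    {"host": "srv01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\s.hiv"},
    {"host": "srv01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ping -n 1 10.0.0.5"},
    {"host": "srv02", "image": r"C:\Users\Public\WakeMeOnLan.exe",
     "cmdline": "WakeMeOnLan.exe"},
    {"host": "srv03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Assumed patterns for the three TTPs: (event field to inspect, regex).
# The article names the behaviours but not the exact commands, so treat
# these as starting points to tune against your own telemetry.
RULES = {
    "sam_hive_export": ("cmdline",
        re.compile(r"\breg(\.exe)?\s+save\s+.*\bhklm\\sam\b", re.I)),
    "network_connectivity_check": ("cmdline",
        re.compile(r"\b(ping|ipconfig|netstat|nslookup|tracert)(\.exe)?\b", re.I)),
    "wakemeonlan_scan": ("image",
        re.compile(r"\\wakemeonlan\.exe$", re.I)),
}


def match_event(event):
    """Return the names of every rule the event trips, in RULES order."""
    return [name for name, (field, pat) in RULES.items()
            if pat.search(event[field])]


def correlate(events, min_ttps=2):
    """Collect distinct TTPs per host and return only hosts reaching min_ttps.

    A single ping is noise; SAM export plus connectivity checks on one host
    is the kind of post-exploitation cluster the article describes.
    """
    per_host = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            per_host[ev["host"]].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= min_ttps}


if __name__ == "__main__":
    for host, ttps in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(ttps)}")
```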

In its blog post, Kaspersky concluded: “We assess with high confidence that the activity analysed in this post is attributable to the Lazarus group. In our previous research, we already attributed the malware clusters used in both incidents described here to the Lazarus group.”

The Kaspersky report is here: http://bit.ly/3hKQ37d.

Meanwhile, the US Department of Justice (DOJ) has seized two domains that have previously been used to impersonate the real websites of two pharmaceutical companies involved in the development of Covid-19 vaccines – Moderna and Regeneron. The lookalike domains – mordernatx[.]com and regeneronmedicals[.]com – faithfully copied the real sites. However, the criminals behind them also used the sites to run scams, host malware and perform phishing attacks. For example, visitors to the ‘Contact us’ pages on both sites were asked to fill in copious amounts of personal data or to contact the companies via a phone number, which turned out to be a VoIP number connecting to the criminals behind the scams.

Finally, the US Federal Trade Commission (FTC) says that more than 275,000 US residents have reported financial losses amounting to more than $211m due to Covid-related scams since the start of 2020. There's more information here: http://tabsoft.co/2LmMZSG.


Articles from Computer Fraud & Security are provided here courtesy of Elsevier
