It has long been thought that Russia is a no-go area for North Korean hacking group Lazarus. Russia is one of North Korea’s few friends, along with China.
Now, however, Check Point researchers have detected what they suspect is a Lazarus attack on Russian targets. “For the first time,” it announces in a blog post today, “we were observing what seemed to be a North Korean coordinated attack against Russian entities.”
Check Point believes the attacks emanate from the Bluenoroff division of Lazarus. Bluenoroff is believed to be primarily tasked with ‘monetization’, while a separate division, named Andariel, is tasked with targeting South Korean entities.
Lazarus (probably Bluenoroff) is believed to be behind some of the most notorious attacks of the last few years, including the Sony Pictures Entertainment, and the $81 million Bangladesh bank theft.
Key to Check Point’s belief that this is a Lazarus campaign is the final payload — a versatile Lazarus backdoor that has been named KEYMARBLE by the US-CERT. A DHS report from August 2019 describes KEYMARBLE as a RAT that uses “a customized XOR cryptographic algorithm… to secure its data transfers and command-and-control (C2) sessions. It is designed to accept instructions from the remote server.”
The infection flow used in this campaign comprises three primary steps. The first is an attached ZIP file containing a benign decoy PDF and a Word document containing malicious macros. In one example, the benign document contains an NDA for StarForce Technologies, a Russia-based company that provides copy-protection solutions. The malicious Word macros download a VBS script from a Drobox URL. The VBS script executes and downloads a CAB file from a compromised server, extracts the payload and executes it.
At some point during the campaign, however, the attackers decided to skip the second stage. They modified the malicious Word macros to download and execute the backdoor directly.
“A closer look at the compromised server shows an unconvincing website for the ‘Information Department’ of the ‘South Oil Company’,” writes Check Point. “The server is located in Iraq and hosted by EarthLink Ltd. Communications&Internet Services.” The CAB file is disguised as a JPEG image.
The real surprise in this campaign is that North Korea should now treat Russia as a target — and there will be questions over whether this is a false flag attack from some other party. Check Point is, however, confident. “While attributing attacks to a certain threat group or another is problematic,” it states, “the analysis… reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group — Lazarus.”
If the attribution is right, the interesting geo-political question is why should North Korea turn against a ‘friendly’ nation? It could, of course, be as simple as revenge. Just one year ago, cyber-attacks against the South Korean PyeongChang Winter Olympic Games were rapidly attributed to North Korea. One month later, Kaspersky announced that the malware used contained sophisticated false flags. One theory is that it originated from Russia, another is that it was China.
Other false flag options could include a criminal gang trying to disguise itself, or any one of numerous western nations trying to sow discord between North Kora and Russia. Or it could simply be that for some reason, Russia is now on the Lazarus list of acceptable targets.
Related: False Flags and Mis-Direction in Hacker Attribution
Related: U.S. Charges North Korean Over Lazarus Group Hacks
Related: Was North Korea Wrongly Accused of Ransomware Attacks?
Related: North Korean Attacks on Banks Attributed to ‘APT38’ Group
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Tags: 
