North Korea is Reusing Malware! What Does This Mean?

Among the hacking groups from North Korea, one called Lazarus has plundered and pillaged the global internet, scamming and infecting digital devices around the world for espionage, profit, and sabotage. One of its weapons is a loader that lets it clandestinely run a diverse array of malware on targeted Macs with hardly a trace. However, Lazarus did not create this loader. Instead, the group seems to have found the tool online and adapted it to enhance its attack capabilities. According to the research, Lazarus Group started to use the loader in 2016 and 2018. The tool has been improved continuously and has become more mature. Victims are usually trapped through phishing or another scam. Once they install the loader, it beacons out to the attacker’s server. The server responds by sending encrypted software for the loader to decrypt and run.

LIFARS’ Cyber Resiliency Team can provide your organization with a real phishing attack simulation. Based on the results collected and our in-depth analysis of the company email system (encryption, protocols, filters, etc.), we will help optimize the system to increase the overall security posture to help keep cybercriminals from entering your network.

According to former National Security Agency analyst Patrick Wardle, the loader he examined is especially appealing because it is designed to run any “payload,” or malware. Instead of installing the payload on the hard drive, it can receive it directly in a computer’s random access memory (RAM). Because the malware attacks without a file, it leaves no record of ever having been installed on the system. In other words, this makes it much harder to detect an intrusion or investigate an incident later. The researcher described it as a payload-agnostic “first stage” attack tool that can be used to run any type of “second stage” attack on a target’s system. However, Lazarus does not utilize this feature.


