Lazarus Group Deploys Sophisticated Infostealer Malware

North Korea’s Lazarus Group is targeting software developers and IT experts through an advanced infostealer malware campaign. Utilizing malicious Python scripts, fake job interviews, and social engineering, they steal sensitive data and establish persistent access to systems. The malware incorporates multiple layers of encoding and evasion techniques, ultimately delivering a Remote Access Trojan (RAT) known as Tsunami. The campaign employs tactics such as “Contagious Interview” and “ClickFix” to manipulate victims into executing harmful code.

Technical Description

Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1, used in limited targeted attacks against developers. This highlights the evolving nature of their tactics and the continuous need for enhanced cybersecurity measures.

This ongoing activity highlights the importance of vigilance against social engineering and the need for robust cybersecurity defenses to mitigate such sophisticated threats.

Evasion Techniques:
The infostealer malware uses several layers of encoding and evasion strategies. The malicious Python code first decodes itself with Base64, decompresses the data using ZLIB, and then executes the final payload via Python’s exec() function. This multi-stage obfuscation ensures that the true malware code remains hidden until multiple layers are decoded and decompressed. Such techniques make it difficult for conventional security solutions to detect and analyze the malware, as each layer of obfuscation must be dismantled to reveal the core threat.
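To show what the layered base64/zlib/exec loader described above looks like to an analyst, here is an added example (not code from the report or from the malware) of a static unwrapper that peels such layers without ever executing them. The stub regex, the fixture builder and the benign inner snippet are assumptions constructed for this example; real samples vary in layout.

```python
import base64
import re
import zlib

# Assumed loader shape from the report: base64 decode -> zlib decompress -> exec.
# The exact layout is an assumption; real samples may differ in spacing or aliasing.
STUB_RE = re.compile(
    r"exec\(\s*zlib\.decompress\(\s*base64\.b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)",
    re.DOTALL,
)


def peel_layers(source: str, max_layers: int = 16):
    """Statically unwrap nested base64+zlib+exec stubs without running them.

    Returns (innermost_plaintext, number_of_layers_removed). A max_layers cap
    guards against pathological samples that never terminate.
    """
    layers = 0
    current = source
    while layers < max_layers:
        match = STUB_RE.search(current)
        if not match:
            break
        blob = base64.b64decode(match.group(1))
        # zlib.decompress raises zlib.error on corrupt data; let that surface
        # so the analyst sees which layer failed rather than silently stopping.
        current = zlib.decompress(blob).decode("utf-8", errors="replace")
        layers += 1
    return current, layers


def build_fixture(payload: str, depth: int) -> str:
    """Constructed test fixture: wrap a benign snippet `depth` times in the
    same stub shape so the unwrapper has something to peel."""
    current = payload
    for _ in range(depth):
        encoded = base64.b64encode(zlib.compress(current.encode())).decode()
        current = f"exec(zlib.decompress(base64.b64decode('{encoded}')))"
    return current


if __name__ == "__main__":
    # Constructed sample: three nested layers around a harmless assignment.
    sample = build_fixture("RESULT = 'harmless inner script'", depth=3)
    inner, removed = peel_layers(sample)
    print(f"removed {removed} layers -> {inner}")
```

Each peeled layer can be written to disk and hashed separately, which gives detection content for every stage rather than only the outer wrapper.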

System Fingerprinting and Data Collection:
Once de-obfuscated, the malware begins collecting detailed system information, including the operating system type, device names, active user profiles and geolocation data. This reconnaissance enables attackers to tailor their operations to the specific environment they have infiltrated. Additionally, the malware monitors clipboard activity and logs keystrokes, capturing sensitive data such as passwords, personal messages and confidential information. To maintain persistent access, the malware also deploys a backdoor, allowing attackers to remotely control infected machines, execute arbitrary commands and exfiltrate data as needed.

Social Engineering Tactics:
The Lazarus Group uses advanced social engineering strategies to trick victims into executing harmful code. One such approach, called “Contagious Interview,” involves fake job offers posted on platforms like LinkedIn, GitHub and Discord. Posing as recruiters, the attackers invite targets to participate in online interviews. During these sessions, victims are guided to run scripts or install NPM packages containing the infostealer malware and a backdoor, enabling system compromise.

Another method, “ClickFix,” exploits deceptive error messages that prompt victims to click a button to “resolve” an issue. By doing so, they unknowingly run malicious scripts that further compromise their systems. These tactics demonstrate the group’s reliance on psychological manipulation to bypass security defenses.

Malware Structure:
The malware functions in a modular structure, with several components working in unison to achieve its goals. The main script, script.py, coordinates the execution of different tasks and maintains communication with the command and control (C2) server. The sysinfo module collects system information and establishes a connection to the C2 infrastructure. Meanwhile, the n2 module manages data, verifies Python registry keys, and installs required dependencies.

The pay module carries out key malicious operations, including system fingerprinting, keylogging, and collecting clipboard data. It also establishes an SSH connection, allowing remote command execution. This enables the attackers to retain control over the compromised system, exfiltrate data and leave minimal forensic traces.

Conclusion

The infostealer malware campaign by the Lazarus Group presents a significant threat, utilizing complex evasion techniques and misleading social engineering approaches to target software developers and IT experts. Its layered obfuscation and advanced data-extraction features make it a powerful cyber risk. Organizations need to remain vigilant and implement robust security measures to combat these threats. An effective defense plan should incorporate endpoint detection and response (EDR) tools, regular security evaluations and thorough employee training on cybersecurity best practices to minimize the chances of a breach.

Impact

The infostealer malware operation by the Lazarus Group could result in major data breaches, financial setbacks and damage to a company’s reputation. By focusing on software developers and IT experts, the attackers acquire access to confidential data and vital systems, potentially exposing entire networks. The deployment of advanced evasion strategies and social engineering methods heightens the challenge of identifying and preventing the threat.

IOC and Context Details

Tactic Name: Persistence, Execution, Defense Evasion, Discovery, Credential Access, Collection, Initial Access
Technique Name: Event Triggered Execution, Boot or Logon Autostart Execution, User Execution, Command and Scripting Interpreter, Indicator Removal, Process Injection, Obfuscated Files or Information, Hide Artifacts, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Credentials from Password Stores, Input Capture, Valid Accounts
Sub-Technique Name: Accessibility Features, Registry Run Keys / Startup Folder, Malicious File, Python, Windows Command Shell, File Deletion, Dynamic-link Library Injection, Software Packing, Hidden Files and Directories, Wi-Fi Discovery, Credentials from Web Browsers, Keylogging, Local Accounts
Attack Type: Vulnerability
Targeted Applications: Windows
Region Impacted: Global
Industry Impacted: All
IOC IPs: 95.164.7.171, 91.92.120.132, 5.253.43.122
CVE: NA

Recommended Actions

  1. Enforce multi-factor authentication (MFA) across all accounts.
  2. Frequently update and apply patches to systems to fix known security flaws.
  3. Utilize endpoint detection and response (EDR) tools.
  4. Perform routine security assessments and network monitoring.
