The hashing function accepts two parameters: the hash of the DLL and the hash of the function we are looking for in that DLL. The analysis provided in the blog is mainly based on the "Lockheed_Martin_JobOpportunities.docx" document but we also provide brief analysis for the second document (Salary_Lockheed_Martin_job_opportunities_confidential.doc) at the end of this blog. Some of the indicators that shows this attack operated recently are the domains used by the threat actor.īoth of the documents use the same attack theme and have some common things like embedded macros but the full attack chain seems to be totally different. The compilation time for both of these documents is, but we have enough indicators that confirm that they have been used in a campaign around late December 2021 and early 2022. Salary_Lockheed_Martin_job_opportunities_confidential.doc.The two macro-embedded documents seem to be luring the targets about new job opportunities at Lockheed Martin: We have reported the rogue GitHub account for harmful content. In this blog post, we provide technical analysis of this latest attack including a clever use of Windows Update to execute the malicious payload and GitHub as a command and control server. We identified two decoy documents masquerading as American global security and aerospace giant Lockheed Martin. In this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use their known job opportunities theme. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022. The group is responsible for many high profile attacks in the past and has gained worldwide attention. Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. This blog was authored by Ankur Saini and Hossein Jazi
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |