Updated: Feb 2
Taking advantage of its well-known “job opportunities” method, the group created fake Lockheed Martin documents
A new spear phishing campaign, which abuses Windows Update to run code from malicious documents masquerading as job opportunities at aerospace giant Lockheed Martin, was discovered last week by the Malwarebytes Threat Intelligence team.
The team attributes the campaign to Lazarus, the prolific threat group believed to be backed by the North Korean state, and estimates that the fake documents were in use from late December 2021 into early 2022.
Lazarus, also known as Hidden Cobra, Zinc, APT38 and Whois Hacking Team, has been active since at least 2009. It has been linked to large-scale ransomware, cryptocurrency and espionage campaigns, most notably the 2017 WannaCry attack, the 2014 Sony breach and various malicious activity against pharmaceutical companies since the start of the Covid-19 pandemic. In 2019, the US Department of the Treasury imposed sanctions on the group.
In this new campaign, opening the fake “Lockheed Martin” document triggers a chain of malicious activity. Luring targets with fake job opportunities is a well-known Lazarus tactic, previously documented by AT&T and ClearSky Cyber Security.
“The group keeps updating its toolset to evade security mechanisms,” conclude the Malwarebytes researchers. “Though they have used their old job theme method, they employed several new techniques to bypass detections.”
Earlier this month, Chainalysis reported that North Korean cybercriminals extracted nearly $400 million in digital assets during 2021. The company believes that many of the attacks were carried out by Lazarus and its affiliates.