An unusually-high number of new malware variants linked to North Korean hackers may indicate a phase of increasing attacks against foreign targets, cybersecurity researchers told NK News on Tuesday.
Malware analysts at Intezer identified ten new samples attributed to the Lazarus Group within the past two weeks, a number that is “not common at all” and may be aiming to exploit common fears related to COVID-19, Vice President of Research Ari Eitan said.
“Those samples were uploaded from countries such as the United States and Canada, which may imply that NK tries to exfiltrate data and understand better what is going on in those countries from the inside,” Eitan explained. “You don’t get to see a lot of new Lazarus samples every day. As a nation-state actor, they choose their victims very carefully.”
The wave of malware variants may also be driven by the growing tensions on the Korean peninsula, analysts said.
“Aggressive cyber action is possible, but would be driven by the broader situation,” Ben Read, a senior manager of analysis at Mandiant Threat Intelligence, told NK News.
While the number of new variants discovered in such a short period is remarkable, the targets and basic tools used by Lazarus and other threat actors linked to North Korea has remained comparably stable, the experts said.
“Their malware continues to evolve in ongoing attempts to evade detection, but the major TTPs (Tactics, Techniques, and Procedures) of stealing credentials and spear-phishing remain consistent,” Read explained.
“Their targets are consistent with their historical average, including the U.S. defense industrial base, South Korean NGOs and technology companies and cryptocurrency users.”
Eitan predicted that the Lazarus Group’s strategy is to reuse the existing codebase to produce more tools and samples, changing only small parts to avoid being caught by classic anti-virus software using signatures to identify attacks.
“I believe we will continue to see more NK samples, targeting governments/organizations, with minimum evolvements of their tools,” Eitan said.
Just last week, Lazarus Group was caught using a malicious Microsoft Office document pretending to be a job description for Walt Disney Company in a spear phishing campaign that aimed to take control of targeted computers.
According to Chinese security vendor QiAnXin, the group had hacked into web servers that hosted the website of a real estate development firm in order to control devices compromised by the attack.
Edited by Kelly Kasulis and Oliver Hotham
An unusually-high number of new malware variants linked to North Korean hackers may indicate a phase of increasing attacks against foreign targets, cybersecurity researchers told NK News on Tuesday.
Malware analysts at Intezer identified ten new samples attributed to the Lazarus Group within the past two weeks, a number that is “not common at all” and may be aiming to exploit common fears related to COVID-19, Vice President of Research Ari Eitan said.
Nils Weisensee is Director of News Operations at the Korea Risk Group and covers cyber security for NK News. Prior to that he worked as head of operations at the Choson Exchange NGO and as a reporter for DAPD and the Associated Press.
