edf0ff5cc8
new: Lazarus APT DLL Sideloading Activity
new: File Download From IP Based URL Via CertOC.EXE
new: File Download From IP URL Via Curl.EXE
update: Remote Thread Creation By Uncommon Source Image
update: Remote Thread Creation In Uncommon Target Image
update: ADSI-Cache File Creation By Uncommon Tool
update: Files With System Process Name In Unsuspected Locations
update: PowerShell Module File Created By Non-PowerShell Process
update: PSScriptPolicyTest Creation By Uncommon Process
update: Suspicious LNK Double Extension File Created
update: PowerShell Profile Modification
update: Alternate PowerShell Hosts Pipe
update: File Download via CertOC.EXE
update: Suspicious File Download From IP Via Curl.EXE
update: Arbitrary File Download Via GfxDownloadWrapper.EXE
update: Potentially Suspicious Office Document Executed From Trusted Location

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
1.2 KiB
Lazarus APT
Last Updated: 18/10/2023
Summary
ESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor that ESET is naming LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp. Four different execution chains were identified, delivering three types of payloads via DLL side-loading.
You can find more information on the threat in the following articles:
- Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
- Lazarus hackers breach aerospace firm with new LightlessCan malware