Researchers recently observed a new malware campaign targeting Russian organizations with specially crafted malicious Word documents. The campaign was attributed to the North Korean Lazarus threat group, also known as HIDDEN COBRA.
KEYMARBLE Backdoor
Researchers from Check Point noted that the Lazarus group's new campaign against Russian entities uses Office documents in the initial infection stage and ultimately drops the KEYMARBLE backdoor Trojan.
KEYMARBLE gives the operators access to device configuration data and lets them download additional files, execute commands, modify the registry, capture screenshots, and exfiltrate data.
Main infection chain
Check Point researchers observed that the main infection chain consists of three stages: a malicious Word document whose macros download a VBS script, which in turn downloads and executes the KEYMARBLE backdoor.
Later in the campaign, the Lazarus group dropped the second stage and modified the Word macros to download and execute KEYMARBLE directly instead of fetching the VBS script.
Decoy PDF document
The first stage of the infection chain uses malicious Word documents delivered inside ZIP files, alongside a decoy PDF named NDA_USA.pdf, which is a StarForce Technologies NDA agreement.
The decoy makes the ZIP look legitimate, tricking potential Russian victims into opening both files, including the Word document that carries the malicious macros.
Final Payload
The final payload is downloaded from a compromised server as a CAB file disguised as a JPEG image, which is then expanded into the KEYMARBLE backdoor. Disguising the archive this way also lowered the antivirus detection rate from five vendors to just two.
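Both lure characteristics described above, a ZIP that pairs a PDF decoy with a Word document and a payload whose extension says JPEG while its bytes say CAB, can be checked without executing anything, simply by comparing each file's extension with its magic bytes. The following Python is an added example written for this page; it is not Check Point's code and not material from the campaign. The sample ZIP and the fake "photo.jpg" are constructed inline (the names contract.doc and photo.jpg are hypothetical; NDA_USA.pdf is the decoy name from the report), so the script runs offline.

```python
import io
import zipfile

# File signatures used to identify what a file really is, regardless of its name.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "cab": b"MSCF",                                   # Microsoft Cabinet archive
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",        # legacy .doc (OLE2 compound file)
    "zip": b"PK\x03\x04",                             # .docx/.docm are ZIP containers
    "pdf": b"%PDF-",
}

# What the leading bytes should be for a given extension.
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf", "cab": "cab",
            "doc": "ole", "dot": "ole", "docx": "zip", "docm": "zip", "dotm": "zip"}

WORD_EXTENSIONS = ("doc", "dot", "docx", "docm", "dotm")


def sniff(data: bytes) -> str:
    """Return the format name whose signature matches the start of data."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def masquerade(name: str, data: bytes):
    """Return (claimed, actual) when a file's extension and content disagree, else None.

    A 'photo.jpg' that begins with MSCF is a CAB archive hiding behind an image name,
    the trick used for the final payload in this campaign.
    """
    claimed = EXPECTED.get(extension(name))
    actual = sniff(data)
    if claimed is not None and claimed != actual:
        return claimed, actual
    return None


def inspect_zip(zip_bytes: bytes) -> dict:
    """Inspect an in-memory ZIP for the lure layout: a PDF decoy next to a Word document.

    Also reports any member whose extension disagrees with its magic bytes.
    """
    has_pdf = has_word = False
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(16)          # only the signature bytes are needed
            kind = sniff(head)
            if kind == "pdf":
                has_pdf = True
            if extension(info.filename) in WORD_EXTENSIONS or kind == "ole":
                has_word = True
            mm = masquerade(info.filename, head)
            if mm:
                mismatches.append((info.filename,) + mm)
    return {"pdf_decoy_with_word_doc": has_pdf and has_word, "mismatches": mismatches}


# Constructed sample data (not real malware): a ZIP holding the decoy PDF named in the
# report plus a hypothetical legacy-format Word document, and a "JPEG" that is really a CAB.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_USA.pdf", b"%PDF-1.4\n% decoy placeholder\n")
        zf.writestr("contract.doc", MAGIC["ole"] + b"\x00" * 24)   # hypothetical name
    return buf.getvalue()


FAKE_JPEG = b"MSCF" + b"\x00" * 28            # CAB header behind a .jpg name
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12


if __name__ == "__main__":
    print("ZIP findings:", inspect_zip(build_sample_zip()))
    print("photo.jpg (fake):", masquerade("photo.jpg", FAKE_JPEG))
    print("photo.jpg (real):", masquerade("photo.jpg", REAL_JPEG))
```

Checking magic bytes is cheap enough to run on every attachment and download at a mail gateway or proxy; on its own it will not catch a payload that is a genuine image with code appended, so treat a mismatch as a strong indicator rather than the only one.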
“A closer look at the compromised server shows an unconvincing website for the ‘Information Department’ of the ‘South Oil Company’. The server is located in Iraq and hosted by EarthLink Ltd. Communications&Internet Services,” researchers noted in a blog.