求职陷阱：Lazarus组织以日本瑞穗銀行等招聘信息为诱饵的攻击活动分析

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – Initial access via spearphishing email attachments that lure victims to open the VHD file. “phishing emails with an attachment to entice victims to click and open the VHD file”
• [T1036] Masquerading – File name tricks and icon camouflage to hide executable extension. “Using a lot of spaces in the file name to hide the .exe suffix; using a PDF icon to masquerade.”
• [T1059.005] VBScript – Lazarus commonly uses VBScript/VBA scripts for payloads. “two VB/VBA files; analysis shows Lazarus commonly uses vbs scripts.”
• [T1105] Ingress Tool Transfer – The loader uses curl to fetch payloads and creates pipes for reading. “using curl.exe to obtain subsequent payloads, creating pipes to read data”
• [T1055] DLL Loading/Injection – The decrypted DLL is loaded into memory with LoadLibraryW and an exported function is invoked. “loads the decrypted dll into memory, and calls the export function”
• [T1027] Obfuscated/Encrypted Files and Information – The loaded DLL decrypts using RC4 with a hard-coded key. “RC4 algorithm key is hard-coded in the file”
• [T1497] Virtualization/Sandbox Evasion – The malware checks for antivirus processes and adjusts behavior accordingly. “If specific processes exist, a global variable is set to 1”
• [T1562.001] Impair Defenses – If BitDefender or Windows Defender is present, the malware delays and uses rundll32 to invoke exports. “delay 10 seconds, then create rundll32 to call its export function”
• [T1059.005] VBScript (Additional) – The analysis also references vbs-based scripting used in C2-related files. “two VBScript files linked to C2 data requests”