Cybersecurity experts at ENKI have uncovered a sophisticated new variant of the Comebacker backdoor, attributed to the North Korean Lazarus Group, that targets the aerospace and defense sectors through spear phishing. The attack uses malicious Word documents that start a multi-stage infection chain, with ChaCha20 and AES-128-CBC encryption used to conceal the payloads and evade detection. #Comebacker #LazarusGroup #aerospace #defense #spearphishing
Key points
- The campaign employs malicious Word documents themed around aerospace and defense organizations to deliver malware.
- The infection involves a three-stage encrypted loader chain that operates entirely in memory to avoid detection.
- The malware uses encryption protocols like ChaCha20 and AES-128-CBC for payload concealment and C2 communication.
- ENKI's analysis links the activity to Lazarus Group, indicating a focus on industrial and defense espionage.
- The campaign's evolution shows a shift from targeting developers to high-value aerospace and defense entities.