A social-engineering campaign poses as a hiring assessment and an NVIDIA driver update to trick job candidates into running a command that deploys credential-theft and remote-access tooling attributed to the Lazarus group. The multi-stage payload steals browser and email credentials, installs a persistent backdoor, and harvests cryptocurrency wallet data. #Lazarus #DeceptiveDevelopment #MeshAgent
Key points
- The attack masquerades as an NVIDIA-related update initiated through a fake hiring assessment challenge.
- Users are manipulated into granting camera access and running a command that downloads and extracts a malicious archive.
- A VBS script launches an obfuscated Python environment posing as a legitimate driver update process.
- The Python script’s functionalities include stealing browser and email credentials, exfiltrating data, and installing persistent remote access tools.
- MeshAgent is silently installed for persistent remote control, while additional components harvest cryptocurrency wallet data.
- Persistence is maintained via a scheduled task disguised as ChromeUpdate.exe within the legitimate Chrome directory.
- Code overlaps with earlier tooling and the campaign's structure lead to its attribution to the Lazarus group's DeceptiveDevelopment operation.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used to execute a VBS script that launches the Python payload (‘A VBS script launches a Python environment embedded within the archive’).
- [T1105] Ingress Tool Transfer – The initial command downloads a malicious archive which is automatically extracted (‘A malicious archive is downloaded and automatically extracted’).
- [T1083] File and Directory Discovery – The attack script accesses browser extensions and local cryptocurrency folders (‘Browser extensions and local folders related to cryptocurrencies are harvested’).
- [T1555] Credentials from Password Stores – WebBrowserPassView and MailPassView dump saved browser and email client credentials (‘WebBrowserPassView is downloaded, decrypted and executed to extract browser-related credentials’).
- [T1041] Exfiltration Over C2 Channel – Stolen credentials and system information are sent to the command-and-control server (‘…are exfiltrated to the command-and-control (C2) server’).
- [T1053] Scheduled Task/Job – Persistence is achieved through a scheduled task that runs a binary disguised as ChromeUpdate.exe (‘Persistence is achieved through a scheduled task disguised as ChromeUpdate.exe’).
- [T1219] Remote Access Software – MeshAgent is silently installed to provide persistent remote access (‘An instance of MeshAgent is silently installed, providing the attackers with persistent remote control’).
Indicators of Compromise
- [URL] Malicious assessment lure – hxxps://assessdome.com/invite/7e462f3c/8002565804
- [Domain] Command and control server – metakenproxy.com:81
- [File Hash] Initial VBS script – 7013822c0a794712c5fe8f62c126e5992dca4a744882a039040569ae4ec1a868
- [File Hash] Initial Python script – 03ad194456951695eb4d4ceb40d9e52aaadbc9a4f4b8b1d020077115103e5359
- [File Hash] WebBrowserPassView executable – 36541fad68e79cdedb965b1afcdc45385646611aa72903ddbe9d4d064d7bffb9
- [File Hash] MailPassView executable – bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647
- [File Hash] MeshAgent executable – 9757780860ec5637c412a8756f25c56f7d1d89358e447782164ba418def1c64e
- [File Hash] ChromeUpdate.exe persistence binary – 00bef70cd031a830f2ee1ec4ce750947a9c8838995289ecbb253426cca53d046
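The indicators above and the ChromeUpdate.exe scheduled-task persistence can be swept for on an endpoint or in proxy logs with a small script. The following is an added example, not code from the Gen Digital write-up: the hash and network indicators are the ones listed in this summary; the log lines and scheduled-task records are constructed for the demonstration, and the "Task To Run" column name is assumed from `schtasks /query /fo csv /v` output.

```python
"""IOC sweep for the fake-NVIDIA-update (DeceptiveDevelopment) campaign.

Added example, not code from the Gen Digital write-up. Hash and network
indicators are the ones the report lists; the log lines and scheduled-task
records below are constructed for the demonstration. Python 3.9+.
"""
import hashlib
import re
from pathlib import Path, PureWindowsPath
from typing import Iterable

# SHA-256 hashes published in the report, keyed lowercase for comparison.
IOC_HASHES = {
    "7013822c0a794712c5fe8f62c126e5992dca4a744882a039040569ae4ec1a868": "initial VBS script",
    "03ad194456951695eb4d4ceb40d9e52aaadbc9a4f4b8b1d020077115103e5359": "initial Python script",
    "36541fad68e79cdedb965b1afcdc45385646611aa72903ddbe9d4d064d7bffb9": "WebBrowserPassView",
    "bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647": "MailPassView",
    "9757780860ec5637c412a8756f25c56f7d1d89358e447782164ba418def1c64e": "MeshAgent",
    "00bef70cd031a830f2ee1ec4ce750947a9c8838995289ecbb253426cca53d046": "ChromeUpdate.exe persistence binary",
}

# Network indicators exactly as published (defanged); refang() restores them.
IOC_NETWORK = [
    "hxxps://assessdome.com/invite/7e462f3c/8002565804",
    "metakenproxy.com:81",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> ., [:] -> :)."""
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("[:]", ":")):
        indicator = indicator.replace(old, new)
    return indicator


def indicator_host(indicator: str) -> str:
    """Hostname of a (possibly defanged) URL or host:port indicator, lowercased."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator), flags=re.I)
    return s.split("/", 1)[0].split(":", 1)[0].lower()


IOC_HOSTS = {indicator_host(i) for i in IOC_NETWORK}

# Dotted hostnames; IPv4 addresses do not match because the last label must be alphabetic.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path) -> list:
    """(path, label) for every regular file under root whose SHA-256 is a listed IOC."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            label = IOC_HASHES.get(sha256_file(p))
            if label:
                hits.append((p, label))
    return hits


def scan_log_lines(lines: Iterable[str]) -> list:
    """(line_no, host) for log lines naming an IOC host or any subdomain of one."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
                hits.append((n, host))
    return hits


# First quoted-or-bare executable path in a scheduled task's action string.
ACTION_EXE = re.compile(r'^\s*"?([^"]*?\.exe)\b', re.I)


def suspicious_tasks(tasks: Iterable[dict]) -> list:
    """Task records whose action runs a binary named ChromeUpdate.exe, the name the
    report gives for the persistence binary. Records are dicts with a "Task To Run"
    key (column name assumed from `schtasks /query /fo csv /v` output)."""
    flagged = []
    for t in tasks:
        m = ACTION_EXE.match(t.get("Task To Run", ""))
        if m and PureWindowsPath(m.group(1)).name.lower() == "chromeupdate.exe":
            flagged.append(t)
    return flagged


# Constructed proxy-log lines (not real telemetry): lines 2 and 3 touch the IOCs.
SAMPLE_LOG = [
    "10.0.0.5 GET https://www.nvidia.com/Download/index.aspx 200",
    "10.0.0.5 GET https://assessdome.com/invite/7e462f3c/8002565804 200",
    "10.0.0.5 CONNECT metakenproxy.com:81 200",
    "10.0.0.5 GET https://example.org/ 200",
]

# Constructed task records (illustrative names and paths); only the second runs ChromeUpdate.exe.
SAMPLE_TASKS = [
    {"TaskName": r"\Example\UpdaterA", "Task To Run": r'"C:\Program Files (x86)\Example\Update\ExampleUpdate.exe" /ua'},
    {"TaskName": r"\ChromeUpdate", "Task To Run": r'"C:\Program Files\Google\Chrome\Application\ChromeUpdate.exe"'},
    {"TaskName": r"\Example\UpdaterB", "Task To Run": r'C:\Windows\System32\notepad.exe readme.txt'},
]

if __name__ == "__main__":
    print("network hits:", scan_log_lines(SAMPLE_LOG))
    print("task hits:", [t["TaskName"] for t in suspicious_tasks(SAMPLE_TASKS)])
    print("file hits under cwd:", scan_files(Path(".")))
```

The hash check is exact-match only, so it confirms a known sample but says nothing about recompiled variants; the task check is the more durable signal, since the page's persistence relies on a binary name that the legitimate Chrome installation does not use. Point `scan_files` at user-writable locations such as `%LOCALAPPDATA%` and the Chrome application directory, and feed `scan_log_lines` proxy or DNS logs, which catch both the lure domain and the non-standard C2 port.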
Read more: https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack