The campaign consists of dropping PDF documents and Microsoft Word documents with embedded macros.
The main infection flow consists of the following three main steps.
The attackers lured users with multiple images prompting them to click the “Enable Content” button, so that the document could trigger the malicious macro code.
The attackers also used an Excel document to drop the malicious macro code and infect users.
An interesting part of the download stage in one of the documents is the unexplained use of a Dropbox “Host” field in the HTTP request header. Upon further analysis, researchers found that Dropbox was the original source of the second stage of the infection during this campaign.
The final payload in this campaign is downloaded from a compromised server in the form of a CAB file, which is later expanded into the KEYMARBLE backdoor. It is important to note that the CAB file is disguised as a JPEG image on the compromised host (http[:]//37.238.135[.]70/img/anan.jpg).
All of the malicious documents downloaded KEYMARBLE compressed inside a CAB file, which successfully evaded detection and reduced detections on VirusTotal from five vendors to just 2.
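The two anomalies described above (a CAB archive served under a .jpg name, and a Dropbox Host header sent to an address that is not Dropbox) can both be caught with simple content and proxy-log checks. The following is an added example, not code from the original report; the proxy log lines, the Dropbox hostname and the address allowlist are constructed, and only the server address comes from the page.

```python
# File signatures (magic bytes) for the content types involved in this chain.
MAGIC = {
    b"MSCF": "cab",            # Microsoft Cabinet archive
    b"\xff\xd8\xff": "jpeg",   # JPEG image
    b"MZ": "pe",               # Windows executable
    b"%PDF": "pdf",
}
# What a given file extension claims to be.
DECLARED = {"jpg": "jpeg", "jpeg": "jpeg", "cab": "cab", "exe": "pe", "pdf": "pdf"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (declared, actual) when the bytes contradict the extension, else None.
    A CAB body named anan.jpg yields ("jpeg", "cab")."""
    ext = filename.rsplit(".", 1)[-1].lower()
    declared, actual = DECLARED.get(ext, "unknown"), sniff(data)
    if actual == "unknown" or actual == declared:
        return None
    return (declared, actual)


# Constructed proxy log: source IP, destination IP, Host header, path.
# Only 37.238.135.70 is from the report; the other values are made up.
LOG = """10.0.0.5 37.238.135.70 www.dropbox.com /img/anan.jpg
10.0.0.5 162.125.1.1 www.dropbox.com /s/example/file
10.0.0.7 37.238.135.70 37.238.135.70 /img/anan.jpg"""

# Assumed allowlist of address prefixes an organisation has seen Dropbox use.
DROPBOX_PREFIXES = ("162.125.",)


def suspicious_host_headers(log: str):
    """Flag requests whose Host header names Dropbox but whose destination
    address is outside the allowlist, i.e. the header does not match the peer."""
    hits = []
    for line in log.strip().splitlines():
        _src, dst, host, path = line.split()
        if host.endswith(("dropbox.com", "dropboxusercontent.com")) \
                and not dst.startswith(DROPBOX_PREFIXES):
            hits.append((dst, host, path))
    return hits
```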
Successful Lazarus Attack
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)