Lazarus group conducting cyber espionage against chemical sector, Symantec detects

Symantec, a division of Broadcom Software, disclosed that the North Korea-linked advanced persistent threat (APT) group Lazarus has been conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus activity dubbed ‘Operation Dream Job,’ initially observed in August 2020. Symantec tracks this subset of Lazarus activity under the name Pompilus.

“In January 2022, Symantec detected attack activity on the networks of a number of organizations based in South Korea. The organizations were mainly in the chemical sector, with some being in the information technology (IT) sector,” Symantec Threat Hunter Team wrote in a company blog post. “However, it is likely the IT targets were used as a means to gain access to chemical sector organizations. There is sufficient evidence to suggest that this recent activity is a continuation of Operation Dream Job. That evidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns,” the post added.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has observed that facilities with dangerous chemicals have long been attractive targets for terrorists, who aspire to conduct sensational attacks that could cause several deaths and injuries. Threats include physical attacks, theft or diversion of chemicals, cyberattacks, unauthorized drone activity, and facility personnel’s malicious activities.

The risk of an unwanted outcome resulting from an incident or event involving dangerous chemicals has three components: the threat of a dangerous chemical being weaponized, the facility’s vulnerability to an attack, and the consequences of an incident if the threat were to occur. The agency added that mitigation of these components lowers the specific risks that on-site chemicals present.

Operation Dream Job activity involves Lazarus using fake job offers to lure victims into clicking on malicious links or opening malicious attachments that eventually lead to the installation of malware used for espionage, Symantec said. Earlier Dream Job campaigns, observed in August 2020 and July 2021, targeted individuals in the defense, government, and engineering sectors, it added.

Symantec detected that a typical attack begins when a malicious HTM file is received, likely as a malicious link in an email or downloaded from the web. The HTM file is copied to a DLL file called ‘scskapplink.dll’ and injected into the legitimate system management software INISAFE Web EX Client.

The scskapplink.dll file is typically a signed Trojanized tool with malicious exports added. The attackers have been observed using the following signatures: DOCTER USA, INC and ‘A’ MEDICAL OFFICE, PLLC, Symantec said. Next, scskapplink.dll downloads and executes an additional payload from a command-and-control (C&C) server, with the URL parameter key/value pair ‘prd_fld=racket,’ it added.

This step kicks off a chain of shellcode loaders that download and execute arbitrary commands from the attackers as well as additional malware, which is usually executed from malicious exports added to Trojanized tools such as the Tukaani project LZMA Utils library (XZ Utils), Symantec disclosed.

Symantec revealed that the attackers move laterally on the network using Windows Management Instrumentation (WMI) and inject into MagicLine by DreamSecurity on other machines. “In some instances, the attackers were spotted dumping credentials from the registry, installing a BAT file in a likely effort to gain persistence, and using a scheduled task configured to run as a specific user,” the researchers added.

Symantec also observed the attackers deploying post-compromise tools, including a tool used to take screenshots of web pages viewed on the compromised machine at set intervals (SiteShoter). “They were also seen using an IP logging tool (IP Logger), a protocol used to turn computers on remotely (WakeOnLAN), a file and directory copier (FastCopy), and the File Transfer Protocol (FTP) executed under the MagicLine process,” it added.
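As an added illustration, not code from the Symantec report, the indicators named above (the scskapplink.dll side-load, the two code-signing identities, and the ‘prd_fld=racket’ C&C parameter) can be turned into a small triage check over endpoint telemetry. The key=value log format, the process names INISAFEWebEX.exe and MagicLine.exe, and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the Symantec description on this page.
SUSPECT_DLL = "scskapplink.dll"
SUSPECT_SIGNERS = {"DOCTER USA, INC", "'A' MEDICAL OFFICE, PLLC"}
SUSPECT_PARAM, SUSPECT_VALUE = "prd_fld", "racket"
# Assumed executable names for the legitimate software the DLL is injected into.
HOST_PROCESSES = {"inisafewebex.exe", "magicline.exe"}

# Assumed telemetry format: space-separated key=value fields, quotes allowed.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one constructed log line into a dict of fields."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def analyse_event(ev):
    """Return the list of reasons an event matches the campaign indicators."""
    reasons = []
    proc = ev.get("process", "").lower()
    if ev.get("type") == "imageload":
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image == SUSPECT_DLL:
            reasons.append(f"{SUSPECT_DLL} loaded by {proc}")
        signer = ev.get("signer", "").replace("‘", "'").replace("’", "'").upper()
        if signer in SUSPECT_SIGNERS:
            reasons.append(f"module signed by {ev['signer']}")
    elif ev.get("type") == "http":
        qs = parse_qs(urlparse(ev.get("url", "")).query)
        if SUSPECT_VALUE in qs.get(SUSPECT_PARAM, []):
            reasons.append(f"C&C beacon parameter {SUSPECT_PARAM}={SUSPECT_VALUE}")
    if reasons and proc in HOST_PROCESSES:
        reasons.append(f"activity inside trusted host process {proc}")
    return reasons

def scan(lines):
    """Return (line number, reasons) for every line that triggers a match."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = analyse_event(parse_event(line))
        if reasons:
            hits.append((number, reasons))
    return hits

# Constructed sample telemetry: two malicious events, two benign ones.
SAMPLE_LOG = [
    'type=imageload process=INISAFEWebEX.exe image=C:\\Users\\u\\AppData\\Local\\Temp\\scskapplink.dll signer="DOCTER USA, INC"',
    'type=http process=INISAFEWebEX.exe url=http://cnc.example.invalid/index.php?prd_fld=racket&ver=3',
    'type=imageload process=chrome.exe image="C:\\Program Files\\Google\\Chrome\\libcef.dll" signer="Google LLC"',
    'type=http process=chrome.exe url=https://www.example.com/search?q=racket',
]
```

Running `scan(SAMPLE_LOG)` flags only the first two lines; the benign `q=racket` query is not matched because the check keys on the exact parameter name.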

Last November, Proofpoint researchers revealed that a veteran hacker group from the Democratic People’s Republic of Korea (DPRK) had resurfaced using malware that could be exploited for information gathering. The TA406 hacker group has been known previously by other names and engages in espionage, cybercrime, and sextortion. Analysts from Proofpoint have tracked TA406 campaigns targeting customers since 2018, but these attacks remained low in volume until the beginning of January last year.
