Lazarus Group Infostealer Malwares Attacking Developers In New Campaign

The notorious Lazarus Group, a North Korean Advanced Persistent Threat (APT) group, has been linked to a sophisticated campaign targeting software developers.

This campaign involves the use of infostealer malware, designed to steal sensitive information from developers’ systems.

The attack leverages social engineering tactics, including fake job interviews and compromised NPM packages, to deceive developers into executing malicious scripts.

The malware campaign involves a multi-stage modular approach, using techniques such as Base64 encoding and zlib compression to obfuscate the malicious code.

Threat Intelligence Researcher, Rayssa Cardoso detected a key component of the attack is a Python script that uses a lambda function to decode and execute the malware:-

_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)

This script reverses the input string, decodes it using Base64, decompresses the result with zlib, and then executes the reconstructed Python code using the exec() function.

Campaign Structure

The malware structure includes several files and folders:-

script.py: The main file containing instructions to call other script functions.
sysinfo folder: Contains files for detecting the victim’s operating system and communicating with the Command and Control (C2) server on port 1224.
n2 folder: Includes files for reading registry keys, storing collected information, installing required libraries, and collecting system and geolocation data.

Lazarus Group uses social engineering tactics like the “ClickFix” method, where users are tricked into executing malicious scripts by clicking on seemingly legitimate buttons.