The notorious Lazarus advanced persistent threat (APT) organization, which Qi’anxin internally tracks as APT-Q-1, has been seen using the ClickFix technique to penetrate Windows 11 and macOS systems in a sophisticated progression of social engineering attacks.
Known for high-profile incidents like the 2014 Sony Pictures hack, Lazarus has shifted from intelligence theft to financial asset extraction since 2014, targeting entities such as cryptocurrency exchanges and financial institutions.
This latest campaign leverages fake job offers disseminated via phony social media accounts to lure victims into phishing traps, ultimately implanting malware like BeaverTail and InvisibleFerret.
Recent analyses from the Qi’anxin Threat Intelligence Center reveal a batch script that masquerades as an Nvidia software update and facilitates the deployment of these payloads across platforms.
Malware Deployment
The attack commences with victims encountering a deceptive job interview website that prompts them to resolve a fabricated camera configuration fault.
This leads to the execution of ClickFix-1.bat (MD5: f9e18687a38e968811b93351e9fca089), which downloads a malicious ZIP archive, nvidiaRelease.zip (MD5: a4e58b91531d199f268c5ea02c7bf456), from hxxps://driverservices.store/visiodrive/nvidiaRelease.zip.
Upon decompression, the archive executes run.vbs (MD5: 3ef7717c8bcb26396fc50ed92e812d13), which assesses the system’s build number to confirm Windows 11 (BuildNumber ≥ 22000).
If matched, it launches the backdoored drvUpdate.exe (MD5: 6175efd148a89ca61b6835c77acc7a8d), while simultaneously checking for a Node.js environment.
If Node.js is absent, shell.bat (MD5: 983a8a6f4d0a8c887536f5787a6b01a2) downloads and installs it, after which npm commands run main.js (MD5: b52e105bd040bda6639e958f7d9e3090), identified as the BeaverTail stealer.
BeaverTail, a cross-platform infostealer favored by Lazarus, communicates with command-and-control (C2) servers such as hxxp://45.159.248.110 and proceeds to fetch additional payloads, including the Python-based InvisibleFerret Trojan, from paths like hxxp://45.159.248.110/client/xyz2 (MD5: 17eb90ac00007154a6418a91bf8da9c7). Persistence is achieved via registry modifications that embed commands invoking %USERPROFILE%\.pyp\pythonw.exe to ensure long-term access.
For macOS variants, scripts like arm64-fixer (MD5: cdf296d7404bd6193514284f021bfa54) mimic ARM architecture fixes, deploying similar BeaverTail instances through drivfixer.sh and LaunchAgents plist files for persistence, with C2 at hxxp://45.89.53.54.
The drvUpdate.exe backdoor, connecting to 103.231.75.101:8888, supports multiple functions including command execution via cmd.exe (instruction 0x6), file read/write operations (0x8 and 0x18), and device information exfiltration (0x4), such as usernames, hostnames, OS versions, IP addresses, and MAC details.

It authenticates C2 connectivity through challenge-response mechanisms, enabling attackers to issue sleep commands (0x9) or manipulate files with sub-commands for opening, writing, and closing operations.
Attribution links these artifacts to Lazarus based on script similarities with prior reports and the consistent use of BeaverTail and InvisibleFerret, extending the campaign’s reach to both Windows and macOS ecosystems.
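The chain above (batch file, ZIP download, run.vbs, drvUpdate.exe C2 on port 8888, registry persistence through pythonw.exe) gives a defender several concrete things to look for in endpoint telemetry. The following is an added example, not code from the Qi’anxin report: a small detection pass that matches the report’s hashes, domains, IPs and script names against process, network and registry events. The event schema and the sample events are constructed; the registry Run key location and the backslash separators in the `.pyp\pythonw.exe` persistence path are assumptions, since the report describes the persistence only as a registry modification.

```python
# Added example: match the ClickFix / BeaverTail indicators from the report
# against constructed endpoint telemetry. IoC values are from the report; the
# event format, the sample events and the registry key location are assumptions.
import re
from typing import Iterable

# --- Indicators named in the report ---------------------------------------
IOC_MD5 = {
    "f9e18687a38e968811b93351e9fca089",  # ClickFix-1.bat
    "a4e58b91531d199f268c5ea02c7bf456",  # nvidiaRelease.zip
    "3ef7717c8bcb26396fc50ed92e812d13",  # run.vbs
    "6175efd148a89ca61b6835c77acc7a8d",  # drvUpdate.exe
    "983a8a6f4d0a8c887536f5787a6b01a2",  # shell.bat
    "b52e105bd040bda6639e958f7d9e3090",  # main.js (BeaverTail)
    "17eb90ac00007154a6418a91bf8da9c7",  # InvisibleFerret payload
    "cdf296d7404bd6193514284f021bfa54",  # arm64-fixer (macOS)
}
IOC_DOMAINS = {"driverservices.store", "block-digital.online"}
IOC_IPS = {"45.159.248.110", "45.89.53.54", "103.231.75.101"}
DRVUPDATE_C2 = ("103.231.75.101", 8888)  # drvUpdate.exe backdoor channel
# Script and binary names from the infection chain (lower-cased for matching).
CHAIN_NAMES = ("clickfix-1.bat", "nvidiarelease.zip", "run.vbs", "shell.bat",
               "drvupdate.exe", "arm64-fixer", "drivfixer.sh")
# Persistence path; the directory separators are assumed, not quoted verbatim.
PERSIST_RE = re.compile(r"\\\.pyp\\pythonw\.exe", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule a single telemetry event matches."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "process":
        if ev.get("md5", "").lower() in IOC_MD5:
            hits.append("known_bad_hash")
        cmd = ev.get("cmdline", "").lower()
        if any(name in cmd for name in CHAIN_NAMES):
            hits.append("clickfix_chain_artifact")
        if any(domain in cmd for domain in IOC_DOMAINS):
            hits.append("download_from_ioc_domain")
    elif kind == "network":
        dst = ev.get("dst", "").lower()
        if dst in IOC_DOMAINS or dst in IOC_IPS:
            hits.append("ioc_network_destination")
        if (dst, ev.get("port")) == DRVUPDATE_C2:
            hits.append("drvupdate_c2_channel")
    elif kind == "registry":
        if PERSIST_RE.search(ev.get("data", "")):
            hits.append("invisibleferret_persistence")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Scan a stream of events; return (event index, rule name) for every hit."""
    return [(idx, rule) for idx, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry following the chain described in the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\ClickFix-1.bat"',
     "md5": "f9e18687a38e968811b93351e9fca089"},
    {"type": "network", "dst": "driverservices.store", "port": 443},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\nvidiaRelease\run.vbs"',
     "md5": "3ef7717c8bcb26396fc50ed92e812d13"},
    {"type": "network", "dst": "103.231.75.101", "port": 8888},
    # Run key is an assumed location for the registry persistence.
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "pyp", "data": r"C:\Users\alice\.pyp\pythonw.exe C:\Users\alice\.pyp\payload.py"},
    # Benign event that must not match: a legitimate vendor binary, placeholder hash.
    {"type": "process", "image": r"C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe",
     "cmdline": '"NVIDIA app.exe"', "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Hash and destination matches are high confidence; the name-based `clickfix_chain_artifact` rule is a weaker signal on its own and is most useful when it fires on the same host shortly before the port-8888 connection or the pythonw.exe persistence entry.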
Broader Implications
This ClickFix campaign underscores Lazarus’s adept exploitation of psychological vulnerabilities, bypassing technical defenses by inducing victims to self-execute malware under the guise of routine fixes.
Organizations should enforce strict verification of job-related communications and avoid executing unsolicited scripts or updates from untrusted sources.
Qi’anxin’s suite, including the Threat Intelligence Platform (TIP) and Tianyan Advanced Threat Detection System, provides robust detection against such threats.
Backing up critical data, applying timely patches, and utilizing file analysis platforms for unknown executables are essential defenses.
As APT groups like Lazarus refine social engineering with cross-platform tactics, vigilance against deceptive online interactions remains paramount to thwart intelligence and financial theft operations.
Indicators of Compromise (IOC)
| Category | IOC Details |
|---|---|
| MD5 (Windows) | f9e18687a38e968811b93351e9fca089, a4e58b91531d199f268c5ea02c7bf456, 3ef7717c8bcb26396fc50ed92e812d13, 983a8a6f4d0a8c887536f5787a6b01a2, 6175efd148a89ca61b6835c77acc7a8d, 8c274285c5f8914cdbb090d72d1720d3, b73fd8f21a2ed093f8caf0cf4b41aa4d |
| MD5 (macOS) | cdf296d7404bd6193514284f021bfa54, cbd183f5e5ed7d295d83e29b62b15431, a009cd35850929199ef60e71bce86830, 13400d5c844b7ab9aacc81822b1e7f02 |
| MD5 (BeaverTail) | b52e105bd040bda6639e958f7d9e3090, 15e48aef2e26f2367e5002e6c3148e1f |
| C&C | driverservices.store, block-digital.online, hxxp://45.159.248.110, hxxp://45.89.53.54, 103.231.75.101:8888 |
| URL | hxxps://driverservices.store/visiodrive/nvidiaRelease.zip, hxxps://driverservices.store/visiodrive/nvidiaReleasenew.zip, hxxps://driverservices.store/visiodrive/arm64-fixer, hxxps://driverservices.store/visiodrive/arm64-fixernew, hxxps://block-digital.online/drivers/cam_driver |