Quick Takeaways
- Targeting Drone Manufacturing: North Korea’s Lazarus Group is stealing proprietary information from European drone manufacturers to advance its domestic drone program.
- Specific Campaign Details: ESET researchers identified attacks on at least three organizations in Central and Southeastern Europe, all involved in military drone production, consistent with North Korea’s interest in UAV technology.
- Malware Utilization: The group’s primary payload, ScoringMathTea, is a remote access Trojan that gives its operators full control of infected systems; it has barely changed since it first appeared, reflecting a preference for operational simplicity and stability over sophistication.
- Strategic Cyber Tactics: Lazarus uses job-themed decoy documents to gain a foothold and hides its malware in locally trojanized copies of little-used open-source projects to evade detection, underscoring the importance of security awareness in sensitive sectors.
North Korea’s relentless Lazarus Group is at it again, this time targeting drone manufacturers in Europe to steal proprietary information and manufacturing know-how for Pyongyang.
ESET researchers tracking the campaign have identified at least three organizations Lazarus has struck so far, all located in Central and Southeastern Europe. The targeted organizations manufacture a range of military equipment, including unmanned aerial vehicles (UAVs, aka drones), some of which Ukraine is using in its war against Russia.
Aligned with North Korean Interests
The attacks align with North Korea’s intensifying efforts to scale up its domestic drone program using proprietary data stolen from elsewhere. “These entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it might be hoping to perfect its own designs and processes,” ESET disclosed in a report this week. “The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing heavily in domestic drone manufacturing capabilities.”
ESET has assessed the drone data theft campaign to be the latest iteration of “Operation DreamJob,” where Lazarus actors have been using job-themed decoy documents to lure victims into installing malware on their systems. The threat actor has used the same ploy in cyberespionage attacks on the chemical sector, information technology companies, financial services, software developers, and others.
The drone campaign’s primary payload is ScoringMathTea, a remote access Trojan (RAT) that gives Lazarus actors interactive control over infected machines. The threat actor has been using the post-compromise RAT since at least 2022, when it first surfaced on VirusTotal alongside an Airbus-themed job lure. ScoringMathTea supports some 40 commands, including those that allow Lazarus actors to manipulate files and processes, conduct system reconnaissance, and download and execute additional malicious payloads on compromised systems.
A Stable, Sophisticated Weapon
ScoringMathTea has been Lazarus’s primary payload in Operation DreamJob campaigns, according to ESET. It surfaced in attacks on an Indian technology company in January 2023, a Polish defense firm in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company last month.
Surprisingly, ScoringMathTea itself has remained largely unchanged since it was first spotted, says Peter Kalnai, senior malware researcher at ESET, in comments to Dark Reading. “ScoringMathTea RAT shows no readily apparent changes, with its set of features remaining almost identical” since the beginning, he says.
That suggests that the threat actor favors operational simplicity and stability over sophistication, something that Lazarus has demonstrated with some of its other RATs, such as LightlessCan, he says. “Moreover, ScoringMathTea is likely not the final stage in the execution chain, as its capabilities are extensible through the loading of additional DLLs, which effectively function as plug-ins.”
The most significant change is Lazarus Group’s use of new libraries designed for DLL proxying and its use of trojanized open source projects from GitHub to hide its malware. Kalnai says ESET found no evidence that Lazarus actors had compromised any GitHub accounts to trojanize projects. Instead, the attackers selected a few less popular open source projects, such as plug-ins for Notepad++ and WinMerge, modified the code locally, and deployed them to target systems in an attempt to bypass standard detection mechanisms.
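One common way to build a DLL proxy is to rename the legitimate library, drop a look-alike under the original name that forwards most exports to the renamed copy, and implement only the hooked entry point locally. That technique leaves a structural trace in the PE export table: forwarded exports whose target is an unexpected module. The Python below is an added example written for this article, not ESET’s tooling or anything recovered from the campaign; the report does not say which proxying style Lazarus used. It parses the export directory by hand (no third-party library) and flags forwarders whose target module is not on an allow-list of expected system DLLs. The export names getName, setInfo and beNotified are typical Notepad++ plug-in exports used for illustration; “sample.dll” and “nppdemo_orig” are hypothetical names, and the PE images are constructed in memory by build_sample_dll() rather than read from disk.

```python
import struct


def _rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def forwarded_exports(data):
    """Return [(export_name, forward_target)] for every forwarded export in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory[0] (export table) sits at +112 in a PE32+ optional header, +96 in PE32.
    export_rva, export_size = struct.unpack_from("<II", data, opt + (112 if magic == 0x20B else 96))
    if export_rva == 0:
        return []  # nothing exported, so nothing can be forwarded
    sections = []
    for i in range(nsections):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(sections, export_rva)
    base, n_funcs, n_names, aof, aon, aoo = struct.unpack_from("<IIIIII", data, exp + 16)
    names = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, _rva_to_offset(sections, aon) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, _rva_to_offset(sections, aoo) + 2 * i)[0]
        names[ordinal] = _cstring(data, _rva_to_offset(sections, name_rva))
    found = []
    for i in range(n_funcs):
        rva = struct.unpack_from("<I", data, _rva_to_offset(sections, aof) + 4 * i)[0]
        # A forwarder is an export whose "address" points back inside the export directory,
        # where it is an ASCII string of the form "TargetModule.TargetFunction".
        if rva and export_rva <= rva < export_rva + export_size:
            found.append((names.get(i, f"#{base + i}"), _cstring(data, _rva_to_offset(sections, rva))))
    return found


def suspicious_forwarders(data, allowed_modules):
    """Forwarders whose target module is not on the allow-list of expected system DLLs."""
    allowed = {m.lower() for m in allowed_modules}
    return [(n, t) for n, t in forwarded_exports(data) if t.split(".", 1)[0].lower() not in allowed]


def build_sample_dll(exports):
    """Build a minimal PE32+ DLL with one .edata section. Constructed fixture, not a real file."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(exports)
    aof, aon, aoo, strings_at = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings = bytearray()

    def add(s):  # append a NUL-terminated string, return its section-relative offset
        off = strings_at + len(strings)
        strings.extend(s.encode() + b"\x00")
        return off

    dll_name = add("sample.dll")  # hypothetical module name
    name_offs = [add(name) for name, _ in exports]
    # A forwarded export points at its target string; a local one points at (fake) code outside .edata.
    func_rvas = [sec_rva + add(t) if t else 0x2000 + 0x10 * i for i, (_, t) in enumerate(exports)]
    total = strings_at + len(strings)
    sec = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + dll_name, 1, n, n,
                                sec_rva + aof, sec_rva + aon, sec_rva + aoo))
    sec += b"".join(struct.pack("<I", r) for r in func_rvas)
    sec += b"".join(struct.pack("<I", sec_rva + o) for o in name_offs)
    sec += b"".join(struct.pack("<H", i) for i in range(n))
    sec += strings
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, total)  # export DataDirectory: RVA, Size
    hdr = (dos + b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022) + opt
           + struct.pack("<8sIIIIIIHHI", b".edata", total, sec_rva, len(sec), sec_raw, 0, 0, 0, 0, 0x40000040))
    return bytes(hdr) + bytes(sec_raw - len(hdr)) + bytes(sec)


# Constructed samples: a proxy that keeps plug-in export names but forwards two of them to a
# renamed original ("nppdemo_orig" is a hypothetical name), and a benign system-style forwarder.
PROXY_DLL = build_sample_dll([("getName", "nppdemo_orig.getName"),
                              ("setInfo", "nppdemo_orig.setInfo"),
                              ("beNotified", None)])
BENIGN_DLL = build_sample_dll([("HeapAlloc", "NTDLL.RtlAllocateHeap")])
SYSTEM_MODULES = {"ntdll", "kernel32", "kernelbase", "advapi32", "user32"}

if __name__ == "__main__":
    for name, target in suspicious_forwarders(PROXY_DLL, SYSTEM_MODULES):
        print(f"suspicious forwarder: {name} -> {target}")
```

Run forwarded_exports() over the DLLs in a plug-in directory (for Notepad++, the plugins folder under the install or AppData path) and review anything suspicious_forwarders() returns. Two caveats: forwarders are normal in Windows system DLLs, which is why the allow-list exists, and a proxy that resolves the original at run time with LoadLibrary/GetProcAddress leaves no forwarders at all, so pair this check with a hash comparison against the upstream release of each plug-in.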
Campaigns like these highlight why threat awareness among employees is key, Kalnai says. Another aspect is general policies regarding cyberattacks in sensitive sectors. “Currently, even when governing bodies issue security advisories, private companies are under no obligation to review or comply with the recommendations,” he says. “Furthermore, the severity of a security incident needs to rise to a certain threshold before a company is obligated to report it to authorities. Otherwise, the company does not even have to share the results of the incident response process.”
