Andariel, a subdivision of the Lazarus Group APT associated with North Korea, is behind a recent attack campaign that uses malicious Word documents and files that mimic PDFs, Kaspersky researchers report.
This group has previously targeted South Korean businesses and government agencies; in this attack, its victims also appear to be South Korean entities.
Researchers say they observed a suspicious Word document with a Korean file name and decoy with an unusual infection scheme and an unfamiliar payload. Further analysis revealed a connection to Andariel; researchers noticed code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. There were other characteristics connecting this malware to Andariel, researchers report.
"Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase," they wrote in a report on the findings. "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity."
Kaspersky says Andariel has been spreading the third stage payload using malicious Word documents since the middle of 2020.
Details on the attack campaign can be found here.