
Lazarus APT Targets Job Seekers with ‘ClickFix’ Scam to Deliver Malware


The Lazarus Group is a North Korean state-sponsored threat actor that operates under the Reconnaissance General Bureau. It has been active since at least 2009 and works through sub-groups such as Bluenoroff and Kimsuky to conduct cyber espionage, generate revenue, and destabilize geopolitical adversaries.

Its attacks are financially motivated and target industries such as the financial sector, cryptocurrency, and gambling, with the stolen funds directly supporting North Korea's weapons development programs.

Chain of Events

The Lazarus Group has evolved its Contagious Interview campaign by integrating the ClickFix social engineering technique. Posing as recruiters from reputable companies, its operators target software developers on platforms such as LinkedIn.

After initial contact, victims are directed to a fake video interview platform. During the interview process, they encounter a ClickFix-style prompt instructing them to copy and paste malicious code, supposedly to enable camera access.

Running that pasted code installs malware on the victim's device, giving the attackers unauthorized access and the ability to steal sensitive information.

Sample Interaction with the Fake Recruiter

The investigation begins by creating a Validin project to track findings related to Lazarus infrastructure, to which known indicators such as the domain "willointerview[.]com" are added.

Analysis of this domain reveals key attributes such as its reputation score, DNS records, and associated IP address (23.254.244[.]74), which belongs to Hostwinds, a hosting provider commonly used by Lazarus.

By exploring host connections and other relationships within the Validin project, security researchers can identify patterns and potential links to other malicious infrastructure used in Lazarus campaigns.

Host Responses Tab

The Validin researcher identified a unique HOST-META header on the legitimate Willo website. Pivoting on this header, they discovered 136 domains that followed similar naming conventions and shared the same header.

These domains, often themed around cryptocurrency, blockchain, and recruitment, were flagged as Lazarus-related; the results were then filtered to isolate domains hosted on the CloudFront CDN and those with specific registration patterns.

To verify malicious activity, they queried the suspected domains for a specific URI that confirmed their involvement in the campaign. Analyzing the timeline of domain activity, the researcher observed that the malicious domains emerged in mid-December 2024.

Filtering by META-IP surfaced additional Autonomous System numbers (ASNs) associated with the campaign, which give insight into the threat actor's hosting preferences.

META-IP Results

Bulk searches on known malicious IPv4 addresses let investigators uncover other domains hosted on the same infrastructure, potentially revealing previously undetected malicious activity.

Lookalike-domain searches using regular expressions crafted from the observed keyword patterns and domain naming conventions also identify a broader range of malicious domains linked to the Lazarus group.

This combined approach improves threat intelligence gathering and gives security researchers the ability to proactively identify and mitigate potential threats.
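The pivoting workflow described above (seed indicator, shared header, shared IP, ASN grouping, first-seen timeline, and regex lookalike matching), reimplemented as an added example over a small in-memory dataset so it runs offline. This is not Validin's code or API. The only real indicators in it are willointerview[.]com and 23.254.244[.]74 from the article; every other domain, IP, ASN label, header value and date is constructed for illustration, and the record shape is a hypothetical passive-DNS / host-response schema.

```python
import re
from collections import defaultdict

# Constructed records in a hypothetical passive-DNS / host-response shape (not Validin's schema).
# Only willointerview.com and 23.254.244.74 come from the write-up; everything else is made up.
RECORDS = [
    {"domain": "willointerview.com",    "ip": "23.254.244.74", "asn": "ASN_A", "host_meta": "META_X", "first_seen": "2024-12-14"},
    {"domain": "willo-interviews.net",  "ip": "23.254.244.74", "asn": "ASN_A", "host_meta": "META_X", "first_seen": "2024-12-16"},
    {"domain": "cryptotalent-hire.com", "ip": "203.0.113.10",  "asn": "ASN_B", "host_meta": "META_X", "first_seen": "2024-12-20"},
    {"domain": "blockchainrecruit.io",  "ip": "203.0.113.11",  "asn": "ASN_B", "host_meta": "META_X", "first_seen": "2025-01-05"},
    {"domain": "example-bakery.com",    "ip": "198.51.100.5",  "asn": "ASN_C", "host_meta": "META_Y", "first_seen": "2023-03-01"},
    {"domain": "willo-legit.com",       "ip": "198.51.100.9",  "asn": "ASN_D", "host_meta": "META_X", "first_seen": "2021-06-01"},
]

# Constructed keyword and TLD lists standing in for the "observed naming conventions".
KEYWORDS = ["willo", "interview", "recruit", "talent", "hire", "crypto", "blockchain"]
TLDS = ["com", "net", "io"]


def build_lookalike_pattern(keywords, tlds):
    """Compile a regex matching domains whose second-level label contains any campaign
    keyword and whose TLD is one of the observed TLDs. The lookahead keeps the keyword
    check inside the label so a keyword in the TLD alone cannot match."""
    kw = "|".join(re.escape(k) for k in keywords)
    tld = "|".join(re.escape(t) for t in tlds)
    return re.compile(rf"^(?=[a-z0-9-]*(?:{kw}))[a-z0-9-]+\.(?:{tld})$")


PATTERN = build_lookalike_pattern(KEYWORDS, TLDS)


def lookalike_domains(records, pattern):
    """Regex lookalike search over the dataset."""
    return sorted(r["domain"] for r in records if pattern.match(r["domain"].lower()))


def pivot_host_meta(records, seed_domain, exclude=()):
    """Pivot on the seed's HOST-META-style header value, excluding the seed and known-good hosts."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    skip = {seed_domain, *exclude}
    return sorted(r["domain"] for r in records
                  if r["host_meta"] == seed["host_meta"] and r["domain"] not in skip)


def pivot_ips(records, ips):
    """Bulk IP search: every domain hosted on any of the given addresses."""
    return sorted(r["domain"] for r in records if r["ip"] in ips)


def asns_for(records, domains):
    """Group a set of domains by ASN to see the actor's hosting preferences."""
    out = defaultdict(set)
    for r in records:
        if r["domain"] in domains:
            out[r["asn"]].add(r["domain"])
    return {asn: sorted(ds) for asn, ds in out.items()}


def first_seen_after(records, domains, cutoff):
    """Timeline check: which candidates appeared on or after an ISO date cutoff."""
    return sorted(r["domain"] for r in records
                  if r["domain"] in domains and r["first_seen"] >= cutoff)


def hunt(records, seed_domain, known_good, pattern):
    """Combine the pivots. A domain is flagged only when at least two independent
    signals (shared header, shared IP, lookalike name) agree, so a legitimate site
    that merely shares a vendor header or a keyword is not flagged on its own."""
    seed_ip = next(r["ip"] for r in records if r["domain"] == seed_domain)
    signals = defaultdict(set)
    for d in pivot_host_meta(records, seed_domain, exclude=known_good):
        signals[d].add("host_meta")
    for d in pivot_ips(records, {seed_ip}):
        signals[d].add("shared_ip")
    for d in lookalike_domains(records, pattern):
        signals[d].add("lookalike")
    return {d: sorted(s) for d, s in sorted(signals.items())
            if len(s) >= 2 and d != seed_domain and d not in known_good}


if __name__ == "__main__":
    flagged = hunt(RECORDS, "willointerview.com", {"willo-legit.com"}, PATTERN)
    for domain, why in flagged.items():
        print(f"{domain:24s} {', '.join(why)}")
    print("ASNs:", asns_for(RECORDS, flagged))
    print("Emerged since Dec 2024:", first_seen_after(RECORDS, flagged, "2024-12-01"))
```

Note the two-signal rule in hunt: the constructed legitimate host willo-legit.com shares the header and matches the keyword regex, so it is excluded up front as known-good, and example-bakery.com never reaches two signals. In practice the verification URI check the article mentions would be a further signal before acting on the list.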

