
Lazarus Group targets Aerospace and Defense with new Comebacker variant

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

This analysis details a recent espionage campaign by the DPRK-nexus threat actor Lazarus Group targeting the aerospace and defense sectors. The campaign employs a new variant of the Comebacker backdoor, showcasing the actor's ongoing refinement of their malware arsenal. The attackers use highly specific lure documents, indicating a targeted spear phishing campaign. The malware's infection chain involves multiple stages, including custom decryption algorithms and encrypted C2 communications. The campaign's infrastructure remains active, suggesting potential ongoing operations. Organizations in the targeted sectors should remain vigilant against phishing attempts and strengthen their defenses against macro-based threats.

OPENCTI LABELS:

aerospace, dprk, defense, c2 communication, decryption, comebacker, north korea, backdoor, spear phishing


AI COMMENTARY:

1. The Lazarus Group, a DPRK-affiliated threat actor, has escalated its espionage efforts against the aerospace and defense industries by deploying a newly refined variant of the Comebacker backdoor. This campaign underscores North Korea’s persistent focus on stealing sensitive technical data and intellectual property to bolster its domestic programs. The attackers’ choice of high-value targets in the aerospace and defense sectors reflects a strategic aim to undermine national security capabilities and gain a competitive advantage in advanced systems development.

2. At the core of this operation lies a sophisticated spear phishing scheme. Adversaries craft highly specific lure documents that appear to originate from trusted partners within the industry. These macro-enabled files exploit users’ familiarity with contract negotiations and technical specifications to convince recipients to enable embedded scripts. Once activated, the macros initiate a multi-layered infection process that unpacks and executes the Comebacker backdoor.

3. The new Comebacker variant showcases Lazarus Group’s ongoing malware refinement. It incorporates custom decryption algorithms that dynamically decode payloads at runtime, effectively evading signature-based detection. The backdoor’s modular design enables the attackers to load additional components on demand, facilitating data exfiltration, system reconnaissance, and persistence within compromised environments. Subtle code changes further impede reverse engineering efforts by security researchers.

4. The infection chain unfolds across several stages. Initial execution of the macro stager triggers the retrieval of an encrypted payload from a remote server. A bespoke dropper then decrypts this payload using a hardcoded key and transfers control to the primary Comebacker implant. Throughout this process, the malware relies on obfuscation techniques such as string encoding and junk instruction insertion to frustrate analysis, and on sandbox evasion checks to detect virtual environments.

5. Command and control (C2) communications are conducted over encrypted channels to conceal the traffic’s true nature. The backdoor establishes rendezvous points with compromised infrastructure, using protocols that mimic legitimate web requests. Periodic beaconing allows the attackers to issue commands, harvest stolen files, and maintain long-term access. The C2 servers rotate frequently among compromised hosts to dilute attribution efforts and complicate takedown attempts.

6. Evidence suggests that the campaign’s infrastructure remains active, posing an ongoing threat to organizations within the aerospace and defense supply chain. The Lazarus Group’s adaptive tactics and continued enhancements to the Comebacker backdoor highlight the importance of sustained vigilance. Security teams should monitor network traffic for anomalies in DNS resolution patterns and unexpected outbound connections to suspicious hosts.
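One concrete way to act on the monitoring advice in points 5 and 6 is to look for the regular cadence that periodic beaconing leaves in web proxy logs even when the requests themselves look like ordinary HTTPS traffic. The script below is an added example and is not part of the OpenCTI report or its source analysis; the log lines, host names and the 0.1 coefficient-of-variation threshold are constructed for illustration, and a real deployment would tune the threshold and minimum request count against its own baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the report): "<ISO timestamp> <source host> <destination host>".
# One destination is contacted every ~5 minutes with little jitter; the other is browsed irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 updates.example-cdn.test
2024-05-01T10:00:02 ws-17 intranet.corp.test
2024-05-01T10:05:01 ws-17 updates.example-cdn.test
2024-05-01T10:07:30 ws-17 intranet.corp.test
2024-05-01T10:10:00 ws-17 updates.example-cdn.test
2024-05-01T10:14:59 ws-17 updates.example-cdn.test
2024-05-01T10:20:00 ws-17 updates.example-cdn.test
2024-05-01T10:24:10 ws-17 intranet.corp.test
2024-05-01T10:25:01 ws-17 updates.example-cdn.test
2024-05-01T10:31:45 ws-17 intranet.corp.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group request timestamps by (source, destination); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst = m.groups()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def gap_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None with too few samples."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return (mean, statistics.pstdev(gaps) / mean) if mean > 0 else None


def find_beacons(text, min_requests=4, max_cv=0.1):
    """Flag (src, dst) pairs whose request cadence is too regular for human browsing."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stats = gap_stats(stamps)
        if len(stamps) >= min_requests and stats and stats[1] <= max_cv:
            hits.append((src, dst, len(stamps), round(stats[0], 1), round(stats[1], 4)))
    return hits


if __name__ == "__main__":
    for src, dst, n, mean_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} requests, mean gap {mean_gap}s, CV {cv}")
```

Low variance alone is not proof of compromise (software updaters and monitoring agents beacon too), so treat hits as candidates for a destination reputation and allow-list review rather than as alerts on their own.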

7. To defend against macro-based threats and advanced backdoors, organizations must implement a multi-layered security approach. User education on the risks of enabling macros, combined with strict application control policies, can significantly reduce the attack surface. Deploying robust endpoint detection and response solutions that inspect process behavior and encrypted C2 traffic will help identify stealthy intrusions. Regular threat hunting exercises and collaboration with industry peers will further strengthen defenses against DPRK-aligned espionage campaigns.

