GoldDigger Hidden in Investment Pitch Deck APT-C-26 Lazarus Attack Campaign Analysis Report
In the second half of 2021, 360 Advanced Threat Research Institute observed multiple attack campaigns by APT-C-26 (Lazarus). Since July 2021 it has captured several decoy documents titled "Venture Labo Investment Pitch Deck(Protected).docx", which present an introduction to Venture Labo Investment Co.,Ltd, a Tokyo-based venture capital firm.

The document uses remote template injection (tracked as CVE-2017-0199): when opened, it fetches a template from an external link, and that template prompts the user to enable macros. The macro reads item1.xml from the document's customXml directory, decrypts its contents, and injects the result into a legitimate process chosen according to the system architecture. The injected code then downloads follow-up payloads and communicates with the C&C server over HTTP POST requests.

The campaign is aimed at cryptocurrency theft. Its payloads, attack procedure, and IOCs overlap with earlier BlueNoroff (a Lazarus subgroup) activity: the same remote-template delivery of macros, the same loading and decryption of customXml/item1.xml for process injection, and the same POST-based C&C traffic. Shared infrastructure, including the domains venturelabo[.]co and azureword[.]com, further supports attribution to BlueNoroff.

BlueNoroff, suspected of carrying out the 2016 Bangladesh Central Bank heist, has shifted its focus from traditional banks to cryptocurrency targets as digital currencies have grown. As a Lazarus subgroup with a complete attack chain and multiple offensive capabilities, it warrants close attention.
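The delivery chain described above leaves static traces in the Office files themselves: the lure document carries an external attachedTemplate relationship, and the template it fetches carries a VBA project plus a customXml/item*.xml part holding encrypted data rather than real custom XML. The following triage script is an added example written for this page, not code from 360 or from the report. It unpacks a .docx/.dotm as a zip, reports external template targets from word/_rels/settings.xml.rels, flags a vbaProject.bin, and flags customXml items whose byte entropy or size is unusual for genuine XML. The sample documents it builds, the example.invalid URL, and the 6.5-bit entropy threshold are constructed assumptions for the demonstration.

```python
"""Static triage of an OOXML document for the remote-template / customXml chain.

Added example (not from the original report). Works on any .docx/.dotm bytes;
the build_sample() helper fabricates minimal files so the script runs offline.
"""
import io
import math
import re
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter

# Relationship type Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; real XML sits around 4-5, encrypted blobs approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def remote_templates(z: zipfile.ZipFile) -> list:
    """External attachedTemplate targets, i.e. what Word fetches on open."""
    if SETTINGS_RELS not in z.namelist():
        return []
    root = ET.fromstring(z.read(SETTINGS_RELS))
    return [
        rel.get("Target")
        for rel in root.iter()
        if rel.tag.endswith("}Relationship")
        and rel.get("Type") == ATTACHED_TEMPLATE
        and rel.get("TargetMode") == "External"
    ]


def triage(doc_bytes: bytes, entropy_threshold: float = 6.5) -> dict:
    """Return the three indicators from the report plus an overall verdict."""
    z = zipfile.ZipFile(io.BytesIO(doc_bytes))
    names = z.namelist()
    report = {
        "remote_templates": remote_templates(z),
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
        "suspicious_customxml": [],
    }
    for n in names:
        # Only customXml/item<N>.xml parts, which is where the macro reads from.
        if re.fullmatch(r"customXml/item\d+\.xml", n):
            data = z.read(n)
            ent = shannon_entropy(data)
            if ent >= entropy_threshold or len(data) > 100_000:
                report["suspicious_customxml"].append((n, len(data), round(ent, 2)))
    # A remote template alone is worth blocking; a macro plus an opaque
    # customXml blob is the second stage of the same chain.
    report["verdict"] = bool(report["remote_templates"]) or (
        report["has_vba"] and bool(report["suspicious_customxml"]))
    return report


def build_sample(remote_url=None, with_vba=False, payload=None) -> bytes:
    """Constructed minimal OOXML container for offline testing (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = ['<?xml version="1.0"?><Relationships xmlns="http://schemas.'
                'openxmlformats.org/package/2006/relationships">']
        if remote_url:
            rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{remote_url}" TargetMode="External"/>')
        rels.append("</Relationships>")
        z.writestr(SETTINGS_RELS, "".join(rels))
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
        if payload is not None:
            z.writestr("customXml/item1.xml", payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample(remote_url="http://example.invalid/pitch.dotm")
    template = build_sample(with_vba=True, payload=bytes(range(256)) * 64)
    benign = build_sample(payload=b"<?xml version='1.0'?><props><name>x</name></props>")
    for label, doc in (("lure", lure), ("template", template), ("benign", benign)):
        print(label, triage(doc))
```

Run it against a real sample with `triage(open(path, "rb").read())`. The entropy test is deliberately coarse: a genuine customXml part with a large base64 blob can also score high, so treat the output as a triage signal to pair with the remote-template check and the macro's own behaviour, not as a standalone verdict.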