Caleb Boma | December 24th, 2020

Intelligence is certainly valuable and North Korean, government-connected threat actors have been trying to obtain it.

Two different incidents at a pharmaceutical company and government ministry have been detailed by security researchers. The incidents show the interest of the threat group, Lazarus, in COVID-19 related information.

As a group that is usually motivated financially, acquiring COVID-19 intelligence is out of the ordinary. It goes to show how threat actors are strategic in planning and will make decisions based on what brings them the most gain.

The pharmaceutical company experienced a breach in September and the governmental health ministry in October.

The Lazarus group deployed “BookCodes” malware on the pharmaceutical company with involvement in the development and distribution of the COVID-19 vaccine. BookCodes was used to install remote administration tools (RATs) on their networks.

In the health ministry incident, Lazarus took over windows servers to install the malware “wAgent” which is used to receive payloads from Lazarus’ servers.

The connection between these two attacks comes from the evidence in naming files, debugging messages, and the persistent usage of posing as Security Support Providers.

SpearTip personnel has seen the usage of coronavirus as a social engineering tactic in many different instances this year. The North Korean threat actors are using it as a phishing lure and are suspected of targeting pharmaceutical companies from different countries.

As these situations develop, our engineers are always keeping a watchful eye out. They work around the clock, 24/7 to keep your environment safe and defend against threat actors.

If your organization or business experiences a breach, call the Security Operations Center (SOC) at 833-997-7327 and we will assist you.