The North Korea-linked APT group Lazarus has recently launched cyberattacks against two entities involved in COVID-19 research.

A new attacks that were carried out by the APT group.The attacks aimed at a Ministry of Health and a pharmaceutical company involved in the development of the COVID-19 vaccine.

The systems at the pharmaceutical company were targeted with the BookCode malware, while in the attack against a Ministry of Health the APT group used the wAgent malware. Lazarus APT used the wAgent malware in attacks against cryptocurrency exchanges and businesses.

The backdoors allow the operators to take full control over the infected systems. The experts were not able to determine the initial infection vector in both attacks, they speculate the attackers launched spear-phishing attacks against their victims or used watering hole attacks.

The wAgent backdoor allows the attackers to executed various shell commands to gather information from the infected device. Experts noticed that Lazarus is using the wAgent backdoor to deliver an additional payload that has a persistence mechanism.

The BookCode backdoor was used by Lazarus hackers to gather system and network information from the targeted system, The malware extract infected host information, including password hashes, from the registry SAM dump.

The wAgent malware used against the health ministry has the same infection scheme as the malware that the Lazarus group used previously in attacks on cryptocurrency businesses.”

The attacks discovered by Kaspersky confirm the interest of the APT group in gathering intelligence on COVID-19-related activities.