
Gang Background

Lazarus is an APT group suspected to have a Northeast Asian background, and its Qi'anxin internal tracking number is APT-Q-1. The group gained widespread attention with its 2014 attack on Sony Pictures, with its activity dating back to 2007. Initially, Lazarus primarily targeted government agencies to steal sensitive intelligence, but since 2014, it has also begun attacking global financial institutions, cryptocurrency exchanges, and other targets, stealing financial assets from victims. Lazarus has repeatedly used fake social media accounts, disguised as job opportunities, to launch phishing attacks targeting individuals in specific industries.


Overview of the Incident

ClickFix is a social engineering technique that has emerged in recent years. The attacker shows the victim a non-existent fault and tricks the victim into "fixing" it by following instructions the attacker provides. The "repair" command that the victim actively runs is in fact disguised malicious code.

Lazarus incorporates ClickFix into phishing attacks that use fake job postings as bait. The attackers use this method to lure victims to interview websites set up for the fake job opportunities. The website guides the victim through preparing for the interview; when the victim follows the instructions, the website reports that the camera configuration does not meet the requirements or is faulty, and offers a repair solution. The repair command appears to download an Nvidia-related update, but its real purpose is to implant malware. Several recent reports from abroad [1, 2] have documented this phishing process.

Recently, Qi'anxin Threat Intelligence Center discovered a bat script related to the Lazarus ClickFix attack campaign, which downloads a fake Nvidia software package [3]. The package further deploys a Node.js environment and executes BeaverTail, a malware tool commonly used by the Lazarus group. On Windows 11 systems, the attacker additionally runs the backdoor drvUpdate.exe, which supports command execution and reading and writing specified files. Based on related samples, this attack activity also affects macOS users.


Detailed Analysis

The sample-related information is as follows:

MD5                               File name          Description
f9e18687a38e968811b93351e9fca089  ClickFix-1.bat     Downloads the malicious compressed package
a4e58b91531d199f268c5ea02c7bf456  nvidiaRelease.zip  Compressed package containing the malware
3ef7717c8bcb26396fc50ed92e812d13  run.vbs            Malicious script
983a8a6f4d0a8c887536f5787a6b01a2  shell.bat          Malicious script
b52e105bd040bda6639e958f7d9e3090  main.js            BeaverTail stealer
6175efd148a89ca61b6835c77acc7a8d  drvUpdate.exe      Backdoor targeting Windows 11

Attack Chain

After clicking and running ClickFix-1.bat , it downloads a malicious compressed package from hxxps://driverservices.store/visiodrive/nvidiaRelease.zip , decompresses the package, and executes the run.vbs script contained in it.

The contents of the downloaded compressed package nvidiaRelease.zip are as follows.

Run.vbs checks whether the operating system's build number is no less than 22000 (i.e., Windows 11). If so, the backdoor drvUpdate.exe contained in the compressed package is executed; its functionality is described later. Run.vbs then checks the Node.js version to determine whether a Node.js environment exists. If it does, shell.bat is executed directly; otherwise, shell.bat is run as an administrator.

Shell.bat downloads and installs the Node.js runtime environment if Node.js is not present.

It then runs the npm install and npm start commands in the directory where shell.bat is located.

Finally, persistence is established through the registry. The command added is "\"%USERPROFILE%\.pyp\pythonw.exe\" \"%USERPROFILE%\.n2\pay\"". This path is the usual save location for the Python Trojan InvisibleFerret that Lazarus downloads.

When shell.bat executes the npm command, npm runs main.js according to the configuration in package.json in the same directory.

Main.js is BeaverTail, the cross-platform stealer commonly used by Lazarus; its C2 server is hxxp://45.159.248.110. BeaverTail also downloads and deploys the Python Trojan InvisibleFerret from the C2 server.

MD5                               Download link                       Save location
17eb90ac00007154a6418a91bf8da9c7  hxxp://45.159.248.110/client/xyz2   [home_dir]/.npl
5e698d6f14e10616b0dbb1496e574a91  hxxp://45.159.248.110/payload/xyz2  [home_dir]/.n2/pay
d9fb02481d1df9f93b7d8e84dc7e097f  hxxp://45.159.248.110/brow/xyz2     [home_dir]/.n2/bow

Backdoor drvUpdate.exe

The drvUpdate.exe file in the downloaded compressed package is disguised as a driver update, but it is actually a backdoor that can execute cmd commands sent by the attacker and read and write specified files.

The C2 server that the backdoor connects to is 103.231.75.101:8888.

The backdoor sends a challenge message to the C2 server and compares the data it receives to determine whether the server is reachable and responding as expected.

Function 0x401620 is responsible for distributing backdoor instructions. The supported backdoor instructions are as follows.

Instruction code  Description
0x4               Returns collected device information, including user name, host name, operating system version, and network card IP and MAC addresses
0x6               Executes commands via cmd.exe
0x8               Writes to a file
0x9               Sleeps for 60 seconds, then sends "QA==\r\n" to the server
0x18              Reads the contents of the specified file

The command execution functions are as follows.

The write file function is as follows. This function has three sub-commands: "0" opens the specified file, "1" writes the specified content to the open file, and "2" closes the file.

The read file function is as follows.


Traceability Association

The commands in the initial-stage ClickFix-1.bat script are highly similar to those described in the Lazarus-related reports [1, 2], and the chain ultimately deploys BeaverTail and InvisibleFerret. We therefore attribute the relevant samples to the Lazarus group.

We found other samples from the attacker, covering both Windows and macOS. The Windows platform samples are as follows. Compared with the sample described above, the overall changes are not significant. The C2 server that the loaded BeaverTail malware connects to is hxxp://45.89.53.54.

File name             MD5                               Description
nvidiaReleasenew.zip  8c274285c5f8914cdbb090d72d1720d3  zip compressed package; download link: hxxps://driverservices.store/visiodrive/nvidiaReleasenew.zip
cam_driver            b73fd8f21a2ed093f8caf0cf4b41aa4d  zip compressed package; download link: hxxps://block-digital.online/drivers/cam_driver

The samples for the macOS platform are as follows. The disguised name arm64-fixer suggests a fix for the ARM64 architecture.

File name          MD5                               Description
arm64-fixer        cdf296d7404bd6193514284f021bfa54  zip compressed package; download link: hxxps://driverservices.store/visiodrive/arm64-fixer
arm64-fixernew     CBD183f5e5ed7d295d83e29b62b15431  zip compressed package; download link: hxxps://driverservices.store/visiodrive/arm64-fixernew
mac-v-j1722.fixer  a009cd35850929199ef60e71bce86830  Shell script that downloads arm64-fixernew

The shell script content is as follows. The same download URL is used for both the ARM64 and Intel chip architectures. After decompressing the downloaded package, the script executes drivfixer.sh.

The contents of the downloaded compressed package are as follows.

Drivfixer.sh likewise first checks whether Node.js exists and downloads and installs it if it does not.

It then sets up a plist to persist drivfixer.sh; the plist path is "~/Library/LaunchAgents/com.local.drvierUpdate.plist". After that, it executes main.js in the same directory through npm. Main.js contains the same BeaverTail as the Windows sample.
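As an added example (not from the report or Qi'anxin), the following Python hunt script checks a host for the persistence and drop artifacts described in the Windows and macOS sections above: the Run-key command that points at %USERPROFILE%\.pyp\pythonw.exe and .n2\pay, the BeaverTail save locations .npl, .n2/pay and .n2/bow under the home directory, and the macOS LaunchAgent com.local.drvierUpdate.plist. The Run-key values and the home-directory listing are constructed sample input; on a real host they would come from the registry and a directory walk.

```python
"""Host triage for the persistence and drop artifacts named in this report.
Added example, not Qi'anxin code; the indicator strings come from the report,
the sample input at the bottom is constructed."""
import re

# Registry Run value Lazarus adds for InvisibleFerret:
#   "%USERPROFILE%\.pyp\pythonw.exe" "%USERPROFILE%\.n2\pay"
RUN_VALUE_RE = re.compile(r'\\\.pyp\\pythonw\.exe.*\\\.n2\\pay', re.IGNORECASE)

# Home-relative paths BeaverTail writes, plus the macOS LaunchAgent plist.
DROP_PATHS = {".npl", ".n2/pay", ".n2/bow"}
LAUNCH_AGENT = "Library/LaunchAgents/com.local.drvierUpdate.plist"


def _normalise(path: str) -> str:
    """Turn a Windows or POSIX home-relative path into 'a/b/c' form."""
    return path.replace("\\", "/").strip("/")


def find_run_key_hits(run_values: dict) -> list:
    """run_values maps Run-key value names to their command lines.
    Returns the value names whose command matches the report's entry."""
    return [name for name, cmd in run_values.items() if RUN_VALUE_RE.search(cmd)]


def find_dropped_files(home_files) -> list:
    """home_files is a list of paths relative to the user's home directory.
    Returns the normalised paths that match a known drop location."""
    hits = []
    for p in home_files:
        n = _normalise(p)
        if n in DROP_PATHS or n == LAUNCH_AGENT:
            hits.append(n)
    return sorted(hits)


def triage(run_values: dict, home_files) -> dict:
    """Combine both checks into one verdict for the host."""
    run_hits = find_run_key_hits(run_values)
    file_hits = find_dropped_files(home_files)
    return {"run_key": run_hits, "files": file_hits,
            "suspicious": bool(run_hits or file_hits)}


# Constructed sample input: one benign Run entry and one matching the report.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Update": r'"%USERPROFILE%\.pyp\pythonw.exe" "%USERPROFILE%\.n2\pay"',
}
SAMPLE_HOME_FILES = [r".n2\pay", r".n2\bow", ".npl", "Documents/cv.pdf",
                     "Library/LaunchAgents/com.local.drvierUpdate.plist"]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN_VALUES, SAMPLE_HOME_FILES))
```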


Summary

Social engineering tactics often do not require complex technology, but because they exploit people's cognitive and psychological blind spots, attackers can manipulate victims into inadvertently "cooperating" to complete the attack. The frequent attacks across multiple platforms, including Windows and macOS, demonstrate the effectiveness of this method. Therefore, when visiting unfamiliar websites, be vigilant about any commands or files the website asks you to run locally, so as to avoid falling into such traps.


Protection Recommendations

Qi'anxin Threat Intelligence Center reminds users to be wary of phishing attacks. Do not open unidentified links shared on social media, click on or execute email attachments from unknown sources, run unknown files with exaggerated titles, or install apps from unofficial sources. Back up important files and install patches promptly.

If you need to run or install an application of unknown origin, you can first check it with the Qi'anxin Threat Intelligence File In-Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page). The platform currently supports in-depth analysis of files in various formats for the Windows and Android platforms.

At present, the full range of products based on threat intelligence data from Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform ( TIP), TianQing, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situational Awareness, etc., already support accurate detection of such attacks.


IOC


C&C

driverservices.store

block-digital.online

hxxp://45.159.248.110

hxxp://45.89.53.54

103.231.75.101:8888

URL

hxxps://driverservices.store/visiodrive/nvidiaRelease.zip

hxxps://driverservices.store/visiodrive/nvidiaReleasenew.zip

hxxps://driverservices.store/visiodrive/arm64-fixer

hxxps://driverservices.store/visiodrive/arm64-fixernew

hxxps://block-digital.online/drivers/cam_driver


Reference Links

[1] https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack

[2] https://medium.com/@anyrun/pylangghost-rat-rising-data-stealer-from-lazarus-group-targeting-finance-and-technology-d65cf790fb6d

[3] https://x.com/RedDrip7/status/1954801591938170935
