Last month, researchers at Kaspersky reported on a Lazarus APT campaign targeting both macOS and Windows users involved in the financial sector, particularly those using cryptocurrency exchanges. The Lazarus group, also known as Hidden Cobra, have been operating since at least 2009 and were most notoriously blamed for the 2014 hack on Sony. Of particular interest to us here at SentinelOne was the use of a malicious Word document that contained logic for both macOS systems and Windows systems. There’s nothing new about maliciously crafted Microsoft Office documents utilising VBA Macros, particularly when it comes to banking trojans, but ones also targeting macOS are not seen in the wild all that often. For that reason, we wanted to take a deeper look at the details behind how the attack worked that weren’t provided in the Kaspersky write-up.

We sourced the same document reported by Kaspersky targeting Korean users. Strangely for a campaign that Kaspersky mention was active from around late 2018, the document states its own creation date as some 4 years earlier, 3rd November 2014. A Google translation of the document’s contents reveals the document to be purportedly from a company named “Han Seung” and their representative “Jin Seok Kim”.