State-sponsored threat actors continue to exploit legitimate cloud services. In their latest campaign, uncovered by Malwarebytes during January 2022, the North Korean group Lazarus (AKA HIDDEN COBRA) has been carrying out spear phishing attacks, delivering a malicious document masquerading as a job opportunity from Lockheed Martin (37% of malware is now delivered via Office documents).
This campaign has two notable characteristics: the exploitation of Windows Update to execute the malicious code and bypass the security mechanisms, and the exploitation of GitHub as the command and control infrastructure. This second aspect is particularly interesting since it confirms the attraction of opportunistic and sponsored threat actors to cloud services, and not only to distribute ransomware. We have already seen recent cyber espionage campaigns carried out by APT groups, exploiting the likes of Slack and Dropbox.
As the researchers point out: “Using Github as a C2 has its own drawbacks but it is a clever choice for targeted and short term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections.”
Evasion is the key element here, but another interesting aspect is the simplicity of operation since the creation of a rogue GitHub account is a much simpler operation than setting up dedicated infrastructure for the attack.