Analysis of APT-C-26 (Lazarus) Group's Attack Campaign Using Remote IT Disguise to Deploy Monitoring Software

Nov. 21, 2025, 10:36 p.m.

Description

The report details an attack campaign by APT-C-26 (Lazarus), a highly active APT group targeting various industries worldwide. The group deployed a customized monitoring program with remote desktop control capabilities, likely operated by remote IT personnel who had infiltrated the target companies. The malware consists of a registration program, a daemon process, and a DLL file that implements the core monitoring functions. It uses a Windows Shell extension for persistence and creates a covert remote desktop environment. The analysis documents detection-evasion techniques, including disabling Windows Defender and manipulating firewall rules. The monitoring software captures screen data, uploads it to a server, and provides remote desktop functionality. Based on the analysis and the tactics used, the activity is attributed to the Lazarus group.

Date

  • Created: Nov. 21, 2025, 10:11 p.m.
  • Published: Nov. 21, 2025, 10:11 p.m.
  • Modified: Nov. 21, 2025, 10:36 p.m.

Attack Patterns

  • APT-C-26 (Lazarus)

Additional Information

  • Aerospace
  • Technology
  • Defense
  • Finance
  • Government