Lazarus Group Picks a New Poison: Medusa Ransomware
The North Korean threat group also leveraged Comebacker backdoor, Blindingcan RAT, and info stealer Infohook in its recent attacks.
The Lazarus Group has a new partner in crime.
The North Korean nation-state threat group dropped Medusa ransomware in a recent attack on an organization in the Middle East, according to new research from the Symantec and Carbon Black threat hunter team. Lazarus Group actors also attempted an unsuccessful attack on a US healthcare organization.
The researchers didn't identify either organization or specify the Middle East target's industrial sector.
Lazarus Group's embrace of Medusa shows the Democratic People's Republic of Korea's (DPRK) "rapacious involvement in cybercrime continues unabated," the researchers wrote. The attacks are also the latest example of the threat group's penchant for hitting critical infrastructure targets, most notably healthcare entities.
"While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn't seem to be in any way constrained," the threat hunter team stated in the report.
The Medusa ransomware gang initially started out as a closed operation but expanded in 2024 to a more open ransomware-as-a-service (RaaS) model. Additionally, Medusa actors have hit hundreds of critical infrastructure organizations over the years, making the gang a fitting partner for Lazarus.
Which Lazarus Group Unit Was Behind the Attacks?
Unlike most nation-state advanced persistent threat (APT) groups, Lazarus has long been involved in conventional cybercrime with financially motivated attacks on everything from energy sector organizations to cryptocurrency exchanges. Dick O'Brien, principal intelligence analyst for the Symantec and Carbon Black threat hunter team, says the Middle Eastern organization hit by the Medusa attack is a large business that "doesn't operate in a strategic sector or seem to possess valuable intellectual property. We believe it was purely financially motivated."
Partnering with Medusa, therefore, makes sense for Lazarus Group, given its history of ransomware and extortion attacks. However, Carbon Black hasn't determined which specific arm of Lazarus is behind these latest attacks.
"While the current Medusa ransomware attacks are undoubtedly the work of Lazarus, the blanket designation for North Korean state-sponsored activity, it is unclear which Lazarus sub-group is behind them," the report stated.
The researchers noted that while the Medusa attacks featured tactics, techniques, and procedures (TTPs) associated with a Lazarus sub-group known as Stonefly, the additional malware used by the threat actors, including a backdoor known as Comebacker, was previously tied to a different group tracked as Diamond Sleet.
Just the Ransomware, Please
In addition to the Comebacker malware, the Carbon Black threat hunter team found evidence of other malware and hacking tools frequently used by the Lazarus Group in the two attacks. These include Blindingcan, a remote access Trojan (RAT) tied to Lazarus, and an infostealer known as Infohook.
However, O'Brien tells Dark Reading that the threat hunter team didn't find any evidence of Lazarus actors using other Medusa tools or malware besides the payload. The ransomware gang has embraced the bring-your-own-vulnerable-driver (BYOVD) technique, deploying endpoint detection and response (EDR) killers to disable enterprise security defenses.
"We didn't see any evidence of defense evasion tools being used, such as vulnerable drivers," he says.
Still, BYOVD has become an increasingly popular tactic among ransomware gangs, and security teams should prepare for such threats. Defenses include blocking vulnerable drivers known to be used by threat actors and monitoring for privilege escalation attempts, since attackers need elevated privileges to load drivers onto targeted systems.
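As an added illustration of the blocklist-plus-monitoring defense described above (example code written for this page, not code from the article or from Symantec/Carbon Black), the following Python sketch triages constructed Sysmon driver-load events against a vulnerable-driver blocklist; the Sysmon field names are an assumption and every hash is a placeholder.

```python
"""Added example (not from the article): flag driver-load events whose hash or
name matches a known-vulnerable-driver blocklist, as a BYOVD defence. Assumes
Sysmon Event ID 6 (DriverLoad) fields flattened to JSON; every hash below is
a constructed placeholder, not a real driver hash."""
import json

# Constructed blocklist keyed by SHA-256; in practice populate it from a
# published vulnerable-driver list. Hash first: BYOVD drivers are validly
# signed, so signature checks alone do not catch them.
BLOCKLIST_SHA256 = {"aa" * 32: "constructed placeholder vulnerable driver"}
# Secondary match on file name, since attackers often rename dropped drivers.
BLOCKLIST_NAMES = {"vulnerable_example.sys"}

# Constructed Sysmon EID 6 events (plus one unrelated EID 1 event).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
                "Hashes": "SHA256=" + "11" * 32, "Signed": "true"}),
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Users\Public\kmon.sys",
                "Hashes": "SHA256=" + "aa" * 32, "Signed": "true"}),
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Temp\vulnerable_example.sys",
                "Hashes": "SHA256=" + "bb" * 32, "Signed": "false"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\explorer.exe"}),
]

def parse_hashes(field):
    """Turn Sysmon's 'SHA1=...,SHA256=...' string into {algorithm: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def evaluate_event(raw):
    """Return (verdict, reason) for one JSON event; only EID 6 is judged."""
    ev = json.loads(raw)
    if ev.get("EventID") != 6:
        return ("ignore", "not a driver-load event")
    path = ev.get("ImageLoaded", "")
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    name = path.rsplit("\\", 1)[-1].lower()
    if sha256 in BLOCKLIST_SHA256:
        return ("block", "hash on blocklist: " + BLOCKLIST_SHA256[sha256])
    if name in BLOCKLIST_NAMES:
        return ("block", "image name on blocklist: " + name)
    if ev.get("Signed", "").lower() != "true":
        return ("alert", "unsigned driver loaded")
    if not path.lower().startswith("c:\\windows\\"):
        return ("alert", "signed driver loaded from outside the Windows directory")
    return ("allow", "signed driver from the Windows directory")
```

Feed it real EID 6 events from your SIEM and replace the placeholder blocklist with a maintained vulnerable-driver list; the "alert" verdicts are the privilege-escalation and odd-location signals worth reviewing even when no blocklist entry matches.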
The threat hunter team's report included indicators of compromise from the two attacks, such as malicious file indicators, IP addresses, and URLs. In a separate security bulletin, Symantec included other indicators, such as behavior-based signals, which the vendor's products are now updated to detect and block.