Full Report
The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team. Broadcom's threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
**Attribution:** North Korea-linked.
**Known Aliases:** Diamond Sleet, Pompilus.
**Associated Groups:** The activity mirrors tactics previously seen from the Lazarus sub-cluster Andariel (aka Stonefly).
## Activity Summary
The Lazarus Group was observed using **Medusa ransomware** in a successful attack against an unnamed entity in the Middle East. They were also linked to an *unsuccessful* attack against a healthcare organization in the U.S. The use of Medusa ransomware suggests a tactical shift where North Korean actors may be operating as affiliates for established Ransomware-as-a-Service (RaaS) operations (like Medusa, which was launched by Spearwing) rather than only developing custom tools, likely for "pragmatism."
Historical context shows North Korean groups shifting from custom ransomware (e.g., SHATTEREDGLASS and Maui by Andariel; FakePenny by Moonstone Sleet) toward using off-the-shelf variants like Play ransomware and now Medusa.
## Tactics, Techniques & Procedures
- **Ransomware utilization:** Employing Medusa RaaS.
- **Information Stealing:** Use of the **InfoHook** information stealer.
- **Credential Access:** Use of **Mimikatz** for credential dumping.
- **Backdoor Deployment:** Use of the custom backdoor **Comebacker**.
- **Proxying/Evasion:** Use of the custom proxy utility **RP_Proxy**.
- **Persistent Access:** Use of the Remote Access Trojan (RAT) **BLINDINGCAN** (aka AIRDRY or ZetaNile).
- **Credential Harvesting:** Using **ChromeStealer** to extract passwords from the Chrome browser.
## Targeting
- **Sectors:** Healthcare, Non-profit (mental health sector), Educational facilities (autistic children), and an unnamed entity in the Middle East.
- **Geography:** Middle East, United States.
- **Victims:**
* Unnamed entity in the Middle East (successful Medusa attack).
* U.S. healthcare organization (unsuccessful Medusa attack).
* Specific mentions of U.S. victims on the Medusa leak site include a non-profit in the mental health sector and an educational facility for autistic children (it is unconfirmed if Lazarus executed all these Medusa attacks or if other affiliates were responsible).
## Tools & Infrastructure
- **Malware families used:** Medusa ransomware, RP\_Proxy (custom utility), Comebacker (custom backdoor), InfoHook (information stealer), BLINDINGCAN (RAT), ChromeStealer.
- **Infrastructure (C2, domains, IPs):** None explicitly detailed or provided in a format requiring defanging.
## Implications
The Lazarus Group continues its focus on financially motivated cybercrime, showing little restraint in targeting sensitive sectors like healthcare and non-profits in the U.S., despite industry norms related to reputational damage. Their adoption of RaaS variants reflects a pragmatic strategic shift towards leveraging proven, existing ransomware strains to maximize efficiency and revenue streams.
## Mitigations
- Implement robust detection and response capabilities for known tools utilized by the actor, especially credential dumping tools like Mimikatz.
- Monitor for the deployment of custom backdoors and information stealers associated with North Korean operations, such as Comebacker and InfoHook.
- Harden defenses specifically against Medusa ransomware indicators of compromise (IoCs) and network activity associated with RaaS affiliates.
- Since the actor targets key sectors without hesitation, strengthen security controls and segmentation across healthcare and critical infrastructure environments.