The Lazarus advanced persistent threat (APT) group, believed to be working on behalf of the North Korean government, has been spotted targeting security researchers with a trojanized version of IDA Pro, a popular reverse-engineering tool.
Discovered by researchers at ESET, the new campaign uses the legitimate IDA Pro 7.5 software bundled with two malicious components. The installer was modified to include two malicious DLLs, named idahelper.dll and win_fw.dll, that are executed when the software is installed.
The win_fw.dll component creates a Windows scheduled task that starts the second malicious component, idahelper.dll, from the IDA plugins folder. Once running, idahelper.dll attempts to download and execute a next-stage component (believed to be the NukeSped remote access trojan, according to Bleeping Computer) from the devguardmap[.]org site.
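The two persistence and download behaviours described above lend themselves to simple host and network checks. The following is an added example, not code from ESET or the original article: it scans a `schtasks /query /fo CSV /v`-style export for scheduled tasks whose action references either trojanized DLL, and scans DNS query logs for lookups of devguardmap.org or its subdomains. The CSV column names, log line layout and task entries are constructed sample data, and the article does not describe how the scheduled task actually launches the DLL, so the sample action is only an assumed placeholder.

```python
import csv
import io

# Indicators taken from the article: the two malicious DLLs and the download domain.
IOC_DLLS = ("idahelper.dll", "win_fw.dll")
IOC_DOMAIN = "devguardmap.org"

# Constructed sample: a reduced schtasks CSV export (real exports carry many
# more columns). The second task's action is an assumed placeholder; the
# article does not say how the task runs idahelper.dll.
SAMPLE_TASKS_CSV = r"""TaskName,Task To Run
\Microsoft\Windows\Defrag\ScheduledDefrag,%windir%\system32\defrag.exe -c -h -o -$
\IDAHelperUpdate,C:\Program Files\IDA Pro 7.5\plugins\idahelper.dll
\NightlyBackup,C:\Tools\backup.exe
"""

# Constructed sample DNS query log: "<timestamp> <host> query <type> <qname>".
SAMPLE_DNS_LOG = """2021-11-10T09:12:01Z host01 query A www.microsoft.com
2021-11-10T09:12:05Z host01 query A devguardmap.org
2021-11-10T09:13:44Z host02 query A cdn.devguardmap.org
2021-11-10T09:14:10Z host03 query A notdevguardmap.org
"""


def find_suspicious_tasks(csv_text):
    """Return (task name, matched DLL) for tasks whose action names an IOC DLL."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Task To Run"].lower()
        for dll in IOC_DLLS:
            if dll in action:
                hits.append((row["TaskName"], dll))
    return hits


def find_domain_queries(log_text):
    """Return (host, queried name) for lookups of the IOC domain or a subdomain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or blank lines
        qname = parts[-1].lower().rstrip(".")
        # Exact match or a true subdomain; "notdevguardmap.org" must not match.
        if qname == IOC_DOMAIN or qname.endswith("." + IOC_DOMAIN):
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    print(find_suspicious_tasks(SAMPLE_TASKS_CSV))
    print(find_domain_queries(SAMPLE_DNS_LOG))
```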
The NukeSped RAT is believed to be part of the Lazarus APT's malware arsenal. Its features include creating, iterating over, and terminating processes, and moving, reading, and writing files on the infected host.
"Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google's Threat Analysis Group and Microsoft," ESET researchers said in a series of tweets.
Earlier this year, Lazarus was observed using a clever method to bypass security mechanisms: hiding its malicious code within a bitmap (.BMP) image file that was used to drop a RAT capable of stealing sensitive information.