ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool Bookcode

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Bookcode

NamesBookcode
CategoryMalware
TypeReconnaissance, Backdoor, Info stealer, Exfiltration, Botnet
Description(Kaspersky) We recently observed the Lazarus group attacking a software vendor in South Korea using Bookcode, malware that we evaluate to be a Volgmer variant, utilizing a watering-hole attack to deliver it. Manuscrypt is one of the Lazarus group’s tools that is actively being updated and used. The group attacked the same victim twice. Almost a year prior to compromising this victim, Lazarus attempted to infect it by masquerading as a well-known security tool, but failed. We were able to construct the group’s post-exploitation activity, identifying various freeware and red-teaming tools used.
Although Lazarus has recently tended to focus more on targeting the financial industry, we believe that in this campaign they were seeking to exfiltrate intellectual property. We also observed that they previously spread Bookcode using a decoy document related to a company working in the defense sector. Based on our observations, we evaluate that the Bookcode malware is being used exclusively for cyber-espionage campaigns.
Information<https://securelist.com/apt-trends-report-q2-2020/97937/>

Last change to this tool card: 30 July 2020

Download this tool card in JSON format

Previous: BONDUPDATER
Next: Bookworm

All groups using tool Bookcode

ChangedNameCountryObserved

APT groups

XLazarus Group, Hidden Cobra, Labyrinth ChollimaNorth Korea2007-Feb 2024 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]