Virus Bulletin: Lazarus Group, a mahjong game played with different sets of tiles

Posted by Erdal, 2021-07-12

Lazarus Group, a mahjong game played with different sets of tiles

Please click the link below to read the full article. Below is a summary for those who want to see what the article covers:

https://www.virusbulletin.com/virusbulletin/2019/06/vb2018-paper-lazarus-group-mahjong-game-played-different-sets-tiles/#ref25

The number of incidents attributed to the Lazarus Group, a.k.a. Hidden Cobra, has grown rapidly since its estimated establishment in 2009. This notorious group intensified its efforts in 2017 (e.g. the attacks on Polish and Mexican banks, the WannaCryptor outbreak, the spear-phishing campaign against US contractors), and kept up the pace at the turn of the year (the Android-ported payloads, the bitcoin-oriented attacks, the Turkish campaign, and more). Attribution of these newer cases was determined by observing similarities with previously resolved cases: specific chunks of code, unique data, and network infrastructure. In this paper we summarize the crucial links that played a role in these major cases.

The source code of the group’s toolset appears to be modified with every attack. There are several static features that vary between the instances: dynamic Windows API resolution and the obfuscation of procedure and library names, the form of self-deleting batch files, the list of domains leveraged for fake TLS communication, the format strings included in TCP backdoors, the use of commercial packers, etc. The variety is so huge that it suggests that the Lazarus group may be split into multiple, independent, code-sharing cells. Our research investigates this idea further by exploring the undocumented PE Rich Header metadata, which once again indicates that there are various development environments producing the malicious binaries.

There are also several binaries from the Lazarus toolset that have not been publicly reported. Our study of these samples adds some interesting findings to the Lazarus puzzle: the very first iteration of WannaCryptor from 2016, in-the-wild experimentation with the malicious Java downloaders targeting multiple platforms, the use of a custom malware packer, and the presence of strange artifacts like Chinese language or South Korean cultural references. This paper will present previously unpublished details about the cyber-sabotage attack against an online casino in Central America from late 2017, and we will reveal the modus operandi of the Lazarus cell that was behind that attack.

[Image: WannaCry]

Reported cases

– Operation Troy and DarkSeoul

– Operation Blockbuster – the saga, the sequel and going mobile

– SWIFT attack in Bangladesh

– Polish and Mexican banks

– WannaCryptor outbreak

– Bitcoin-oriented attacks

– The Turkish Bankshot

Their attack vectors and tooling

– Dynamic resolution of Windows APIs

– TCP backdoors

– Fake TLS protocol

– Self-deleting batch files

– PE Rich Header metadata
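As an added example (not code from the paper or from this post), here is a small Python parser for the PE Rich Header named in the list above: it decodes the XOR-masked @comp.id entries (product id, build number, use count) that reveal which toolchains built a binary, and recomputes the checksum that the XOR key must equal, so an analyst can flag a header that was tampered with or transplanted from another file. The sample stub and its product ids are constructed values, not taken from any real Lazarus sample.

```python
import struct
DANS = 0x536E6144  # b"DanS" read as a little-endian DWORD; it opens the block

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(data, dans_off, entries):
    """Recompute the XOR key: DOS header bytes (e_lfanew skipped) plus comp.id entries."""
    s = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        s += rol32(data[i], i)
    for product, build, count in entries:
        s += rol32((product << 16) | build, count)
    return s & 0xFFFFFFFF

def parse_rich_header(data):
    """Return (key, dans_off, entries) with entries as (product_id, build, count), or None."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, e_lfanew)  # the block ends with "Rich" + key
    if rich_off < 0 or rich_off % 4 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    off = rich_off - 4  # walk back one DWORD at a time until the masked "DanS" appears
    while off >= 0x40 and struct.unpack_from("<I", data, off)[0] ^ key != DANS:
        off -= 4
    if off < 0x40:
        return None
    entries = []
    for pos in range(off + 16, rich_off, 8):  # skip "DanS" and three key-padding DWORDs
        comp_id, count = (x ^ key for x in struct.unpack_from("<II", data, pos))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, off, entries

def build_sample(entries):
    """Constructed MZ stub carrying a Rich header for the given entries (not a real binary)."""
    dans_off = 0x80  # DOS header (0x40) + a 0x40-byte zeroed DOS stub
    dos = bytearray(b"MZ" + b"\x00" * (dans_off - 2))
    key = rich_checksum(dos, dans_off, entries)
    body = struct.pack("<4I", DANS ^ key, key, key, key)
    for product, build, count in entries:
        body += struct.pack("<II", ((product << 16) | build) ^ key, count ^ key)
    body += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, dans_off + len(body))  # e_lfanew -> "PE\0\0"
    return bytes(dos) + body + b"PE\x00\x00"
```

Feeding real files to `parse_rich_header` and grouping them by their (product, build) tuples is the kind of clustering the paper uses to argue for multiple development environments; a checksum mismatch means the header cannot be trusted for that purpose.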

Conclusion

Considering the scale of the Lazarus operations, together with the often severe impact on their victims, even on a global scale, the group is clearly well organized. We see that the group continues to be a threat all around the globe, even more than a decade after its first recorded appearance. The group tends to achieve a high outcome with minimal effort, and usually reuses existing proofs of concept and tools, only very rarely creating anything from scratch. The group doesn’t seem to have a single goal: sometimes they steal in order to obtain funds, and the next time they strike it may be cyber espionage with destructive malware.

The attribution was not straightforward in most of the cases discussed in this paper, and it often depends on fine details. The diversity of the tools involved and approaches taken is so wide that it is really hard to believe that they all come from a single environment. This, together with the results of the PE Rich Header analysis, leads us to believe that there are multiple code development units. These units may, or may not, be pulling in the same, one-way direction.

Cybersecurity Books by Dr Erdal Ozkaya

https://www.erdalozkaya.com/about-erdal-ozkaya/my-books/

Comment (1)

  • Ali Akbar Reply

    I’m now not sure where you are getting your information, but great topic.
    I need to spend some time studying more or working out more.
    Thank you for the excellent information; I had been on the lookout
    for this info for my mission.

    30/03/2020 at 17:55
