Virus Bulletin : Lazarus Group: a mahjong game played with different sets of tiles

Please go ahead and click the link below to read the full article .  Below is a summary for the ones who want see what’s in the article :

https://www.virusbulletin.com/virusbulletin/2019/06/vb2018-paper-lazarus-group-mahjong-game-played-different-sets-tiles/#ref25

The number of incidents attributed to the Lazarus Group, a.k.a. Hidden Cobra, has grown rapidly since its estimated establishment in 2009. This notorious group intensified its efforts in 2017 (e.g. the attacks on Polish and Mexican banks, the WannaCryptor outbreak, the spear-phishing campaign against US contractors), and kept up the pace at the turn of the year (the Android-ported payloads, the bitcoin-oriented attacks, the Turkish campaign, and more). Attribution of these newer cases was determined by observing similarities with previously resolved cases: specific chunks of code, unique data, and network infrastructure. In this paper we summarize the crucial links that played a role in these major cases.

The source code of the group’s toolset appears to be modified with every attack. There are several static features that vary between the instances: dynamic Windows API resolution and the obfuscation of procedure and library names, the form of self-deleting batch files, the list of domains leveraged for fake TLS communication, the format strings included in TCP backdoors, the use of commercial packers, etc. The variety is so huge that it suggests that the Lazarus group may be split into multiple, independent, code-sharing cells. Our research investigates this idea further by exploring the undocumented PE Rich Header metadata, which once again indicates that there are various development environments producing the malicious binaries.

There are also several binaries from the Lazarus toolset that have not been publicly reported. Our study of these samples adds some interesting findings to the Lazarus puzzle: the very first iteration of WannaCryptor from 2016, in-the-wild experimentation with the malicious Java downloaders targeting multiple platforms, the use of a custom malware packer, and the presence of strange artifacts like Chinese language or South Korean cultural references. This paper will present previously unpublished details about the cyber-sabotage attack against an online casino in Central America from late 2017, and we will reveal the modus operandi of the Lazarus cell that was behind that attack.

Reported cases

– Operation Troy and DarkSeoul

– Operation Blockbuster – the saga, the sequel and going mobile

– SWIFT attack in Bangladesh

– Polish and Mexican banks

– WannaCryptor outbreak

– Bitcoin-oriented attacks

–  The Turkish Bankshot

Their attack vectors and Tooling

–  Dynamic resolution of Windows APIs

– TCP backdoors

– Fake TLS protocol

– Self-deleting batch files

– PE Rich Header metadata

Conclusion

Considering the scale of the Lazarus operations, together with often severe impacts on their victims, even on a global scale, the group is clearly well organized. We see that the group continues to be a threat all around the globe, even more than a decade since its first recorded appearance. The group tends to achieve high outcome with minimum effort, and usually reuses already invented proofs of concepts and tools, only very rarely creating anything from scratch. The group doesn’t seem to have a single goal, and while sometimes they steal in order to obtain funds, the next time they strike may be cyber espionage with destructive malware.

The attribution was not straightforward in most of the cases discussed in this paper, and it often depends on fine details. The diversity of the tools involved and approaches taken is so wide that it is really hard to believe that they all come from a single environment. This, together with the results of the PE Rich Header analysis, leads us to believe that there are multiple code development units. These units may, or may not, be pulling in the same, one-way direction.

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *