Lazarus Group

Lazarus Group is a threat group that has been attributed to the North Korean government.[1] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[2] In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America.[3]

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[1] Some organizations track North Korean clusters or groups such as Bluenoroff,[4] APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

ID: G0032
Version: 1.1

Associated Group Descriptions

| Name | Description |
| --- | --- |
| HIDDEN COBRA | The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.[1][16] |
| Guardians of Peace | [1] |
| ZINC | [17] |
| NICKEL ACADEMY | [18] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1134 | Access Token Manipulation | Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with the API call CreateProcessAsUserA under that user's context.[2][5] |
| Enterprise | T1098 | Account Manipulation | Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator's account.[2][6] |
| Enterprise | T1010 | Application Window Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KiloAlfa keylogger also reports the title of the window in the foreground.[2][7][5] |
| Enterprise | T1067 | Bootkit | Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.[2][6] |
| Enterprise | T1110 | Brute Force | Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[2][8] |
| Enterprise | T1059 | Command-Line Interface | Lazarus Group malware uses cmd.exe to execute commands on victims.[2][6][9][10] |
| Enterprise | T1043 | Commonly Used Port | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.[2][8] |
| Enterprise | T1223 | Compiled HTML File | Lazarus Group has used CHM files to move concealed payloads.[11] |
| Enterprise | T1090 | Connection Proxy | Lazarus Group uses multiple proxies to obfuscate network traffic from victims.[12] |
| Enterprise | T1003 | Credential Dumping | Lazarus Group leveraged Mimikatz to extract the Windows credentials of currently logged-in users and stole passwords stored in browsers.[3] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.[2][6][9][13] |
| Enterprise | T1002 | Data Compressed | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.[2][7][8] |
| Enterprise | T1485 | Data Destruction | Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.[2] |
| Enterprise | T1132 | Data Encoding | A Lazarus Group malware sample encodes data with base64.[9] |
| Enterprise | T1022 | Data Encrypted | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. A Lazarus Group malware sample encrypts data using a simple byte-based XOR operation prior to exfiltration.[2][7][8][9] |
| Enterprise | T1005 | Data from Local System | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.[2][7][8] |
| Enterprise | T1074 | Data Staged | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[2][7] |
| Enterprise | T1089 | Disabling Security Tools | Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disables it entirely using netsh. Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[2][7][5][10] |
| Enterprise | T1488 | Disk Content Wipe | Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.[6] |
| Enterprise | T1487 | Disk Structure Wipe | Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine; the group has possessed MBR wiper malware since at least 2009.[10][2] |
| Enterprise | T1189 | Drive-by Compromise | Lazarus Group delivered RATANKBA to victims via a compromised legitimate website.[14] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.[2][8] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also performs exfiltration over the C2 channel.[2][7][9] |
| Enterprise | T1203 | Exploitation for Client Execution | Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.[15] |
| Enterprise | T1008 | Fallback Channels | Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.[2][8] |
| Enterprise | T1083 | File and Directory Discovery | Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[2][13] |
| Enterprise | T1107 | File Deletion | Lazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.[2][13] |
| Enterprise | T1158 | Hidden Files and Directories | A Lazarus Group VBA macro sets its file attributes to System and Hidden.[9] |
| Enterprise | T1056 | Input Capture | Lazarus Group malware KiloAlfa contains keylogging functionality.[2][5] |
| Enterprise | T1026 | Multiband Communication | Some Lazarus Group malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.[2][8] |
| Enterprise | T1050 | New Service | Several Lazarus Group malware families install themselves as new services on victims.[2][6] |
| Enterprise | T1027 | Obfuscated Files or Information | Lazarus Group malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.[2][7][8][9] |
| Enterprise | T1057 | Process Discovery | Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[2][7][9][13] |
| Enterprise | T1055 | Process Injection | A Lazarus Group malware sample performs reflective DLL injection.[9] |
| Enterprise | T1012 | Query Registry | Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.[2][7][9] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key.[2][8][9] |
| Enterprise | T1076 | Remote Desktop Protocol | Lazarus Group malware SierraCharlie uses RDP for propagation.[2][8] |
| Enterprise | T1105 | Remote File Copy | Several Lazarus Group malware families are capable of downloading and executing binaries from their C2 server.[2][6][7] |
| Enterprise | T1496 | Resource Hijacking | Lazarus Group subgroups such as Bluenoroff have used cryptocurrency mining software on victim machines.[4] |
| Enterprise | T1064 | Scripting | A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[13] |
| Enterprise | T1489 | Service Stop | Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.[6] |
| Enterprise | T1023 | Shortcut Modification | A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user's Startup folder.[9] |
| Enterprise | T1193 | Spearphishing Attachment | Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.[15] |
| Enterprise | T1071 | Standard Application Layer Protocol | A Lazarus Group malware sample conducts C2 over HTTP.[9] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads.[2] |
| Enterprise | T1082 | System Information Discovery | Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[2][6][7][9][13] |
| Enterprise | T1016 | System Network Configuration Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card's configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[2][7] |
| Enterprise | T1033 | System Owner/User Discovery | Various Lazarus Group malware enumerates logged-on users.[2][6][7][8][9] |
| Enterprise | T1124 | System Time Discovery | A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[13] |
| Enterprise | T1099 | Timestomp | Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp of legitimate .exe files (such as calc.exe or mspaint.exe) to their dropped files.[2][6][7][13] |
| Enterprise | T1065 | Uncommonly Used Port | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.[2][8] |
| Enterprise | T1204 | User Execution | Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[15] |
| Enterprise | T1077 | Windows Admin Shares | Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[2][8] |
| Enterprise | T1047 | Windows Management Instrumentation | Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[2][8] |

Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0347 | AuditCred | [19] | Command-Line Interface, Commonly Used Port, Connection Proxy, Deobfuscate/Decode Files or Information, File and Directory Discovery, File Deletion, New Service, Obfuscated Files or Information, Process Injection, Remote File Copy |
| S0245 | BADCALL | [20] | Commonly Used Port, Connection Proxy, Custom Cryptographic Protocol, Disabling Security Tools, Modify Registry, System Information Discovery, System Network Configuration Discovery |
| S0239 | Bankshot | [15] | Access Token Manipulation, Account Discovery, Automated Collection, Command-Line Interface, Data Encoding, Data from Local System, Data Obfuscation, Deobfuscate/Decode Files or Information, Execution through API, Exfiltration Over Command and Control Channel, Exploitation for Client Execution, File and Directory Discovery, File Deletion, Indicator Removal on Host, Modify Existing Service, Modify Registry, Process Discovery, Query Registry, Remote File Copy, Standard Application Layer Protocol, System Information Discovery, Timestomp, Uncommonly Used Port |
| S0181 | FALLCHILL | [12] | Custom Cryptographic Protocol, File and Directory Discovery, File Deletion, System Information Discovery, System Network Configuration Discovery, Timestomp |
| S0246 | HARDRAIN | [21] | Command-Line Interface, Commonly Used Port, Connection Proxy, Custom Cryptographic Protocol, Disabling Security Tools |
| S0376 | HOPLIGHT | [16] | Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Data Obfuscation, Disabling Security Tools, Exfiltration Over Command and Control Channel, Fallback Channels, File and Directory Discovery, Modify Registry, Pass the Hash, Process Injection, Query Registry, Remote File Copy, Service Execution, System Information Discovery, System Time Discovery, Uncommonly Used Port, Windows Management Instrumentation |
| S0271 | KEYMARBLE | [22] | Command-Line Interface, Commonly Used Port, Custom Cryptographic Protocol, File and Directory Discovery, File Deletion, Modify Registry, Process Discovery, Remote File Copy, Screen Capture, System Information Discovery, System Network Configuration Discovery |
| S0002 | Mimikatz | [3] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0108 | netsh | [7] | Connection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery |
| S0238 | Proxysvc | [13] | Automated Collection, Command-Line Interface, Commonly Used Port, Data Destruction, Data from Local System, Exfiltration Over Command and Control Channel, File and Directory Discovery, File Deletion, Process Discovery, Query Registry, Scripting, Service Execution, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Time Discovery |
| S0241 | RATANKBA | [23] | Account Discovery, Command-Line Interface, Commonly Used Port, PowerShell, Process Discovery, Process Injection, Query Registry, Remote File Copy, Remote System Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, Windows Management Instrumentation |
| S0364 | RawDisk | [2][6] | Data Destruction, Disk Content Wipe, Disk Structure Wipe |
| S0263 | TYPEFRAME | [24] | Command-Line Interface, Commonly Used Port, Connection Proxy, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, Disabling Security Tools, File and Directory Discovery, File Deletion, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Remote File Copy, Scripting, System Information Discovery, Uncommonly Used Port, User Execution |
| S0180 | Volgmer | [25] | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Data Encoding, Deobfuscate/Decode Files or Information, Execution through API, File and Directory Discovery, File Deletion, Masquerading, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Query Registry, Remote File Copy, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Uncommonly Used Port |
| S0366 | WannaCry | [26][27][28][29] | Custom Cryptographic Protocol, Data Encrypted for Impact, Exploitation of Remote Services, File and Directory Discovery, File Permissions Modification, Hidden Files and Directories, Inhibit System Recovery, Multi-hop Proxy, Multilayer Encryption, New Service, Peripheral Device Discovery, Remote Desktop Protocol, Remote File Copy, Remote System Discovery, Service Stop, System Network Configuration Discovery, Windows Management Instrumentation |

References

  1. US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  3. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  4. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  6. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  7. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  8. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  9. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  10. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  11. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.
  12. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  13. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  14. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  15. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  16. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  17. Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
  18. Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
  19. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  20. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  21. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  22. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  23. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  24. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  25. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  26. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  27. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  28. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  29. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.