Lazarus Group is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.  In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. 
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.
Associated Group Descriptions
|HIDDEN COBRA||The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.|
|Guardians of Peace|||
|Enterprise||T1134||Access Token Manipulation||Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call |
|Enterprise||T1098||Account Manipulation||Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.|
|Enterprise||T1010||Application Window Discovery||Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.|
|Enterprise||T1067||Bootkit||Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.|
|Enterprise||T1110||Brute Force||Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.|
|Enterprise||T1059||Command-Line Interface||Lazarus Group malware uses cmd.exe to execute commands on victims.|
|Enterprise||T1043||Commonly Used Port||Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.|
|Enterprise||T1223||Compiled HTML File||Lazarus Group has used CHM files to move concealed payloads as part of.|
|Enterprise||T1090||Connection Proxy||Lazarus Group uses multiple proxies to obfuscate network traffic from victims.|
|Enterprise||T1003||Credential Dumping||Lazarus Group leveraged Mimikatz to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.|
|Enterprise||T1024||Custom Cryptographic Protocol||Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.|
|Enterprise||T1002||Data Compressed||Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.|
|Enterprise||T1485||Data Destruction||Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.|
|Enterprise||T1132||Data Encoding||A Lazarus Group malware sample encodes data with base64.|
|Enterprise||T1022||Data Encrypted||Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.|
|Enterprise||T1005||Data from Local System||Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.|
|Enterprise||T1074||Data Staged||Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.|
|Enterprise||T1089||Disabling Security Tools||Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.|
|Enterprise||T1488||Disk Content Wipe||Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.|
|Enterprise||T1487||Disk Structure Wipe||Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.|
|Enterprise||T1189||Drive-by Compromise||Lazarus Group delivered RATANKBA to victims via a compromised legitimate website.|
|Enterprise||T1048||Exfiltration Over Alternative Protocol||Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.|
|Enterprise||T1041||Exfiltration Over Command and Control Channel||Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also performs exfiltration over the C2 channel.|
|Enterprise||T1203||Exploitation for Client Execution||Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.|
|Enterprise||T1008||Fallback Channels||Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.|
|Enterprise||T1083||File and Directory Discovery||Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.|
|Enterprise||T1107||File Deletion||Lazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.|
|Enterprise||T1158||Hidden Files and Directories||A Lazarus Group VBA Macro sets its file attributes to System and Hidden.|
|Enterprise||T1056||Input Capture||Lazarus Group malware KiloAlfa contains keylogging functionality.|
|Enterprise||T1026||Multiband Communication||Some Lazarus Group malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.|
|Enterprise||T1050||New Service||Several Lazarus Group malware families install themselves as new services on victims.|
|Enterprise||T1027||Obfuscated Files or Information||Lazarus Group malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.|
|Enterprise||T1057||Process Discovery||Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.|
|Enterprise||T1055||Process Injection||A Lazarus Group malware sample performs reflective DLL injection.|
|Enterprise||T1012||Query Registry||Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:|
|Enterprise||T1060||Registry Run Keys / Startup Folder||Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key.|
|Enterprise||T1076||Remote Desktop Protocol||Lazarus Group malware SierraCharlie uses RDP for propagation.|
|Enterprise||T1105||Remote File Copy||Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.|
|Enterprise||T1496||Resource Hijacking||Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines.|
|Enterprise||T1064||Scripting||A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.|
|Enterprise||T1489||Service Stop||Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.|
|Enterprise||T1023||Shortcut Modification||A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder.|
|Enterprise||T1193||Spearphishing Attachment||Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.|
|Enterprise||T1071||Standard Application Layer Protocol||A Lazarus Group malware sample conducts C2 over HTTP.|
|Enterprise||T1032||Standard Cryptographic Protocol||Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads.|
|Enterprise||T1082||System Information Discovery||Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.|
|Enterprise||T1016||System Network Configuration Discovery||Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.|
|Enterprise||T1033||System Owner/User Discovery||Various Lazarus Group malware enumerates logged-on users.|
|Enterprise||T1124||System Time Discovery||A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.|
|Enterprise||T1099||Timestomp||Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.|
|Enterprise||T1065||Uncommonly Used Port||Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.|
|Enterprise||T1204||User Execution||Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.|
|Enterprise||T1077||Windows Admin Shares||Lazarus Group malware SierraAlfa accesses the |
|Enterprise||T1047||Windows Management Instrumentation||Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.|
- US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
- Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
- US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
- US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.