Lazarus Group

Lazarus Group is a threat group that has been attributed to the North Korean government.[1] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[2] In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America.[3]

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[1] Some organizations track North Korean clusters or groups such as Bluenoroff,[4] APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

ID: G0032
Associated Groups: HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY
Version: 1.5
Created: 31 May 2017
Last Modified: 18 March 2021

Associated Group Descriptions

Name Description
HIDDEN COBRA: The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.[1][5]
Guardians of Peace: [1]
ZINC: [6]
NICKEL ACADEMY: [7]

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.[2][8]

Enterprise T1098 Account Manipulation

Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.[2][9]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Lazarus Group has acquired infrastructure related to their campaigns to act as distribution points and C2 channels.[10]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

Lazarus Group has hosted malicious downloads on Github.[10]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lazarus Group malware has conducted C2 over HTTP and HTTPS.[11][12][13][14]

Enterprise T1010 Application Window Discovery

Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KiloAlfa keylogger also reports the title of the window in the foreground.[2][15][8]

Enterprise T1560 Archive Collected Data

Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.[15][16][11]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.[16][11]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

A Lazarus Group malware sample encrypts data using a simple byte-based XOR operation prior to exfiltration.[2][15][16][11]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key.[2][16][11]

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder.[11]

Enterprise T1547 .005 Boot or Logon Autostart Execution: Security Support Provider

Lazarus Group has rebooted victim machines to establish persistence by installing an SSP DLL.[14]

Enterprise T1110 .003 Brute Force: Password Spraying

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[2][16]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Lazarus Group malware uses cmd.exe to execute commands on victims.[2][9][11][17][14] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[18]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Lazarus Group has used VBScript to gather information about a victim machine.[14]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lazarus Group has used PowerShell to download malicious payloads.[14]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Several Lazarus Group malware families install themselves as new services on victims.[2][9]

Enterprise T1485 Data Destruction

Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

A Lazarus Group malware sample encodes data with base64.[11]

Enterprise T1005 Data from Local System

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.[2][15][16] Lazarus Group has used wevtutil to export Windows security event logs.[14]

Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.[2][9][11][18]

Enterprise T1074 .001 Data Staged: Local Data Staging

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[2][15]

Enterprise T1491 .001 Defacement: Internal Defacement

Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.[4][9]

Enterprise T1587 .001 Develop Capabilities: Malware

Lazarus Group has developed several custom malware families for use in operations.[10]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine; the group has possessed MBR wiper malware since at least 2009.[17][2]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.[9]

Enterprise T1189 Drive-by Compromise

Lazarus Group delivered RATANKBA to victims via a compromised legitimate website.[19]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads.[2][9][11][18]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.[2][16]

Enterprise T1041 Exfiltration Over C2 Channel

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also performs exfiltration over the C2 channel.[2][15][11]

Enterprise T1203 Exploitation for Client Execution

Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.[20]

Enterprise T1008 Fallback Channels

Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.[2][16]

Enterprise T1083 File and Directory Discovery

Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[2][18]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.[11][12][13]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[2][15][8][17] During a 2019 intrusion, Lazarus Group disabled Windows Defender and Credential Guard as some of its first actions on the host.[14]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Various Lazarus Group malware modifies the Windows firewall to allow incoming connections, or disables it entirely, using netsh.[2][15][8]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Lazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.[2][18][14]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.[2][9][15][18]

Enterprise T1105 Ingress Tool Transfer

Several Lazarus Group malware families are capable of downloading and executing binaries from their C2 servers.[2][9][15][12][13]

Enterprise T1056 .001 Input Capture: Keylogging

Lazarus Group malware KiloAlfa contains keylogging functionality.[2][8]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

A Lazarus Group custom backdoor implant included a custom PE loader named "Security Package" that was added into the lsass.exe process via registry key.[14]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Lazarus Group has renamed the TAINTEDSCRIBE main executable to disguise itself as Microsoft's narrator.[21]

Enterprise T1112 Modify Registry

Lazarus Group has modified registry keys using the Windows reg utility for its custom backdoor implants.[14]

Enterprise T1571 Non-Standard Port

Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.[2][16]

Enterprise T1027 Obfuscated Files or Information

Lazarus Group malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.[2][15][16][11][13]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Lazarus Group has used Themida to pack at least two separate backdoor implants.[14]

Enterprise T1588 .004 Obtain Capabilities: Digital Certificates

Lazarus Group has obtained SSL certificates for their C2 domains.[10]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Lazarus Group leveraged Mimikatz to extract the Windows credentials of currently logged-in users and to steal passwords stored in browsers.[3] Lazarus Group has also used a custom version of Mimikatz to capture credentials.[14]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.[20]

Enterprise T1566 .003 Phishing: Spearphishing via Service

Lazarus Group has used fake job advertisements sent via LinkedIn to spearphish victims.[14]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.[2][9]

Enterprise T1057 Process Discovery

Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[2][15][11][18][13]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

A Lazarus Group malware sample performs reflective DLL injection.[11]

Enterprise T1090 .002 Proxy: External Proxy

Lazarus Group uses multiple proxies to obfuscate network traffic from victims.[22][13]

Enterprise T1012 Query Registry

Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnywhere, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.[2][15][11]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Lazarus Group malware SierraCharlie uses RDP for propagation.[2][16]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[2][16]

Enterprise T1496 Resource Hijacking

Lazarus Group includes sub-groups such as Bluenoroff that have used cryptocurrency mining software on victim machines.[4]

Enterprise T1489 Service Stop

Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.[9]

Enterprise T1218 .001 Signed Binary Proxy Execution: Compiled HTML File

Lazarus Group has used CHM files to move concealed payloads.[23]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

Lazarus Group has used mshta.exe to run malicious scripts and download programs.[14]

Enterprise T1082 System Information Discovery

Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[2][9][15][11][18]

Enterprise T1016 System Network Configuration Discovery

Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[2][15]

Enterprise T1033 System Owner/User Discovery

Various Lazarus Group malware enumerates logged-on users.[2][9][15][16][11][12]

Enterprise T1529 System Shutdown/Reboot

Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[17]

Enterprise T1124 System Time Discovery

A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[18]

Enterprise T1204 .002 User Execution: Malicious File

Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[20][14]

Enterprise T1047 Windows Management Instrumentation

Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[2][16]

Software

ID Name References Techniques
S0584 AppleJeus [10] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Launch Daemon, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Obfuscated Files or Information, Phishing: Spearphishing Link, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Msiexec, Subvert Trust Controls: Code Signing, System Information Discovery, System Services: Launchctl, User Execution: Malicious File, User Execution: Malicious Link, Virtualization/Sandbox Evasion: Time Based Evasion
S0347 AuditCred [24] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Process Injection, Proxy
S0245 BADCALL [25] Commonly Used Port, Data Obfuscation: Protocol Impersonation, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify System Firewall, Modify Registry, Non-Standard Port, Proxy, System Information Discovery, System Network Configuration Discovery
S0239 Bankshot [20] Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Automated Collection, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Non-Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Exploitation for Client Execution, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Modify Registry, Native API, Non-Standard Port, Process Discovery, Query Registry, System Information Discovery
S0520 BLINDINGCAN [26] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Shared Modules, Signed Binary Proxy Execution: Rundll32, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File
S0498 Cryptoistic [12] Data from Local System, Encrypted Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Non-Application Layer Protocol, System Owner/User Discovery
S0497 Dacls [12][13] Application Layer Protocol: Web Protocols, Create or Modify System Process: Launch Daemon, Create or Modify System Process: Launch Agent, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Masquerading, Obfuscated Files or Information, Process Discovery
S0567 Dtrack [27] Archive Collected Data, Boot or Logon Autostart Execution, Browser Bookmark Discovery, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Process Discovery, Process Injection: Process Hollowing, Query Registry, Shared Modules, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Valid Accounts
S0593 ECCENTRICBANDWAGON [28] Command and Scripting Interpreter: Windows Command Shell, Data Staged: Local Data Staging, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, Screen Capture
S0181 FALLCHILL [22] Create or Modify System Process: Windows Service, Data Obfuscation: Protocol Impersonation, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Timestomp, System Information Discovery, System Network Configuration Discovery
S0246 HARDRAIN [29] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Obfuscation: Protocol Impersonation, Impair Defenses: Disable or Modify System Firewall, Non-Standard Port, Proxy
S0376 HOPLIGHT [5] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Encoding: Standard Encoding, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Modify Registry, Non-Standard Port, OS Credential Dumping: Security Account Manager, Process Injection, Proxy, Query Registry, System Information Discovery, System Services: Service Execution, System Time Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0431 HotCroissant [30] Application Window Discovery, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Process Discovery, Scheduled Task/Job: Scheduled Task, Screen Capture, Service Stop, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery
S0271 KEYMARBLE [31] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Modify Registry, Process Discovery, Screen Capture, System Information Discovery, System Network Configuration Discovery
S0002 Mimikatz [3] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0108 netsh [15] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0238 Proxysvc [18] Application Layer Protocol: Web Protocols, Automated Collection, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Destruction, Data from Local System, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Process Discovery, Query Registry, System Information Discovery, System Network Configuration Discovery, System Services: Service Execution, System Time Discovery
S0241 RATANKBA [32] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Remote System Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, Windows Management Instrumentation
S0364 RawDisk [2][9] Data Destruction, Disk Wipe: Disk Structure Wipe, Disk Wipe: Disk Content Wipe
S0586 TAINTEDSCRIBE [21] Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Obfuscation: Protocol Impersonation, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Binary Padding, Process Discovery, Remote System Discovery, System Information Discovery, System Time Discovery
S0263 TYPEFRAME [33] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Modify Registry, Non-Standard Port, Obfuscated Files or Information, Proxy, System Information Discovery, User Execution: Malicious File
S0180 Volgmer [34] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information, Process Discovery, Query Registry, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery
S0366 WannaCry [35][36][37][38] Create or Modify System Process: Windows Service, Data Encrypted for Impact, Encrypted Channel: Asymmetric Cryptography, Exploitation of Remote Services, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Hide Artifacts: Hidden Files and Directories, Inhibit System Recovery, Lateral Tool Transfer, Peripheral Device Discovery, Proxy: Multi-hop Proxy, Remote Service Session Hijacking: RDP Hijacking, Remote System Discovery, Service Stop, System Network Configuration Discovery, Windows Management Instrumentation

References

  1. US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  3. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  4. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
  5. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  6. Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
  7. Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
  8. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  9. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  10. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  11. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  12. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  13. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  14. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  15. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  16. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  17. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  18. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  19. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  20. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  21. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  22. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  23. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.
  24. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  25. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  26. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  27. Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
  28. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  29. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  30. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  31. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  32. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  33. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  34. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  35. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  36. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  37. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  38. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.