Lazarus Group

Lazarus Group is a threat group that has been attributed to the North Korean government. [1] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [2] In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. [3]

ID: G0032
Aliases: Lazarus Group, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY
Version: 1.0

Alias Descriptions

NameDescription
Lazarus Group[2]
HIDDEN COBRA[1]
Guardians of Peace[1]
ZINC[15]
NICKEL ACADEMY[16]

Techniques Used

DomainIDNameUse
EnterpriseT1134Access Token ManipulationLazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.[2][4]
EnterpriseT1098Account ManipulationLazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.[2][5]
EnterpriseT1010Application Window DiscoveryLazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.[2][6][4]
EnterpriseT1067BootkitLazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.[2][5]
EnterpriseT1110Brute ForceLazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[2][7]
EnterpriseT1059Command-Line InterfaceLazarus Group malware uses cmd.exe to execute commands on victims.[2][5][8][9]
EnterpriseT1043Commonly Used PortSome Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.[2][7]
EnterpriseT1223Compiled HTML FileLazarus Group has used CHM files to move concealed payloads as part of.[10]
EnterpriseT1090Connection ProxyLazarus Group uses multiple proxies to obfuscate network traffic from victims.[11]
EnterpriseT1003Credential DumpingLazarus Group leveraged Mimikatz to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.[3]
EnterpriseT1024Custom Cryptographic ProtocolSeveral Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.[2][5][8][12]
EnterpriseT1002Data CompressedLazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.[2][6][7]
EnterpriseT1132Data EncodingA Lazarus Group malware sample encodes data with base64.[8]
EnterpriseT1022Data EncryptedLazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.[2][6][7][8]
EnterpriseT1005Data from Local SystemLazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.[2][6][7]
EnterpriseT1074Data StagedLazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[2][6]
EnterpriseT1089Disabling Security ToolsVarious Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[2][6][4][9]
EnterpriseT1189Drive-by CompromiseLazarus Group delivered RATANKBA to victims via a compromised legitimate website.[13]
EnterpriseT1048Exfiltration Over Alternative ProtocolLazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.[2][7]
EnterpriseT1041Exfiltration Over Command and Control ChannelLazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also performs exfiltration over the C2 channel.[2][6][8]
EnterpriseT1203Exploitation for Client ExecutionLazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.[14]
EnterpriseT1008Fallback ChannelsLazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.[2][7]
EnterpriseT1083File and Directory DiscoverySeveral Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[2][12]
EnterpriseT1107File DeletionLazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim. Additionally, Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine.[2][12][9]
EnterpriseT1158Hidden Files and DirectoriesA Lazarus Group VBA Macro sets its file attributes to System and Hidden.[8]
EnterpriseT1056Input CaptureLazarus Group malware KiloAlfa contains keylogging functionality.[2][4]
EnterpriseT1026Multiband CommunicationSome Lazarus Group malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.[2][7]
EnterpriseT1050New ServiceSeveral Lazarus Group malware families install themselves as new services on victims.[2][5]
EnterpriseT1027Obfuscated Files or InformationLazarus Group malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.[2][6][7][8]
EnterpriseT1057Process DiscoverySeveral Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[2][6][8][12]
EnterpriseT1055Process InjectionA Lazarus Group malware sample performs reflective DLL injection.[8]
EnterpriseT1012Query RegistryLazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.[2][6][8]
EnterpriseT1060Registry Run Keys / Startup FolderLazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key.[2][7][8]
EnterpriseT1076Remote Desktop ProtocolLazarus Group malware SierraCharlie uses RDP for propagation.[2][7]
EnterpriseT1105Remote File CopySeveral Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[2][5][6]
EnterpriseT1064ScriptingA Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[12]
EnterpriseT1023Shortcut ModificationA Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder.[8]
EnterpriseT1193Spearphishing AttachmentLazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.[14]
EnterpriseT1071Standard Application Layer ProtocolA Lazarus Group malware sample conducts C2 over HTTP.[8]
EnterpriseT1032Standard Cryptographic ProtocolLazarus Group malware uses Caracachs encryption to encrypt C2 payloads.[2]
EnterpriseT1082System Information DiscoverySeveral Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[2][5][6][8][12]
EnterpriseT1016System Network Configuration DiscoveryLazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[2][6]
EnterpriseT1033System Owner/User DiscoveryVarious Lazarus Group malware enumerates logged-on users.[2][5][6][7][8]
EnterpriseT1124System Time DiscoveryA Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[12]
EnterpriseT1099TimestompSeveral Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.[2][5][6][12]
EnterpriseT1065Uncommonly Used PortSome Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.[2][7]
EnterpriseT1204User ExecutionLazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[14]
EnterpriseT1077Windows Admin SharesLazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[2][7]
EnterpriseT1047Windows Management InstrumentationLazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[2][7]

Software

IDNameTechniques
S0245BADCALLCommonly Used Port, Connection Proxy, Custom Cryptographic Protocol, Disabling Security Tools, Modify Registry, System Information Discovery, System Network Configuration Discovery
S0239BankshotAccess Token Manipulation, Account Discovery, Automated Collection, Command-Line Interface, Data Encoding, Data from Local System, Data Obfuscation, Deobfuscate/Decode Files or Information, Execution through API, Exfiltration Over Command and Control Channel, Exploitation for Client Execution, File and Directory Discovery, File Deletion, Indicator Removal on Host, Modify Existing Service, Modify Registry, Process Discovery, Query Registry, Remote File Copy, Standard Application Layer Protocol, System Information Discovery, Timestomp, Uncommonly Used Port
S0181FALLCHILLCustom Cryptographic Protocol, File and Directory Discovery, File Deletion, System Information Discovery, System Network Configuration Discovery, Timestomp
S0246HARDRAINCommand-Line Interface, Commonly Used Port, Connection Proxy, Custom Cryptographic Protocol, Disabling Security Tools
S0271KEYMARBLECommand-Line Interface, Commonly Used Port, Custom Cryptographic Protocol, File and Directory Discovery, File Deletion, Modify Registry, Process Discovery, Remote File Copy, Screen Capture, System Information Discovery, System Network Configuration Discovery
S0002MimikatzAccount Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0108netshConnection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery
S0238ProxysvcAutomated Collection, Command-Line Interface, Commonly Used Port, Data from Local System, Exfiltration Over Command and Control Channel, File and Directory Discovery, File Deletion, Process Discovery, Query Registry, Scripting, Service Execution, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Time Discovery
S0241RATANKBAAccount Discovery, Command-Line Interface, Commonly Used Port, PowerShell, Process Discovery, Process Injection, Query Registry, Remote File Copy, Remote System Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, Windows Management Instrumentation
S0263TYPEFRAMECommand-Line Interface, Commonly Used Port, Connection Proxy, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, Disabling Security Tools, File and Directory Discovery, File Deletion, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Remote File Copy, Scripting, System Information Discovery, Uncommonly Used Port, User Execution
S0180VolgmerCommand-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Data Encoding, Deobfuscate/Decode Files or Information, Execution through API, File and Directory Discovery, File Deletion, Masquerading, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Query Registry, Remote File Copy, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Uncommonly Used Port

References