Lazarus Group is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.  In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. 
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.
Associated Group Descriptions
|Guardians of Peace|
|Enterprise||T1134||.002||Access Token Manipulation: Create Process with Token|
|Enterprise||T1583||.001||Acquire Infrastructure: Domains|
|.006||Acquire Infrastructure: Web Services|
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols|
|Enterprise||T1010||Application Window Discovery||
Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.
|Enterprise||T1560||Archive Collected Data|
|.002||Archive via Library|
|.003||Archive via Custom Method|
|Enterprise||T1547||.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|.005||Boot or Logon Autostart Execution: Security Support Provider|
|.009||Boot or Logon Autostart Execution: Shortcut Modification|
|Enterprise||T1110||.003||Brute Force: Password Spraying||
Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.
|Enterprise||T1059||.001||Command and Scripting Interpreter: PowerShell|
|.003||Command and Scripting Interpreter: Windows Command Shell||
Lazarus Group malware uses cmd.exe to execute commands on victims. A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.
|.005||Command and Scripting Interpreter: Visual Basic|
|Enterprise||T1543||.003||Create or Modify System Process: Windows Service|
|Enterprise||T1132||.001||Data Encoding: Standard Encoding|
|Enterprise||T1005||Data from Local System||
Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server. Lazarus Group has used wevtutil to export Window security event logs.
|Enterprise||T1001||.003||Data Obfuscation: Protocol Impersonation||
Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.
|Enterprise||T1074||.001||Data Staged: Local Data Staging|
|Enterprise||T1491||.001||Defacement: Internal Defacement|
|Enterprise||T1587||.001||Develop Capabilities: Malware|
|Enterprise||T1561||.001||Disk Wipe: Disk Content Wipe||
Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.
|.002||Disk Wipe: Disk Structure Wipe|
|Enterprise||T1573||.001||Encrypted Channel: Symmetric Cryptography||
Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads.
|Enterprise||T1048||.003||Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol|
|Enterprise||T1041||Exfiltration Over C2 Channel||
Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also performs exfiltration over the C2 channel.
|Enterprise||T1203||Exploitation for Client Execution|
|Enterprise||T1083||File and Directory Discovery||
Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.
|Enterprise||T1564||.001||Hide Artifacts: Hidden Files and Directories|
|Enterprise||T1562||.001||Impair Defenses: Disable or Modify Tools||
Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.. During a 2019 intrusion, Lazarus Group disabled Windows Defender and Credential Guard as some of their first actions on host.
|.004||Impair Defenses: Disable or Modify System Firewall|
|Enterprise||T1070||.004||Indicator Removal on Host: File Deletion||
Lazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.
|.006||Indicator Removal on Host: Timestomp||
Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.
|Enterprise||T1105||Ingress Tool Transfer|
|Enterprise||T1056||.001||Input Capture: Keylogging|
|Enterprise||T1036||.004||Masquerading: Masquerade Task or Service|
|.005||Masquerading: Match Legitimate Name or Location|
|Enterprise||T1027||Obfuscated Files or Information|
|Enterprise||T1588||.004||Obtain Capabilities: Digital Certificates|
|Enterprise||T1003||.001||OS Credential Dumping: LSASS Memory||
Lazarus Group leveraged Mimikatz to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers. Lazarus Group has also used a custom version Mimikatz to capture credentials.
|Enterprise||T1566||.001||Phishing: Spearphishing Attachment|
|.003||Phishing: Spearphishing via Service|
|Enterprise||T1542||.003||Pre-OS Boot: Bootkit|
Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.
|Enterprise||T1055||.001||Process Injection: Dynamic-link Library Injection|
|Enterprise||T1090||.002||Proxy: External Proxy|
Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:
|Enterprise||T1021||.001||Remote Services: Remote Desktop Protocol|
|.002||Remote Services: SMB/Windows Admin Shares|
|Enterprise||T1218||.001||Signed Binary Proxy Execution: Compiled HTML File|
|.005||Signed Binary Proxy Execution: Mshta|
|Enterprise||T1082||System Information Discovery||
Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server..
|Enterprise||T1016||System Network Configuration Discovery||
Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.
|Enterprise||T1033||System Owner/User Discovery|
|Enterprise||T1124||System Time Discovery|
|Enterprise||T1204||.002||User Execution: Malicious File|
|Enterprise||T1047||Windows Management Instrumentation|
- US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
- Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
- F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
- US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
- US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
- Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
- Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
- US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
- US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
- US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.