Group: Lazarus Group

ID: G0032
Aliases: Lazarus Group

Lazarus Group is a threat group that has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment. It was responsible for a campaign known as Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[1]

Techniques Used

  • Obfuscated Files or Information - Lazarus Group malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.[1][2][3]
  • Custom Command and Control Protocol - Lazarus Group malware uses a unique form of communication encryption that mimics TLS but uses a different encryption method, so SSL man-in-the-middle decryption cannot inspect the traffic.[1]
  • File Deletion - Lazarus Group malware contains "suicide scripts" that delete the malware binaries from the victim. It also uses secure file deletion to remove files from the victim.[1]
  • File and Directory Discovery - Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families also enumerate files and directories on lettered drives.[1]
  • New Service - Several Lazarus Group malware families install themselves as new services on victims.[4]
  • System Information Discovery - Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information.[4][2]
  • Timestomp - Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp of legitimate .exe files (such as calc.exe or mspaint.exe) onto their dropped files.[4][2]
  • Credential Manipulation - Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator's account.[4]
  • Custom Cryptographic Protocol - Several Lazarus Group malware families encrypt C2 traffic using custom code that combines XOR with an ADD operation and XOR with a SUB operation.[4]
  • Remote File Copy - Several Lazarus Group malware families are capable of downloading and executing binaries from their C2 servers.[4][2]
  • Disabling Security Tools - Various Lazarus Group malware samples use netsh to modify the Windows firewall to allow incoming connections or to disable it entirely.[2][5] Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee.[5]
  • Process Discovery - Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server.[2]
  • Application Window Discovery - Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process.[2] The KiloAlfa keylogger also reports the title of the window in the foreground.[5]
  • Local Network Configuration Discovery - Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card's configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[2]
  • Query Registry - Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnywhere, and Remote Desktop.[2]
  • Data Compressed - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.[2] Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.[3]
  • Data Encrypted - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.[2] Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.[3]
  • Data Staged - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file in the %TEMP% directory, which is then compressed, encrypted, and uploaded to a C2 server.[2]
  • Data from Local System - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers.[2] Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading them to its C2 server.[3]
  • Input Capture - Lazarus Group malware KiloAlfa contains keylogging functionality.[5]
  • Multiband Communication - Some Lazarus Group malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.[3]
  • Windows Admin Shares - Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[3]
  • Windows Management Instrumentation - Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[3]
  • Fallback Channels - Lazarus Group malware SierraAlfa sends data to one of its hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server and attempts the transmission again.[3]
  • System Owner/User Discovery - Lazarus Group malware SierraAlfa and WhiskeyAlfa-Three enumerate logged-on users. Lazarus Group malware IndiaIndia collects the victim's username and sends it to the C2 server.[2][3][4]
  • Brute Force - Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[3]
  • Commonly Used Port - Some Lazarus Group malware uses an ordered list of port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.[3]
  • Uncommonly Used Port - Some Lazarus Group malware uses an ordered list of port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.[3]
  • Bootkit - Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware persists even if the victim machine is shut down.[4]
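The Timestomp entry above describes dropped files whose timestamps were copied from legitimate binaries such as calc.exe or mspaint.exe. The following is an added defensive example, not code from ATT&CK or from any of the cited reports: it flags files whose modification time matches, to the second, the modification time of a known reference binary. The reference binaries, the scan directory and the dropped-file name `svchost32.dll` are all constructed in a temporary directory so the script runs offline; on a real Windows host you would pass the real System32 binaries as references and scan user-writable paths.

```python
"""Added example (not from the ATT&CK page or the cited reports): hunt for
files whose mtime was copied from a legitimate system binary, the timestomping
pattern described for Lazarus Group dropped files."""
import os
import tempfile
from pathlib import Path


def reference_mtimes(reference_files):
    """Map each reference binary's mtime (whole seconds) to the binaries that
    carry it. Whole seconds are used because a copied timestamp is exact,
    while coincidental matches at second granularity are rare for files in
    user-writable locations."""
    table = {}
    for ref in reference_files:
        table.setdefault(int(os.stat(ref).st_mtime), []).append(str(Path(ref).resolve()))
    return table


def find_timestamp_clones(scan_dir, reference_files):
    """Return [(suspect_path, reference_path)] for every file under scan_dir
    whose mtime equals a reference binary's mtime. The reference files
    themselves are skipped so they do not match against their own stamp."""
    refs = reference_mtimes(reference_files)
    ref_paths = {p for paths in refs.values() for p in paths}
    hits = []
    for path in Path(scan_dir).rglob("*"):
        if not path.is_file():
            continue
        resolved = str(path.resolve())
        if resolved in ref_paths:
            continue
        for ref in refs.get(int(path.stat().st_mtime), []):
            hits.append((resolved, ref))
    return hits


def build_demo():
    """Construct a sandbox (all names and timestamps are made up):
    two fake system binaries with old mtimes, one dropped file that copied
    calc.exe's mtime, and one benign file left with its real mtime."""
    root = Path(tempfile.mkdtemp(prefix="timestomp_demo_"))
    sys32 = root / "System32"
    temp = root / "Temp"
    sys32.mkdir()
    temp.mkdir()

    calc_time = 1_200_000_000      # constructed: 2008-01-10, like an OS-install stamp
    mspaint_time = 1_200_000_123   # constructed: a different old stamp
    calc = sys32 / "calc.exe"
    mspaint = sys32 / "mspaint.exe"
    calc.write_bytes(b"MZ fake calc")
    mspaint.write_bytes(b"MZ fake mspaint")
    os.utime(calc, (calc_time, calc_time))
    os.utime(mspaint, (mspaint_time, mspaint_time))

    dropped = temp / "svchost32.dll"   # constructed dropped-file name
    dropped.write_bytes(b"MZ dropped payload stand-in")
    os.utime(dropped, (calc_time, calc_time))  # timestamp copied from calc.exe

    benign = temp / "report.txt"       # keeps the current time as its mtime
    benign.write_text("ordinary user file")
    return root, [calc, mspaint]


if __name__ == "__main__":
    demo_root, demo_refs = build_demo()
    for suspect, ref in find_timestamp_clones(demo_root, demo_refs):
        print(f"timestamp of {suspect} matches {ref}")
```

A match is a lead, not a verdict: files installed together by the same package legitimately share timestamps, so the hit list should be filtered by location (user-writable or staging paths such as %TEMP%) and cross-checked against the NTFS $FILE_NAME timestamps, which the usual timestomping APIs do not touch.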
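The Brute Force entry above describes share-connection attempts using permutations of the Administrator username and weak passwords. The following is an added detection example, not code from ATT&CK or the cited reports: it parses a constructed sample of Windows Security events (EventID 4625 failed logon, 4624 successful logon, logon type 3 for network logons such as SMB share connections) and raises one alert per source address that produces a burst of failures across several Administrator-like usernames, noting whether a success followed the burst. The line format, the addresses and the usernames are all constructed for the example.

```python
"""Added example (not from the ATT&CK page or the cited reports): detect a
share-connection username spray of the kind described in the Brute Force
entry, from Windows Security logon events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified one-line format.
# 4625 = failed logon, 4624 = successful logon, LogonType=3 = network logon.
SAMPLE_EVENTS = """\
2016-02-23T10:00:01Z 4625 TargetUserName=Administrator IpAddress=10.0.0.23 LogonType=3
2016-02-23T10:00:02Z 4625 TargetUserName=administrator IpAddress=10.0.0.23 LogonType=3
2016-02-23T10:00:03Z 4625 TargetUserName=Admin IpAddress=10.0.0.23 LogonType=3
2016-02-23T10:00:04Z 4625 TargetUserName=ADMIN IpAddress=10.0.0.23 LogonType=3
2016-02-23T10:00:05Z 4625 TargetUserName=Administrator1 IpAddress=10.0.0.23 LogonType=3
2016-02-23T10:00:06Z 4625 TargetUserName=adm IpAddress=10.0.0.23 LogonType=3
2016-02-23T10:00:07Z 4624 TargetUserName=Administrator IpAddress=10.0.0.23 LogonType=3
2016-02-23T10:15:00Z 4625 TargetUserName=jsmith IpAddress=10.0.0.50 LogonType=2
2016-02-23T10:15:30Z 4625 TargetUserName=jsmith IpAddress=10.0.0.50 LogonType=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d{4}) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<lt>\d+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not fit
    the format are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "user": m["user"],
            "ip": m["ip"],
            "lt": int(m["lt"]),
        })
    return events


def looks_like_admin_variant(user):
    """Heuristic for the 'permutations of Administrator' pattern."""
    return "adm" in user.lower()


def detect_share_spray(events, window=timedelta(minutes=2),
                       min_failures=5, min_users=3):
    """One alert per source IP whose network-logon failures, inside a sliding
    window, reach min_failures across at least min_users distinct usernames.
    Also reports whether that source logged on successfully after the burst."""
    by_ip = defaultdict(list)
    for e in events:
        if e["lt"] == 3:           # SMB share connections are network logons
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["eid"] == 4625]
        for i, start in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            users = sorted({e["user"].lower() for e in burst})
            if len(burst) >= min_failures and len(users) >= min_users:
                last = burst[-1]["ts"]
                success = any(e["eid"] == 4624 and e["ts"] >= last for e in evs)
                alerts.append({
                    "ip": ip,
                    "failures": len(burst),
                    "distinct_users": users,
                    "admin_variants": sum(looks_like_admin_variant(u) for u in users),
                    "success_after_burst": success,
                })
                break              # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_share_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The interactive failures from 10.0.0.50 are ignored because the rule keys on logon type 3, which keeps a user mistyping a console password from tripping it; the thresholds are deliberately low for the sample and should be tuned to the environment's baseline before use.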

Software