Group: Lazarus Group, HIDDEN COBRA, ...

From enterprise
Jump to: navigation, search
Lazarus Group, HIDDEN COBRA, ...
Group
ID G0032
Aliases Lazarus Group, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY

Lazarus Group is a threat group that has been attributed to the North Korean government.1 The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.2

Alias Descriptions

  • Lazarus Group - 2
  • HIDDEN COBRA - 1
  • Guardians of Peace - 1
  • ZINC - 3
  • NICKEL ACADEMY - 4

Techniques Used

  • File Deletion - Lazarus Group malware contains "suicide scripts" to delete malware binaries from the victim. It also uses secure file deletion to delete files from the victim.2
  • Timestomp - Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.85
  • Application Window Discovery - Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process.5 The KilaAlfa keylogger also reports the title of the window in the foreground.9
  • System Network Configuration Discovery - Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.5
  • Query Registry - Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop.5 Another Lazarus Group malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.7
  • Data Compressed - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.5 Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.6
  • Data Encrypted - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.5 Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.6 A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.7
  • Data Staged - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.5
  • Data from Local System - Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers.5 Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.6
  • Multiband Communication - Some Lazarus Group malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.6
  • Fallback Channels - Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.6
  • Brute Force - Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.6
  • Commonly Used Port - Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.6
  • Uncommonly Used Port - Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.6
  • Bootkit - Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.8

Software

References