Top threat groups targeting Brazil: meet the Lazarus Group

By Ismael Rocha: An advanced persistent threat (APT) works to gain access to computer networks and systems without being detected or noticed. These threats, sometimes executed by a nation-state or a state-sponsored group, can steal private and secret information, damage IT systems and disrupt the functioning of vital systems. Defending against advanced persistent threats is difficult because they act stealthily and their intrusions can be hard to recognize.

Brazil is a country with a wide variety of economic sectors, such as education/research, financial, health, government/military, retail, energy, communication and technology, among others. These sectors move large amounts of money for governments and organizations, which attracts the interest of advanced threat groups. Hence the marked increase in cyber attacks by cybercriminals seeking financial gain, access to secret and confidential files, or disruption of the country.

The hacking group known as the Lazarus Group is an advanced threat that utilizes sophisticated techniques to compromise computer networks and systems. They employ a variety of hacking techniques, including customized malware, phishing attacks, social engineering, and exploitation of security vulnerabilities. Some of the most frequently used techniques are described below:

  • Custom malware - The group is known for developing its own malware for use in its attacks. It has created several malware families, including the Manuscrypt backdoor, the Fallchill trojan and the WannaCry ransomware.
  • Phishing attacks - The group also uses phishing to trick victims into clicking on malicious links or downloading infected files. Phishing emails may look legitimate and often include a link or attachment that, when clicked or downloaded, installs malware on the victim's computer.
  • Social engineering - Lazarus is known to use social engineering techniques to gain access to victims' systems. This can include using false pretenses to obtain sensitive information such as usernames and passwords.
  • Exploitation of security vulnerabilities - The group is well known for exploiting known security vulnerabilities in systems and software to gain unauthorized access to computer networks and systems.

The Lazarus group's targets include governments, companies and organizations around the world, from diverse sectors including finance, energy, cryptocurrencies and media. The group's motivations may vary, but in general, they seek to obtain confidential and financial information for their own benefit or for political purposes.

Lazarus Group operating mode

Figure 1 - Threat mode of operation

The Lazarus Group advanced threat attack chain typically involves several steps, including:

  • Reconnaissance - The group collects information about the target through social engineering techniques, such as phishing, and collecting publicly available information on the internet.
  • Delivery - After identifying their targets, the group uses various techniques to deliver their malicious payload, such as phishing, social engineering and exploiting vulnerabilities in outdated systems.
  • Exploitation - Once the malicious payload is successfully delivered, the group uses exploitation techniques to gain access to the target's system. This may involve exploiting known software vulnerabilities, using previously installed backdoors, or other methods.
  • Propagation - Within the system, the group spreads to other devices and systems within the target's network in order to ensure persistent access and maximize the impact of the attack.
  • Information theft - The Lazarus Group's primary goal is to steal sensitive information such as intellectual property, trade secrets, personal data and financial information. The group uses advanced espionage techniques to steal this information and transfer it to their command and control servers.
  • Malicious actions - The group can perform other malicious actions such as installing backdoors, creating user accounts with elevated privileges and exfiltrating data in order to maintain access and continue to steal information.

In summary, the Lazarus Group is a highly sophisticated group that utilizes a wide range of techniques to carry out its cyberattacks. The attack chain can vary depending on the specific target and the type of information the group is trying to steal, but in general, these steps are common to many of the group's attacks.

The group's main targets

It is important to note that the Lazarus group is known to target organizations around the world, and that this list of countries is not exhaustive. The group's motivations may vary, but in general, they seek to obtain confidential and financial information for their own benefit or for political purposes. Companies and organizations should take steps to protect their networks and systems from cyberattacks, regardless of their geographic location.

Figure 2 - Target countries of the threat

Techniques used in attacks

Lazarus Group is known to use a variety of malware tools and hacking techniques in its attacks, including:

  • Backdoors - To maintain persistent access to compromised systems.
  • RATs (Remote Access Trojans) - To remotely control compromised systems.
  • Keyloggers - To steal login information and other sensitive information.
  • Banking malware - To steal financial information and perform fraudulent transfers.
  • Spear-phishing - To deliver its malware to targets.
  • Custom malware - Lazarus Group is known for creating its own custom malware, including the Destover malware used in the 2014 Sony Pictures attack.
  • Zero-days - The group is also known for using zero-day vulnerabilities in its attacks, which are software vulnerabilities unknown to, and not yet patched by, the vendor.

The group is highly sophisticated and constantly evolving, so it is likely that the group is using new tools and techniques that have not yet been identified by security researchers.

TTPs - MITRE ATT&CK

| Tactics | Technique | Details |
| --- | --- | --- |
| Defense Evasion, Privilege Escalation | T1134 | The Lazarus Group keylogger, KiloAlfa, obtains user tokens from interactive sessions to execute itself, via the API call CreateProcessAsUserA, under the context of that user. |
| Discovery | T1087 | Queried the compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts. |
| Persistence | T1098 | The Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator's account. |
| Resource Development | T1583 | Acquired domains related to their campaigns to act as distribution points and C2 channels. |
| Credential Access, Collection | T1557 | Ran Responder using the command `[Responder file path] -i [IP address] -rPv` on a compromised host to collect credentials and move laterally. |
| Command and Control | T1071 | Conducted C2 over HTTP and HTTPS. |
| Collection | T1560 | Compressed exfiltrated data with RAR and used the RomeoDelta malware to archive specific directories in .zip format, encrypt the .zip file and send it to C2. |
| Persistence, Privilege Escalation | T1547 | Maintained persistence by loading malicious code into a startup folder or adding a registry key. |
| Credential Access | T1110 | Lazarus Group malware attempts to connect to Windows shares for lateral movement using a generated list of usernames, focused on permutations of the Administrator username, together with weak passwords. |
| Execution | T1059 | Used PowerShell to execute malicious commands and code. |
| Persistence, Privilege Escalation | T1543 | Several Lazarus Group malware families install themselves as new services. |
| Impact | T1485 | Used a customized secure-delete function to overwrite file contents with data from heap memory. |
| Collection | T1005 | Collected data and files from compromised networks. |
| Command and Control | T1001 | Uses a unique form of communication encryption known as FakeTLS, which mimics TLS but uses a different encryption method, potentially evading inspection/decryption of SSL traffic. |
| Defense Evasion | T1140 | Used shellcode within macros to manually decrypt and map DLLs and shellcode into memory at runtime. |
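Three of the techniques in the table (T1543 new service installation, T1059 PowerShell execution and T1110 brute force against Windows shares) leave traces in standard Windows event logs. The script below, an added example that is not ISH Technology's code, shows one detection rule for each, run over a handful of constructed event records. The records are simplified dictionaries whose field names mimic Windows System/Security event fields (event IDs 7045, 4688 and 4625); every host name, path, user name and IP address in them is invented for the demonstration, and the thresholds and path patterns are assumptions to tune for your environment.

```python
"""Detection rules for three ATT&CK techniques attributed to Lazarus Group.

Added example, not ISH Technology's code. The events below are constructed
records in a simplified dict form; field names mimic Windows event fields.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    # T1543 candidates: System log 7045 (a service was installed).
    {"id": 7045, "host": "WS01", "ServiceName": "WinUpdSvc",
     "ImagePath": r"C:\Users\Public\sysnetd.exe"},                # user-writable path
    {"id": 7045, "host": "WS01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},            # normal system path
    # T1059 candidates: Security 4688 (process creation with command line auditing).
    {"id": 4688, "host": "WS01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # base64 of 'ABC' (UTF-16LE)
    {"id": 4688, "host": "WS01",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
] + [
    # T1110 candidates: Security 4625 (failed logon), network logon type 3,
    # many Administrator-like names from one source address.
    {"id": 4625, "host": "FS01", "TargetUserName": u, "IpAddress": "10.0.0.5", "LogonType": 3}
    for u in ["Administrator", "administrator", "Admin", "ADMINISTRATOR", "admin1", "Administrador"]
] + [
    {"id": 4625, "host": "FS01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.9", "LogonType": 3},
]

# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...);
# '-e' followed by anything other than c/n (e.g. -ExecutionPolicy, -ep) is not matched.
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s", re.I)


def detect_new_service(events):
    """T1543: 7045 service installs whose binary lives in a user-writable directory."""
    return [e["ServiceName"] for e in events
            if e["id"] == 7045 and USER_WRITABLE.search(e["ImagePath"])]


def detect_encoded_powershell(events):
    """T1059: 4688 process creation of PowerShell carrying an encoded command."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        is_ps = e["NewProcessName"].lower().endswith(("powershell.exe", "pwsh.exe"))
        if is_ps and ENCODED_PS.search(e["CommandLine"]):
            hits.append(e["CommandLine"])
    return hits


def detect_admin_spray(events, threshold=5):
    """T1110: at least `threshold` distinct admin-like usernames failing a network logon
    from the same source address (the Administrator-permutation pattern from the table)."""
    per_source = defaultdict(set)
    for e in events:
        if e["id"] == 4625 and e["LogonType"] == 3 and e["TargetUserName"].lower().startswith("admin"):
            per_source[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in per_source.items() if len(users) >= threshold}


def run_all(events):
    """Run every rule and return the hits keyed by ATT&CK technique ID."""
    return {
        "T1543": detect_new_service(events),
        "T1059": detect_encoded_powershell(events),
        "T1110": detect_admin_spray(events),
    }


if __name__ == "__main__":
    for technique, hits in run_all(SAMPLE_EVENTS).items():
        print(technique, hits)
```

Each rule returns its matches rather than only printing them, so the same functions can be fed events parsed from an EVTX export or a SIEM query and the results forwarded to a ticketing or alerting pipeline.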

Indicators of Compromise (IoCs)

ISH Technology handles several indicators of compromise collected through open sources, closed sources and analysis performed by the Heimdall security team. Accordingly, we list below all Indicators of Compromise (IoCs) related to the analysis of the artifact(s) in this report.

Indicators of compromise of the malicious/analyzed artifacts

md5: aac5a52b939f3fe792726a13ff7a1747
sha1: f6760fb1f8b019af2304ea6410001b63a1809f1d
sha256: cc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a
File name: sysnetd

md5: 2ff1688fe866ec2871169197f9d46936
sha1: 6dc37ff32ea70cbd0078f1881a351a0a4748d10e
sha256: b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9
File name: 524100.exe

md5: 38fc56965dccd18f39f8a945f6ebc439
sha1: 50736517491396015afdf1239017b9abd16a3ce9
sha256: 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11
File name: sdchange.exe

md5: 5c0c1b4c3b1cfd455ac05ace994aed4b
sha1: 69cda1f1adeeed455b519f9cf188e7787b5efa07
sha256: 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520
File name: provthrd.dll

md5: d2da675a8adfef9d0c146154084fff62
sha1: c55d080ea24e542397bbbfa00edc6402ec1c902c
sha256: f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03
File name: d2da675a8adfef9d0c146154084fff62.virus

md5: f315be41d9765d69ad60f0b4d29e4300
sha1: f60c2bd78436a14e35a7e85feccb319d3cc040eb
sha256: fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5
File name: xwtpdui.dll

md5: 37505b6ff02a679e70885ccd60c13f3b
sha1: 6402fafa0864460fea18a83ec4885bfe179734b2
sha256: 2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df
File name: Binance_Guide (1).doc

Distribution URLs and C2 IP addresses:

109[.]248[.]150[.]13
192[.]186[.]183[.]133
54[.]68[.]42[.]4
84[.]38[.]133[.]145
104[.]155[.]149[.]103
40[.]121[.]90[.]194
185[.]29[.]8[.]162
46[.]183[.]221[.]109

Note: The IP addresses listed above may still be active. Handle these IoCs with care: do not browse to them, or you risk becoming a victim of the malicious content hosted there.
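The IoCs above are published defanged (the `[.]` notation) and as bare hashes. The script below, an added example that is not ISH Technology's tooling, shows the two checks a defender typically runs with such a list: refanging the indicators, then matching file hashes from a directory and destination IPs from a proxy or firewall log against them. The md5/sha256 values and IP addresses are copied from this report; the log lines, the file contents and the "planted" artifact (whose hash is added to the set only to show what a hit looks like) are constructed for the demonstration.

```python
"""Match local artifacts and log lines against the IoCs published in this report.

Added example, not ISH Technology's tooling. Hashes and IPs are copied from the
report; the sample log lines and files are constructed for the demonstration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# File hashes from the report (md5 and sha256), as lower-case hex.
IOC_HASHES = {
    "md5": {
        "aac5a52b939f3fe792726a13ff7a1747",  # sysnetd
        "2ff1688fe866ec2871169197f9d46936",  # 524100.exe
        "38fc56965dccd18f39f8a945f6ebc439",  # sdchange.exe
        "5c0c1b4c3b1cfd455ac05ace994aed4b",  # provthrd.dll
        "d2da675a8adfef9d0c146154084fff62",  # d2da675a8adfef9d0c146154084fff62.virus
        "f315be41d9765d69ad60f0b4d29e4300",  # xwtpdui.dll
        "37505b6ff02a679e70885ccd60c13f3b",  # Binance_Guide (1).doc
    },
    "sha256": {
        "cc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a",
        "b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9",
        "32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11",
        "8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520",
        "f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03",
        "fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5",
        "2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df",
    },
}

# C2 addresses from the report, defanged exactly as published.
DEFANGED_IPS = """
109[.]248[.]150[.]13
192[.]186[.]183[.]133
54[.]68[.]42[.]4
84[.]38[.]133[.]145
104[.]155[.]149[.]103
40[.]121[.]90[.]194
185[.]29[.]8[.]162
46[.]183[.]221[.]109
"""

# Constructed firewall log lines; 10.0.0.0/8 and 203.0.113.0/24 are private/documentation ranges.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "2024-01-01T10:00:07Z src=10.0.0.5 dst=109.248.150.13 dport=443 action=allow",
    "2024-01-01T10:00:09Z src=10.0.0.8 dst=10.0.0.1 dport=53 action=allow",
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator):
    """Turn a defanged indicator ('1[.]2[.]3[.]4', 'hxxp://') back into its real form."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def load_ip_iocs(text):
    """Parse one defanged IP per line into a set of real addresses (duplicates collapse)."""
    return {refang(line.strip()) for line in text.splitlines() if line.strip()}


def hash_file(path):
    """Stream a file once and return its md5 and sha256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def scan_files(paths, hashes=IOC_HASHES):
    """Return (path, algorithm, digest) for every file whose digest is in the IoC set."""
    hits = []
    for p in paths:
        for algo, value in hash_file(p).items():
            if value in hashes.get(algo, ()):
                hits.append((str(p), algo, value))
    return hits


def scan_log(lines, ip_iocs):
    """Return (line_number, ip) for every log line mentioning a listed C2 address."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IPV4_RE.findall(line) if ip in ip_iocs]


def demo():
    """Run both checks on constructed inputs; returns (file_hits, log_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"constructed benign content")
        planted = Path(tmp) / "planted.bin"            # constructed stand-in for a known-bad file
        planted.write_bytes(b"constructed sample artifact")
        hashes = {"md5": IOC_HASHES["md5"],
                  "sha256": IOC_HASHES["sha256"] | {hash_file(planted)["sha256"]}}
        file_hits = scan_files([benign, planted], hashes)
    log_hits = scan_log(SAMPLE_LOG, load_ip_iocs(DEFANGED_IPS))
    return file_hits, log_hits


if __name__ == "__main__":
    print(demo())
```

Hashing streams the file in chunks so large samples do not have to fit in memory, and the IP match works on whatever the regex extracts, so the same `scan_log` runs over proxy, DNS-resolver or NetFlow exports without knowing their column layout.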

How to protect yourself from Lazarus Group

In addition to blocking the indicators of compromise listed above, measures can be taken to mitigate the threat, such as:

  • Keep software up to date - Make sure all your operating systems, applications and programs are on the latest versions and regularly apply the security updates made available by vendors. This patches known vulnerabilities and reduces the attack surface.
  • Use a reliable antivirus solution - Install and keep updated robust antivirus software on all your devices. This helps detect and remove malware, including the malware used by Lazarus Group.
  • Strengthen passwords - Use strong, unique passwords for all your accounts and avoid reusing them. Consider using a password manager to help store and protect your credentials.
  • Be aware of phishing - Lazarus Group often uses phishing emails to distribute malware, so be careful when opening attachments or clicking on links in suspicious emails. Always verify the authenticity of a sender before providing sensitive information.
  • Use two-factor authentication (2FA) - Enable two-factor authentication wherever possible; it adds an extra layer of security by requiring a second form of authentication in addition to the password, such as a code sent to your mobile device.
  • Back up regularly - Perform periodic backups of your important data and make sure they are stored in secure locations out of reach of attackers. This minimizes the damage caused by ransomware attacks or data loss.
  • Educate users - Train yourself and your staff in cybersecurity best practices, such as recognizing the signs of a phishing attack, avoiding downloading suspicious files and staying cautious when browsing the internet.
  • Monitor suspicious activity - Watch for any unusual activity on your systems, such as abnormal behavior or suspicious network traffic, and use monitoring and intrusion detection tools to identify potential compromises.
  • Establish a security policy - Implement clear and strict security policies in your organization, including restrictions on access to sensitive information, rules for the use of personal devices and guidelines for handling security incidents.
