In this paper we summarize the crucial links that played a role in these major cases. There are several static features that vary between the instances: dynamic Windows API resolution and the obfuscation of procedure and library names, the form of self-deleting batch files, the list of domains leveraged for fake TLS communication, the format strings included in TCP backdoors, the use of commercial packers, etc. The variety is so huge that it suggests that the Lazarus group may be split into multiple, independent, code-sharing cells. Our research investigates this idea further by exploring the undocumented PE Rich Header metadata, which once again indicates that there are various development environments producing the malicious binaries.
There are also several binaries from the Lazarus toolset that have not been publicly reported. Our study of these samples adds some interesting findings to the Lazarus puzzle: the very first iteration of WannaCryptor from , in-the-wild experimentation with the malicious Java downloaders targeting multiple platforms, the use of a custom malware packer, and the presence of strange artifacts like Chinese language or South Korean cultural references.
This paper will present previously unpublished details about the cyber-sabotage attack against an online casino in Central America from late , and we will reveal the modus operandi of the Lazarus cell that was behind that attack. The activity of Lazarus toolset components can be traced back as far as . Several typical Lazarus backdoors were uploaded to VirusTotal that year, e.g. The first mention of Lazarus at a Virus Bulletin conference was also in , when Bartholomew and Guerrero-Saade of Kaspersky Lab described the pseudo-hacktivism tendencies of two famous Lazarus attacks [3].
Since , especially after the WannaCryptor outbreak, the number of Lazarus-related reports has proliferated. In this paper, we summarize the crucial fingerprints that led malware researchers to attribute the famous cases to the group, and discuss the main characteristics that have helped us to ascribe further samples to the group.
Finally, we show six suspected Lazarus-related cases that we believe are not widely known.

Lazarus Group first came into the spotlight in , when reports about two of their campaigns in South Korea were published for the first time. The long-term campaign called Operation Troy was a cyber espionage operation against South Korean armed forces and government targets, and ran between the years and . The second of these campaigns, called DarkSeoul, occurred in and mainly targeted the South Korean financial sector.
Binaries involved in these operations often preserved symbol paths; details can be found in [5, 6].
Sony Pictures Entertainment went through a very tough period in , when the company was the victim of one of the most destructive cyber attacks against a commercial entity to date. The attack caused major damage to the company, and many of its internal files and documents were stolen, leaked or deleted.
The new attacks were tied to Lazarus by the re-use of self-deleting batch files, format strings in the TCP backdoors, dynamic API loading routines, obfuscation of function names, and the use of fake TLS communications. Claims of similarity between this and Operation Blockbuster were based on many relatively weak details, with the characteristics of self-deleting batch files and shared code chunks being the most relevant [12]. Hot news about successful attacks against Polish banks appeared in February on the Polish security portal ZaufanaTrzeciaStrona.
The link to the Lazarus Group was made through a part of the self-deleting batch files, through the encrypted strings involved in the dynamic API loading routines (Table 1), which were all shared with earlier Lazarus spreading tools, and through the fact that a victim reported the presence of an already Lazarus-attributed file. The threat was distributed via a watering hole attack, wherein a trusted but compromised website redirected to a landing page booby-trapped with a non-zero-day exploit. We presented our findings relating to the technical details of the until-then minimally documented malware on WeLiveSecurity [17].
Another interesting discovery in this case was a backdoor with an unusual feature in how it parsed commands from operators.
FASTCash: How the Lazarus Group is Emptying Millions from ATMs | Symantec Blogs
The operators were using commands in Russian, presented in a translit — a method of encoding Cyrillic letters into Latin ones. This language choice is considered a false flag for various reasons. One is that malware authors usually implement commands via numbers or English shortcuts.
On 12 May much of the world was shaken when the Lazarus Group launched its large-scale ransomware cyber attack, WannaCryptor (aka WannaCry, WCrypt). The malware was spread using an exploit called EternalBlue that had been made public a month prior to the attack. While Microsoft had released a patch for the exploit nearly two months before the attack, many systems remained unpatched, and that, essentially, was the reason the outbreak was so huge. The damages caused by the attack were enormous and had real-life consequences all around the world, disrupting many crucial systems and services including many hospitals in the United Kingdom.
The incident has been covered countless times, e. WannaCryptor had a longer evolution than originally thought. Just a few weeks before the outbreak, an almost identical ransomware executable was spread via SMB brute-forcing, but it had minimal impact and therefore stayed under the radar. The in-the-wild name of a dropper encapsulating that earlier variant was usually taskhcst. Even earlier that year, on 10 February, a dropper called taskschs. It contained a ransom payload named taskmsgr. It highlighted similarities in two files: the beta version of WannaCryptor and an older Lazarus backdoor from , the two sharing unique hexadecimal strings in their code sections.
In late , the Lazarus Group launched various cryptocurrency attacks that stole bitcoin from many South Korean users and also eventually hacked and bankrupted a South Korean cryptocurrency exchange [22]. The overall picture of the Lazarus modus operandi remained the same: decoy documents in Korean and the payload being executed in a cascade with multiple stages, the final one being a backdoor supporting several commands.
In early , another bitcoin-stealing campaign called HaoBao was disclosed [24]. However, there were no obvious static links present in the implants and they were compiled with Visual Studio . From our point of view, that places this campaign off-centre from the usual modus operandi. In March , McAfee reported the reappearance of the Bankshot implant, a spear-phishing campaign against Turkish financial institutions [25]. The malware was an HTTP backdoor supporting 27 commands.
The attribution of this toolkit was immediate, based on its overall functionality. More details about related attacks can be found in [26, 27, 28]. We have collected a list of the main characteristics that can be used to identify a sample from the Lazarus toolset. Besides the characteristics described in the following subsections, the samples were double-checked for additional signs that could link them to the Lazarus toolset, e.g. Figure 1 shows a typical initial stage of a multi-staged Lazarus malware attack (the property of being multi-staged is the invisible (1)): a console application accepting several parameters (2) that has its Windows APIs resolved at the start (3) and drops the additional stages from the resources (4) using an RC4-like stream cipher (Spritz).
Figure 1: Decompiled pseudo-code of the dropper from the Polish bank attacks.
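The RC4-like stream cipher named above, Spritz, written out as an added analysis helper for decrypting a stage extracted from such a dropper's resources; this is not code from the paper or from any Lazarus sample, the key names and the `xor` switch are assumptions, and the combiner follows the published specification (additive), which a given sample need not match.

```python
# Spritz (Rivest & Schuldt, 2014) with N = 256: an analysis helper to decrypt a resource
# that a dropper protects with this RC4-like cipher. Added example, not the paper's code.
# Uses the spec's additive combiner; check the decompiled routine, a sample may use XOR.
N = 256


class Spritz:
    def __init__(self, key: bytes):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w, self.s = 1, list(range(N))
        for b in key:  # Absorb(key): low nibble first, then high nibble
            self._absorb_nibble(b & 0x0F)
            self._absorb_nibble(b >> 4)
    def _absorb_nibble(self, x: int):
        if self.a == N // 2:
            self._shuffle()
        self.s[self.a], self.s[N // 2 + x] = self.s[N // 2 + x], self.s[self.a]
        self.a += 1
    def _shuffle(self):  # Whip, Crush, Whip, Crush, Whip, then reset the absorb counter
        for step in range(5):
            self._whip(2 * N) if step % 2 == 0 else self._crush()
        self.a = 0
    def _whip(self, r: int):
        for _ in range(r):
            self._update()
        self.w += 2  # next w coprime to N; for N = 256 that is simply the next odd number
    def _crush(self):
        for v in range(N // 2):
            if self.s[v] > self.s[N - 1 - v]:
                self.s[v], self.s[N - 1 - v] = self.s[N - 1 - v], self.s[v]
    def _update(self):
        self.i = (self.i + self.w) % N
        self.j = (self.k + self.s[(self.j + self.s[self.i]) % N]) % N
        self.k = (self.i + self.k + self.s[self.j]) % N
        self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
    def keystream(self, n: int) -> bytes:  # Squeeze(n): n Drip() outputs
        out = bytearray()
        for _ in range(n):
            if self.a > 0:  # pending absorbed key material is shuffled in first
                self._shuffle()
            self._update()
            self.z = self.s[(self.j + self.s[(self.i + self.s[(self.z + self.k) % N]) % N]) % N]
            out.append(self.z)
        return bytes(out)


def spritz_decrypt(key: bytes, blob: bytes, xor: bool = False) -> bytes:
    # Recover a dropped stage; with the right key a PE stage starts with b"MZ".
    ks = Spritz(key).keystream(len(blob))
    return bytes(((c ^ z) if xor else (c - z) % N) for c, z in zip(blob, ks))
```

The key for a real resource is recovered from the dropper itself (the decompiled decryption routine in Figure 1), and a decrypted blob beginning with "MZ" confirms it.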
The technique is very typical and has already been described [2, p. The table is not complete, e.g. In those cases, the variation of the decryption keys led to many different types that would make the table unreadable. A relatively simple TCP backdoor supporting tens of commands is another of the chord-striking traits of Lazarus malware. The commands are usually indexed by consecutive integers.
One of them is an execution in the command line (see Figure 2), where the action is basically the execution of the console command cmd. We have found a number of methods the Lazarus Group uses to format the string; these are shown in Appendix B. Occasionally, the formatting of the console command cmd.

Figure 2: The commands of a backdoor indexed by integers.

TLS protocol spoofing has been observed several times as a way to increase the stealthiness of malicious network communication.

How the attackers gain control of these accounts remains unclear.
It is possible the attackers are opening the accounts themselves and making withdrawal requests with cards issued to those accounts. Another possibility is the attackers are using stolen cards to perform the attacks. In all reported FASTCash attacks to date, the attackers have compromised banking application servers running unsupported versions of the AIX operating system, beyond the end of their service pack support dates.
Lazarus is a very active group involved in both cyber crime and espionage.
Lazarus was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks, including the attack on Sony Pictures that saw large amounts of information being stolen and computers wiped by malware. In recent years, Lazarus has also become involved in financially motivated attacks.
Lazarus was also linked to the WannaCry ransomware outbreak in May . Within hours of its release, WannaCry had infected hundreds of thousands of computers worldwide. The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities. As with the series of virtual bank heists, including the Bangladesh Bank heist, FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks.
In short, Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured. Organizations should ensure that operating systems and all other software are up to date.
Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers. The Attack Investigation Team is a group of security experts within Symantec Security Response whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis which helps customers respond to attacks.
Security Response Attack Investigation Team.