Lexfo: Lazarus is a North Korea’s APT involved in many acts of cyber warfare: from cyber terrorism and vandalism to the destruction of data and / or distributed denial of service
Lazarus North Korea’s hackers are one of the top APTs, involved in many acts of cyber warfare: from cyber terrorism and vandalism to the destruction of data and / or distributed denial of service. Lexfo cyber security experts analyzed in depth the group’s galaxy: malware, motives, subgroups, and detection and mitigation, through their techniques, tactics, procedures (TTPs). The targets are very disparate, as the ATP has very diverse motives: intelligence, financial gains and disruption. Lazarus and its subgroups have been focusing on attacking governments, financial institutions, defense industry actors, IT and videogame companies. Geographically, most targets are located in South Korea and in South America.
The malicious hackers TTPs
Lazarus is well-funded and able to discretely maintain persistence in networks for years. The North Kore’s hackers adapt very fast, fighting against forensic investigators in real-time by repacking malware, erasing files or modifying encryption keys and algorithms in less than an hour after being discovered. Furthermore, they have been leveraging many 0day vulnerabilities they bought or developed on their own throughout the years. Cyber security experts believe that inside the APT’s galaxy, the Bluenoroff subgroup is supposedly in charge of financing the whole ecosystem through big money heists. Moreover, Pyongyang hackers are able to quickly develop custom malware for each target. They have also been seen using malware from other criminal groups, particularly ransomware, to make attribution harder and cover their tracks. Recently, a new specific malware toolset was used by Lazarus in different attacks.
The cyber security experts revealed that the group has some recurring patterns in the way it operates
Lexfo, however, revealed that Lazarus has some recurring patterns in the way the group operates. These patterns have not changed much since their first attacks.
- Intrusion through spear phishing, watering hole, bruteforce or web vulnerabilities Network discovery using custom or publicly-available tools;
- Gathering credentials through Mimikatz-like tools and keyloggers Lateral movements using custom or publicly-available tools Fulfilling the attack goal: stealing money and/or information;
- Covering tracks by wiping systems or infecting the victims with crimeware malware or ransomware.
The behaviour of the malware
Moreover, the North Korea APT’s malware usually have the following patterns:
- Command-line malware and tools,
- Designed to be run as Svchost services (for persistence) API are loaded dynamically.
Lazarus developers usually forget to strip the PDB path from compiled binaries, even when they disclose valuable information such as what the malware does, its goal, or even the developer’s name. Their malware often use a communication protocol that has been named “Fake TLS” for communications. It makes malicious packets look like legitimate TLS handshakes and communications might stay under the radar due to heavy TLS traffic on port 443. This protocol can be found in most of the North Korea’s hackers malicious code. It is however hard to detect with Snort and Suricata rules considering the huge stream of TLS/SSL packets to monitor, which explains why it has been consistently used for years by the attackers.
Detection and mitigation techniques
North Korean groups have been exploiting a lot of vulnerabilities, such as 0days and as 1days. Most exploits target Adobe Flash Player as well as the Hangul Word Processor, though groups like Andariel have also been seen finding and exploiting vulnerabilities in specific corporate software. In particular, Lazarus and its subgroups Andariel and Bluenoroff often rely on software vulnerabilities to infect their targets. So, it is necessary to make sure all exposed servers and their components are up-to-date and isolated from the internal networks of the organizations. Also is important auditing software used internally. Finally, to mitigate the lateral movements, log analysis is good. Especially, as Lazarus implants usually achieve persistent by installing services, event id 7045 and 4697 with the Service Start Type information set to SERVICE_AUTO_START must be closely monitored.