The Lazarus Group is a cyber-offensive wing of North Korean origin, either state-sponsored or otherwise. The group is notorious and has long been under the scanner of the US FBI and the US Treasury Department. It is known to bring together hackers from the highest ranks of the black-hat community who deliberately target cryptocurrency exchanges, government entities, critical infrastructure, DeFi protocols and play-to-earn games, in addition to any other lucrative institutions. The targets are not only individual users but also state-owned entities. The group has also been reported to have been scanning Indian infrastructure since 2020 to exploit vulnerable government enterprises.
India has also been a victim of this group in many reported incidents in the past. In the shadow of the group’s global attacks, namely the Sony Pictures hack of 2014 and the million-dollar Bangladesh Bank heist of 2016, researchers identified during their detailed probing a number of compromised servers being used as part of the threat actor’s global command-and-control infrastructure in Indonesia, India, Bangladesh, Malaysia, Vietnam, South Korea, Taiwan and Thailand, among others.
In August/September 2019, the Lazarus Group was also reported to have targeted the administrative network of the Kudankulam Nuclear Power Plant through a malware infection. Authorities from the Nuclear Power Corporation of India Limited (NPCIL) then admitted that the malware may have originated from the Lazarus Group. The attackers used malware called DTrack, a tool commonly employed by the Lazarus Group. The fact that the intrusion was found accidentally could mean the hackers didn’t want to make their presence known. It is unclear whether any information was stolen during the Kudankulam Nuclear Power Plant intrusion. Yet the penetration itself had been speculated on by NTRO even before the attack, and in the subsequent incident response CERT-In confirmed the intrusion attempt and its attribution to the Lazarus Group.
Reports from the US Government machinery have confirmed the newer, refreshed crypto-hacking capabilities of the Lazarus Group. Most recently, the US Government highlighted the hack of the Ronin Bridge (Axie Infinity), undertaken by the group in March 2022. The Ronin bridge, used for the popular crypto game Axie Infinity, was completely halted after the security breach was discovered, almost a week after it took place. Approximately $625 million worth of cryptocurrency was stolen from Ronin (which is also the blockchain platform that powers Axie Infinity). Blockchain bridges are connectors that allow different chains and web3 products to interact with each other. The attack was focused on the bridge between Axie Infinity and Ronin, which is why the bridge was disconnected. However, the developers have said that the “axie” tokens, which are used to play Axie Infinity, haven’t been compromised. The SLP and AXS currencies used in the game are safe as well, according to the devs (the service provider).
A thorough investigation was launched by US Government agencies, including the FBI, and it revealed that the Lazarus Group had been carrying out continued surveillance, or recce, of the setup and that its primary intent was to swap the money being used on the gaming platform. The bridge used for payments relied on Ethereum tokens, and the hack was able to pull out all the buffer money still available on the bridge while the hack was in progress. The joint statement from the two US institutions (FBI and US Treasury Department) describes the process as follows:
- an incentive to download “trojanized” crypto apps of authentic appearance, which the US government calls “TraderTraitor”;
- taking control of the victim’s computer;
- distribution of malicious software;
- theft of private keys.
The US has also warned countries including India that the enhanced and refreshed capabilities acquired by the Lazarus Group can also be used to hack email addresses and social media accounts. Users in India are therefore advised to resort to the good old practice of changing their passwords (with adequate strength) on banking accounts, email, etc., and not to skimp on the use of multifactor authentication where possible. Enterprises are also warned to enhance their security posture, especially in the critical infrastructure sector. The targets in India that may be under surveillance by the Lazarus Group include ATMs, banking infrastructure, railway networks, financial-sector systems such as UPI and NPCI, the power grid, etc.
Additional Details of the Lazarus Group from the MITRE ATT&CK Database (Source: https://attack.mitre.org/groups/G0032/)
Associated Group Descriptions
Name | Description |
HIDDEN COBRA | The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. |
Guardians of Peace | |
ZINC | |
NICKEL ACADEMY | |
Techniques Used
Domain | ID | Name | Use |
Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user’s context. |
Enterprise | T1098 | Account Manipulation | Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account. |
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Lazarus Group has acquired infrastructure related to their campaigns to act as distribution points and C2 channels. |
Enterprise | T1583.006 | Acquire Infrastructure: Web Services | Lazarus Group has hosted malicious downloads on Github. |
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Lazarus Group malware has conducted C2 over HTTP and HTTPS. |
Enterprise | T1010 | Application Window Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KiloAlfa keylogger also reports the title of the window in the foreground. |
Enterprise | T1560 | Archive Collected Data | Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. |
Enterprise | T1560.002 | Archive via Library | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. |
Enterprise | T1560.003 | Archive via Custom Method | A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration. |
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key. |
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder. |
Enterprise | T1110.003 | Brute Force: Password Spraying | Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords. |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Lazarus Group malware uses cmd.exe to execute commands on victims. A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system. |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Several Lazarus Group malware families install themselves as new services on victims. |
Enterprise | T1485 | Data Destruction | Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory. |
Enterprise | T1132.001 | Data Encoding: Standard Encoding | A Lazarus Group malware sample encodes data with base64. |
Enterprise | T1005 | Data from Local System | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim’s machine, then archives and encrypts the directories before uploading to its C2 server. |
Enterprise | T1001.003 | Data Obfuscation: Protocol Impersonation | Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption. |
Enterprise | T1074.001 | Data Staged: Local Data Staging | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server. |
Enterprise | T1491.001 | Defacement: Internal Defacement | Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe. |
Enterprise | T1587.001 | Develop Capabilities: Malware | Lazarus Group has developed several custom malware for use in operations. |
Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory. |
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim’s machine and has possessed MBR wiper malware since at least 2009. |
Enterprise | T1189 | Drive-by Compromise | Lazarus Group delivered RATANKBA to victims via a compromised legitimate website. |
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. |
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims. |
Enterprise | T1041 | Exfiltration Over C2 Channel | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also performs exfiltration over the C2 channel. |
Enterprise | T1203 | Exploitation for Client Execution | Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution. |
Enterprise | T1008 | Fallback Channels | Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again. |
Enterprise | T1083 | File and Directory Discovery | Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives. |
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application. |
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services. |
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. |
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Lazarus Group malware deletes files in various ways, including “suicide scripts” to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim. |
Enterprise | T1070.006 | Indicator Removal on Host: Timestomp | Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files. |
Enterprise | T1105 | Ingress Tool Transfer | Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server. |
Enterprise | T1056.001 | Input Capture: Keylogging | Lazarus Group malware KiloAlfa contains keylogging functionality. |
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Lazarus Group has renamed the TAINTEDSCRIBE main executable to disguise itself as Microsoft’s narrator. |
Enterprise | T1571 | Non-Standard Port | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches. |
Enterprise | T1027 | Obfuscated Files or Information | Lazarus Group malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques. |
Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates | Lazarus Group has obtained SSL certificates for their C2 domains. |
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents. |
Enterprise | T1542.003 | Pre-OS Boot: Bootkit | Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down. |
Enterprise | T1057 | Process Discovery | Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times. |
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | A Lazarus Group malware sample performs reflective DLL injection. |
Enterprise | T1090.002 | Proxy: External Proxy | Lazarus Group uses multiple proxies to obfuscate network traffic from victims. |
Enterprise | T1012 | Query Registry | Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnywhere, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt. |
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Lazarus Group malware SierraCharlie uses RDP for propagation. |
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement. |
Enterprise | T1489 | Service Stop | Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users. |
Enterprise | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | Lazarus Group has used CHM files to move concealed payloads. |
Enterprise | T1082 | System Information Discovery | Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server. |
Enterprise | T1016 | System Network Configuration Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available. |
Enterprise | T1033 | System Owner/User Discovery | Various Lazarus Group malware enumerates logged-on users. |
Enterprise | T1529 | System Shutdown/Reboot | Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems. |
Enterprise | T1124 | System Time Discovery | A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server. |
Enterprise | T1204.002 | User Execution: Malicious File | Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email. |
Enterprise | T1047 | Windows Management Instrumentation | Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement. |
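An added detection example, not part of the original article or of the MITRE data: it flags the T1110.003 behaviour listed above, where one source makes failed network logons against many permutations of the username Administrator in a short time. The event tuple layout, the username pattern, the thresholds and the sample records are constructed assumptions; 4625 is the Windows failed-logon event ID and logon type 3 is a network logon.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, target_user).
# Modelled on Windows Security log fields; not real telemetry.
SAMPLE_EVENTS = [
    ("2022-04-20T02:10:01", 4625, 3, "10.0.5.23", "Administrator"),
    ("2022-04-20T02:10:03", 4625, 3, "10.0.5.23", "Admin"),
    ("2022-04-20T02:10:05", 4625, 3, "10.0.5.23", "Administrator1"),
    ("2022-04-20T02:10:09", 4625, 3, "10.0.5.23", "adm1n"),
    ("2022-04-20T02:10:12", 4624, 3, "10.0.5.23", "Administrator"),  # success, not counted
    ("2022-04-20T09:00:00", 4625, 3, "10.0.5.40", "jsmith"),         # ordinary typo
    ("2022-04-20T09:00:20", 4625, 3, "10.0.5.40", "Administrator"),
    ("2022-04-20T01:00:00", 4625, 3, "10.0.5.77", "admin"),          # slow, hours apart
    ("2022-04-20T03:00:00", 4625, 3, "10.0.5.77", "Administrator"),
    ("2022-04-20T05:00:00", 4625, 3, "10.0.5.77", "admin2"),
    ("2022-04-20T07:00:00", 4625, 3, "10.0.5.77", "sysadmin"),
]

# Assumed pattern for "permutations of Administrator" (admin, adm1n, Administrator1, ...).
ADMIN_LIKE = re.compile(r"adm[i1]n", re.IGNORECASE)


def find_admin_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: sorted usernames} for sources whose failed network
    logons hit at least min_users distinct admin-like names inside window."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if event_id == 4625 and logon_type == 3 and ADMIN_LIKE.search(user):
            by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    hits = {}
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the left edge so the span never exceeds the time window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users | set(hits.get(src, [])))
    return hits


if __name__ == "__main__":
    for source, names in find_admin_spray(SAMPLE_EVENTS).items():
        print(f"possible password spraying from {source}: {', '.join(names)}")
```

Widening `window` surfaces the slow source (10.0.5.77) that the default setting leaves out, at the cost of more false positives.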
Software
Note: MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behaviour, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.