Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Lazarus Group
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Lazarus Group
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.
ID: G0032
Associated Groups: Labyrinth Chollima, ZINC, NICKEL ACADEMY, Guardians of Peace, HIDDEN COBRA
Version: 3.1
Created: 31 May 2017
Last Modified: 23 Aug 2022

Associated Group Descriptions
Name Description
Labyrinth Chollima (Citation: CrowdStrike Labyrinth Chollima Feb 2022)
ZINC (Citation: Microsoft ZINC disruption Dec 2017)
NICKEL ACADEMY (Citation: Secureworks NICKEL ACADEMY Dec 2017)
Guardians of Peace (Citation: US-CERT HIDDEN COBRA June 2017)
HIDDEN COBRA The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)

Techniques Used
Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)
Enterprise T1087 .002 Account Discovery: Domain Account

Lazarus Group has queried an active directory server to obtain the list of accounts, including administrator accounts.(Citation: ESET Lazarus Jun 2020)
Enterprise T1583 .001 Acquire Infrastructure: Domains

Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.(Citation: CISA AppleJeus Feb 2021)(Citation: ESET Lazarus Jun 2020)(Citation: Google TAG Lazarus Jan 2021)
.004 Acquire Infrastructure: Server

Lazarus Group has acquired servers to host their malicious tools.(Citation: ESET Lazarus Jun 2020)

.006 Acquire Infrastructure: Web Services

Lazarus Group has hosted malicious downloads on Github and Dropbox.(Citation: CISA AppleJeus Feb 2021)(Citation: ClearSky Lazarus Aug 2020)

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Lazarus Group executed Responder using the command [Responder file path] -i [IP address] -rPv on a compromised host to harvest credentials and move laterally.(Citation: Kaspersky ThreatNeedle Feb 2021)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lazarus Group has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)
Enterprise T1560 .002 Archive Collected Data: Archive via Library

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)
.003 Archive Collected Data: Archive via Custom Method

A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee Lazarus Jul 2020)(Citation: Lazarus APT January 2022)
.005 Boot or Logon Autostart Execution: Security Support Provider

Lazarus Group has rebooted victim machines to establish persistence by installing a SSP DLL.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: ClearSky Lazarus Aug 2020)

Enterprise T1110 .003 Brute Force: Password Spraying

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lazarus Group has used PowerShell to execute commands and malicious code.(Citation: ESET Lazarus Jun 2020)(Citation: Google TAG Lazarus Jan 2021)
.001 Command and Scripting Interpreter: PowerShell

Lazarus Group has used Powershell to download malicious payloads.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

Lazarus Group malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: Qualys LolZarus) A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)

.005 Command and Scripting Interpreter: Visual Basic

Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.(Citation: McAfee Lazarus Jul 2020)(Citation: ClearSky Lazarus Aug 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

.005 Command and Scripting Interpreter: Visual Basic

Lazarus Group has used VBScript to gather information about a victim machine. (Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

Enterprise T1584 .001 Compromise Infrastructure: Domains

Lazarus Group has compromised legitimate domains, including those hosted in the US and Italy, for C2.(Citation: McAfee Lazarus Nov 2020)
.004 Compromise Infrastructure: Server

Lazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Several Lazarus Group malware families install themselves as new services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)
Enterprise T1132 .001 Data Encoding: Standard Encoding

A Lazarus Group malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018)
Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)
Enterprise T1074 .001 Data Staged: Local Data Staging

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)
Enterprise T1491 .001 Defacement: Internal Defacement

Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.(Citation: Novetta Blockbuster Destructive Malware)
Enterprise T1587 .001 Develop Capabilities: Malware

Lazarus Group has developed custom malware for use in their operations.(Citation: CISA AppleJeus Feb 2021)(Citation: ESET Lazarus Jun 2020)(Citation: Google TAG Lazarus Jan 2021)(Citation: ClearSky Lazarus Aug 2020)
Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware)
.002 Disk Wipe: Disk Structure Wipe

Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.(Citation: US-CERT SHARPKNOT June 2018)(Citation: Novetta Blockbuster)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: McAfee Lazarus Jul 2020)
Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Lazarus Group has created new LinkedIn and Twitter accounts to conduct social engineering against potential victims.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: Google TAG Lazarus Jan 2021)
.002 Establish Accounts: Email Accounts

Lazarus Group has created new email accounts for spearphishing operations.(Citation: ESET Lazarus Jun 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)
Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021)
Enterprise T1591 .004 Gather Victim Org Information: Identify Roles

Lazarus Group has targeted specific individuals within an organization with tailored job vacancy announcements.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Lazarus Group has replaced `win_fw.dll`, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.(Citation: ESET Twitter Ida Pro Nov 2021)
.013 Hijack Execution Flow: KernelCallbackTable

Lazarus Group has abused the KernelCallbackTable to hijack process control flow and execute shellcode.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018).

.004 Impair Defenses: Disable or Modify System Firewall

Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. (Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)

Enterprise T1070 .003 Indicator Removal: Clear Command History

Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.(Citation: Kaspersky ThreatNeedle Feb 2021)

.004 Indicator Removal: File Deletion

Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)

.006 Indicator Removal: Timestomp

Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee GhostSecret)

Enterprise T1056 .001 Input Capture: Keylogging

Lazarus Group malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)
Enterprise T1036 .003 Masquerading: Rename System Utilities

Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.(Citation: Qualys LolZarus)
.004 Masquerading: Masquerade Task or Service

Lazarus Group has used a scheduled task named `SRCheck` to mask the execution of a malicious .dll.(Citation: ESET Twitter Ida Pro Nov 2021)

.004 Masquerading: Masquerade Task or Service

A Lazarus Group custom backdoor implant included a custom PE loader named "Security Package" that was added into the lsass.exe process via registry key.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

.005 Masquerading: Match Legitimate Name or Location

Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)(Citation: ESET Lazarus Jun 2020)(Citation: Qualys LolZarus)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Lazarus Group leveraged Mimikatz to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.(Citation: Lazarus KillDisk) Lazarus Group has also used a custom version Mimikatz to capture credentials.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Lazarus Group has used Themida to pack at least two separate backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)
.002 Obfuscated Files or Information: Software Packing

Lazarus Group has used Themida to pack malicious DLLs and other files.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Nov 2020)

.007 Obfuscated Files or Information: Dynamic API Resolution

Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.(Citation: Lazarus APT January 2022)

Enterprise T1588 .002 Obtain Capabilities: Tool

Lazarus Group has obtained a variety of tools for their operations, including Responder, PuTTy PSCP, Wake-On-Lan, ChromePass, and dbxcli.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)
.003 Obtain Capabilities: Code Signing Certificates

Lazarus Group has used code signing certificates issued by Sectigo RSA for some of its malware and tools.(Citation: ESET Lazarus Jun 2020)

.004 Obtain Capabilities: Digital Certificates

Lazarus Group has obtained SSL certificates for their C2 domains.(Citation: CISA AppleJeus Feb 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: McAfee Lazarus Jul 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
.002 Phishing: Spearphishing Link

Lazarus Group has sent malicious links to victims via email.(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)

.003 Phishing: Spearphishing via Service

Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021)(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)

.003 Phishing: Spearphishing via Service

Lazarus Group has used fake job advertisements sent via LinkedIn to spearphish victims.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

A Lazarus Group malware sample performs reflective DLL injection.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022)
Enterprise T1090 .001 Proxy: Internal Proxy

Lazarus Group has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.(Citation: Kaspersky ThreatNeedle Feb 2021)
.002 Proxy: External Proxy

Lazarus Group has used multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Lazarus Group malware SierraCharlie uses RDP for propagation.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)
.002 Remote Services: SMB/Windows Admin Shares

Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)

.004 Remote Services: SSH

Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.(Citation: Kaspersky ThreatNeedle Feb 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Lazarus Group has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.(Citation: ESET Lazarus Jun 2020)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)
Enterprise T1593 .001 Search Open Websites/Domains: Social Media

Lazarus Group has used LinkedIn to identify and target specific employees within a chosen organization.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)
Enterprise T1608 .001 Stage Capabilities: Upload Malware

Lazarus Group has hosted malicious files on compromised as well as Lazarus Group-controlled servers.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Nov 2020)
.002 Stage Capabilities: Upload Tool

Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers.(Citation: ESET Lazarus Jun 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Lazarus Group has digitally signed malware and utilities to evade detection.(Citation: ESET Lazarus Jun 2020)(Citation: Lazarus APT January 2022)
Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Lazarus Group has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017)
.005 System Binary Proxy Execution: Mshta

Lazarus Group has used mshta.exe to run malicious scripts and download programs.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

.005 System Binary Proxy Execution: Mshta

Lazarus Group has used mshta.exe to execute HTML pages downloaded by initial access documents.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

.010 System Binary Proxy Execution: Regsvr32

Lazarus Group has used rgsvr32 to execute custom malware.(Citation: ESET Lazarus Jun 2020)

.011 System Binary Proxy Execution: Rundll32

Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: ESET Twitter Ida Pro Nov 2021)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.(Citation: ClearSky Lazarus Aug 2020)
Enterprise T1204 .001 User Execution: Malicious Link

Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)
.002 User Execution: Malicious File

Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)(Citation: ClearSky Lazarus Aug 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services.(Citation: ClearSky Lazarus Aug 2020)
Enterprise T1102 .002 Web Service: Bidirectional Communication

Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.(Citation: Lazarus APT January 2022)

Software
ID Name References Techniques
S0520 BLINDINGCAN (Citation: NHS UK BLINDINGCAN Aug 2020) (Citation: US-CERT BLINDINGCAN Aug 2020) System Information Discovery, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Data from Local System, Match Legitimate Name or Location, Standard Encoding, Obfuscated Files or Information, Code Signing, File Deletion, Software Packing, Exfiltration Over C2 Channel, System Network Configuration Discovery, Timestomp, Shared Modules, Malicious File, Rundll32, File and Directory Discovery, Spearphishing Attachment, Symmetric Cryptography, Deobfuscate/Decode Files or Information
S0238 Proxysvc (Citation: McAfee GhostSecret) Data from Local System, Web Protocols, Commonly Used Port, File Deletion, Automated Collection, Service Execution, File and Directory Discovery, System Information Discovery, Process Discovery, Exfiltration Over C2 Channel, Query Registry, System Network Configuration Discovery, System Time Discovery, Windows Command Shell, Data Destruction
S0678 Torisma (Citation: McAfee Lazarus Nov 2020) Obfuscated Files or Information, Native API, System Information Discovery, System Time Discovery, Exfiltration Over C2 Channel, Standard Encoding, Execution Guardrails, System Network Connections Discovery, Deobfuscate/Decode Files or Information, Software Packing, Symmetric Cryptography, Web Protocols, System Network Configuration Discovery
S0271 KEYMARBLE (Citation: US-CERT KEYMARBLE Aug 2018) System Network Configuration Discovery, Process Discovery, Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, Commonly Used Port, Screen Capture, Modify Registry, Symmetric Cryptography, File Deletion
S0665 ThreatNeedle (Citation: Kaspersky ThreatNeedle Feb 2021) Registry Run Keys / Startup Folder, Malicious File, Windows Service, Ingress Tool Transfer, System Information Discovery, File and Directory Discovery, Data from Local System, Obfuscated Files or Information, Modify Registry, Deobfuscate/Decode Files or Information, Spearphishing Attachment, Match Legitimate Name or Location
S0239 Bankshot (Citation: McAfee Bankshot) (Citation: Trojan Manuscript) Web Protocols, Data from Local System, File Deletion, File and Directory Discovery, Timestomp, Exploitation for Client Execution, Process Discovery, Deobfuscate/Decode Files or Information, System Information Discovery, Windows Service, Native API, Query Registry, Non-Standard Encoding, Automated Collection, Protocol Impersonation, Ingress Tool Transfer, Local Account, Domain Account, Modify Registry, Create Process with Token, Uncommonly Used Port, Windows Command Shell, Exfiltration Over C2 Channel, Indicator Removal, Non-Standard Port
S0347 AuditCred (Citation: Roptimizer) (Citation: TrendMicro Lazarus Nov 2018) File and Directory Discovery, Proxy, File Deletion, Process Injection, Ingress Tool Transfer, Windows Command Shell, Commonly Used Port, Deobfuscate/Decode Files or Information, Windows Service, Obfuscated Files or Information
S0497 Dacls (Citation: SentinelOne Lazarus macOS July 2020) (Citation: TrendMicro macOS Dacls May 2020) Ingress Tool Transfer, Web Protocols, Process Discovery, Launch Agent, Obfuscated Files or Information, Launch Daemon, Hidden Files and Directories, File and Directory Discovery, Masquerading
S0364 RawDisk (Citation: EldoS RawDisk ITpro) (Citation: Novetta Blockbuster Destructive Malware) (Citation: Novetta Blockbuster) Disk Structure Wipe, Disk Content Wipe, Data Destruction
S0376 HOPLIGHT (Citation: US-CERT HOPLIGHT Apr 2019) Modify Registry, Fallback Channels, Query Registry, Proxy, Non-Standard Port, Commonly Used Port, Pass the Hash, File and Directory Discovery, Security Account Manager, Windows Command Shell, Exfiltration Over C2 Channel, Standard Encoding, System Information Discovery, Service Execution, Ingress Tool Transfer, Windows Management Instrumentation, Uncommonly Used Port, Disable or Modify System Firewall, System Time Discovery, Process Injection
S0180 Volgmer (Citation: Symantec Volgmer Aug 2014) (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: US-CERT Volgmer Nov 2017) File and Directory Discovery, Uncommonly Used Port, Windows Service, Commonly Used Port, Query Registry, System Information Discovery, Custom Command and Control Protocol, Native API, Symmetric Cryptography, System Service Discovery, Ingress Tool Transfer, Process Discovery, System Network Configuration Discovery, Windows Command Shell, Asymmetric Cryptography, Modify Registry, Masquerade Task or Service, Obfuscated Files or Information, System Network Connections Discovery, File Deletion, Deobfuscate/Decode Files or Information
S0108 netsh (Citation: Novetta Blockbuster Loaders) (Citation: TechNet Netsh) Disable or Modify System Firewall, Netsh Helper DLL, Proxy, Security Software Discovery
S0366 WannaCry (Citation: FireEye APT38 Oct 2018) (Citation: FireEye WannaCry 2017) (Citation: LogRhythm WannaCry) (Citation: SecureWorks WannaCry Analysis) (Citation: US-CERT WannaCry 2017) (Citation: WanaCry) (Citation: WanaCrypt) (Citation: WanaCrypt0r) (Citation: Washington Post WannaCry 2017) (Citation: WCry) Exploitation of Remote Services, Service Stop, File and Directory Discovery, Peripheral Device Discovery, Data Encrypted for Impact, Windows Management Instrumentation, RDP Hijacking, Inhibit System Recovery, Remote System Discovery, Hidden Files and Directories, System Network Configuration Discovery, Windows File and Directory Permissions Modification, Multi-hop Proxy, Asymmetric Cryptography, Windows Service, Lateral Tool Transfer
S0263 TYPEFRAME (Citation: US-CERT TYPEFRAME June 2018) Ingress Tool Transfer, Disable or Modify System Firewall, Uncommonly Used Port, Obfuscated Files or Information, Malicious File, Deobfuscate/Decode Files or Information, Proxy, Commonly Used Port, Visual Basic, Windows Service, Custom Command and Control Protocol, Modify Registry, System Information Discovery, Non-Standard Port, Windows Command Shell, File Deletion, File and Directory Discovery
S0586 TAINTEDSCRIBE (Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020) Remote System Discovery, Binary Padding, Timestomp, File and Directory Discovery, Archive Collected Data, Process Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Windows Command Shell, Symmetric Cryptography, Protocol Impersonation, Ingress Tool Transfer, System Time Discovery, Fallback Channels, File Deletion, System Information Discovery
S0241 RATANKBA (Citation: Lazarus RATANKBA) (Citation: RATANKBA) System Owner/User Discovery, System Network Connections Discovery, Windows Command Shell, System Service Discovery, Web Protocols, Dynamic-link Library Injection, Windows Management Instrumentation, Local Account, Process Discovery, System Network Configuration Discovery, Remote System Discovery, Query Registry, Commonly Used Port, Ingress Tool Transfer, PowerShell, System Information Discovery
S0245 BADCALL (Citation: US-CERT BADCALL) Disable or Modify System Firewall, Symmetric Cryptography, Protocol Impersonation, Proxy, Modify Registry, System Information Discovery, Commonly Used Port, Non-Standard Port, System Network Configuration Discovery
S0498 Cryptoistic (Citation: SentinelOne Lazarus macOS July 2020) Data from Local System, Encrypted Channel, File Deletion, File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, System Owner/User Discovery
S0174 Responder (Citation: ClearSky Lazarus Aug 2020) (Citation: GitHub Responder) Network Sniffing, LLMNR/NBT-NS Poisoning and SMB Relay
S0431 HotCroissant (Citation: Carbon Black HotCroissant April 2020) (Citation: US-CERT HOTCROISSANT February 2020) Exfiltration Over C2 Channel, Symmetric Cryptography, File Deletion, Native API, Software Packing, File and Directory Discovery, Service Stop, Ingress Tool Transfer, Windows Command Shell, Process Discovery, System Service Discovery, System Owner/User Discovery, Obfuscated Files or Information, Application Window Discovery, Software Discovery, System Information Discovery, Screen Capture, System Network Configuration Discovery, Scheduled Task, Hidden Window
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Lazarus KillDisk) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0246 HARDRAIN (Citation: US-CERT HARDRAIN March 2018) Non-Standard Port, Proxy, Windows Command Shell, Protocol Impersonation, Commonly Used Port, Disable or Modify System Firewall
S0103 route (Citation: Kaspersky ThreatNeedle Feb 2021) (Citation: TechNet Route) System Network Configuration Discovery
S0584 AppleJeus (Citation: CISA AppleJeus Feb 2021) Deobfuscate/Decode Files or Information, File Deletion, Installer Packages, Exfiltration Over C2 Channel, Spearphishing Link, Windows Service, Hidden Files and Directories, Launchctl, Web Protocols, Code Signing, Unix Shell, System Information Discovery, Msiexec, Scheduled Task, Bypass User Account Control, Malicious File, Obfuscated Files or Information, Time Based Evasion, Launch Daemon, Malicious Link
S0593 ECCENTRICBANDWAGON (Citation: CISA EB Aug 2020) File Deletion, Obfuscated Files or Information, Windows Command Shell, Screen Capture, Keylogging, Local Data Staging
S0567 Dtrack (Citation: CyberBit Dtrack) (Citation: Dragos WASSONITE) (Citation: Kaspersky Dtrack) (Citation: Securelist Dtrack) (Citation: ZDNet Dtrack) Data from Local System, Local Data Staging, System Information Discovery, Hijack Execution Flow, Keylogging, Boot or Logon Autostart Execution, Windows Service, Windows Command Shell, Valid Accounts, File Deletion, Browser Bookmark Discovery, Match Legitimate Name or Location, System Network Connections Discovery, Embedded Payloads, Query Registry, Process Hollowing, File and Directory Discovery, System Network Configuration Discovery, Obfuscated Files or Information, Process Discovery, Archive Collected Data, Shared Modules, Ingress Tool Transfer, Deobfuscate/Decode Files or Information
S0181 FALLCHILL (Citation: US-CERT FALLCHILL Nov 2017) File and Directory Discovery, Timestomp, Symmetric Cryptography, File Deletion, System Information Discovery, System Network Configuration Discovery, Windows Service, Protocol Impersonation

References

  1. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  2. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
  3. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  4. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  6. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  7. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  8. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.
  9. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  10. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  11. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  12. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  13. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  14. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  15. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  16. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.
  17. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  18. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  19. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  20. Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
  21. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  22. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  23. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  24. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  25. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  26. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  27. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  28. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  29. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  30. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  31. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  32. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  33. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  34. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  35. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  36. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  37. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  38. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  39. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  40. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  41. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  42. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  43. CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.
  44. Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
  45. Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
  46. US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
  47. US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.