Lazarus Group
Associated Group Descriptions |
|
Name | Description |
---|---|
Labyrinth Chollima | (Citation: CrowdStrike Labyrinth Chollima Feb 2022) |
Diamond Sleet | (Citation: Microsoft Threat Actor Naming July 2023) |
ZINC | (Citation: Microsoft ZINC disruption Dec 2017) |
NICKEL ACADEMY | (Citation: Secureworks NICKEL ACADEMY Dec 2017) |
Guardians of Peace | (Citation: US-CERT HIDDEN COBRA June 2017) |
HIDDEN COBRA | The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .002 | Access Token Manipulation: Create Process with Token |
Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call |
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
Lazarus Group has queried an active directory server to obtain the list of accounts, including administrator accounts.(Citation: ESET Lazarus Jun 2020) |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021) |
.004 | Acquire Infrastructure: Server |
Lazarus Group has acquired servers to host their malicious tools.(Citation: ESET Lazarus Jun 2020) |
||
.006 | Acquire Infrastructure: Web Services |
Lazarus Group has hosted malicious downloads on Github.(Citation: CISA AppleJeus Feb 2021) |
||
Enterprise | T1557 | .001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
Lazarus Group executed Responder using the command |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Lazarus Group has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021) |
Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library |
Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018) |
.003 | Archive Collected Data: Archive via Custom Method |
A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018) |
||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022) |
.005 | Boot or Logon Autostart Execution: Security Support Provider |
Lazarus Group has rebooted victim machines to establish persistence by installing a SSP DLL.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
||
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.(Citation: McAfee Lazarus Resurfaces Feb 2018) |
||
Enterprise | T1110 | .003 | Brute Force: Password Spraying |
Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Lazarus Group has used PowerShell to execute commands and malicious code.(Citation: Google TAG Lazarus Jan 2021) |
.001 | Command and Scripting Interpreter: PowerShell |
Lazarus Group has used Powershell to download malicious payloads.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
||
.003 | Command and Scripting Interpreter: Windows Command Shell |
Lazarus Group malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: Qualys LolZarus) A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Lazarus Group has used VBScript to gather information about a victim machine. (Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
||
Enterprise | T1584 | .001 | Compromise Infrastructure: Domains |
Lazarus Group has compromised legitimate domains, including those hosted in the US and Italy, for C2.(Citation: McAfee Lazarus Nov 2020) |
.004 | Compromise Infrastructure: Server |
Lazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021) |
||
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Several Lazarus Group malware families install themselves as new services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
A Lazarus Group malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018) |
Enterprise | T1001 | .003 | Data Obfuscation: Protocol or Service Impersonation |
Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee-GhostSecret-fixurl) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders) |
Enterprise | T1491 | .001 | Defacement: Internal Defacement |
Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.(Citation: Novetta Blockbuster Destructive Malware) |
Enterprise | T1587 | .001 | Develop Capabilities: Malware |
Lazarus Group has developed custom malware for use in their operations.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021) |
Enterprise | T1561 | .001 | Disk Wipe: Disk Content Wipe |
Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware) |
.002 | Disk Wipe: Disk Structure Wipe |
Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.(Citation: US-CERT SHARPKNOT June 2018)(Citation: Novetta Blockbuster) |
||
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret) |
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.(Citation: Google TAG Lazarus Jan 2021) |
.002 | Establish Accounts: Email Accounts |
Lazarus Group has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle Feb 2021) |
||
Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs) |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020) |
Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021) |
Enterprise | T1591 | .004 | Gather Victim Org Information: Identify Roles |
Lazarus Group has targeted specific individuals within an organization with tailored job vacancy announcements.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020) |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022) |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Lazarus Group has replaced `win_fw.dll`, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.(Citation: ESET Twitter Ida Pro Nov 2021) |
.013 | Hijack Execution Flow: KernelCallbackTable |
Lazarus Group has abused the |
||
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018). |
.004 | Impair Defenses: Disable or Modify System Firewall |
Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. (Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools) |
||
Enterprise | T1070 | .003 | Indicator Removal: Clear Command History |
Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.(Citation: Kaspersky ThreatNeedle Feb 2021) |
.004 | Indicator Removal: File Deletion |
Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret) |
||
.006 | Indicator Removal: Timestomp |
Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee GhostSecret) |
||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
Lazarus Group malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools) |
Enterprise | T1036 | .003 | Masquerading: Rename System Utilities |
Lazarus Group has renamed system utilities such as |
.004 | Masquerading: Masquerade Task or Service |
Lazarus Group has used a scheduled task named `SRCheck` to mask the execution of a malicious .dll.(Citation: ESET Twitter Ida Pro Nov 2021) |
||
.004 | Masquerading: Masquerade Task or Service |
A Lazarus Group custom backdoor implant included a custom PE loader named "Security Package" that was added into the lsass.exe process via registry key.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
||
.005 | Masquerading: Match Legitimate Name or Location |
Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)(Citation: Qualys LolZarus) |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Lazarus Group leveraged Mimikatz to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.(Citation: Lazarus KillDisk) Lazarus Group has also used a custom version Mimikatz to capture credentials.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Lazarus Group has used Themida to pack at least two separate backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
.002 | Obfuscated Files or Information: Software Packing |
Lazarus Group has used Themida to pack malicious DLLs and other files.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Nov 2020) |
||
.007 | Obfuscated Files or Information: Dynamic API Resolution |
Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.(Citation: Lazarus APT January 2022) |
||
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Lazarus Group has obtained a variety of tools for their operations, including Responder and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021) |
.003 | Obtain Capabilities: Code Signing Certificates |
Lazarus Group has used code signing certificates issued by Sectigo RSA for some of its malware and tools.(Citation: ESET Lazarus Jun 2020) |
||
.004 | Obtain Capabilities: Digital Certificates |
Lazarus Group has obtained SSL certificates for their C2 domains.(Citation: CISA AppleJeus Feb 2021) |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
.002 | Phishing: Spearphishing Link |
Lazarus Group has sent malicious links to victims via email.(Citation: Kaspersky ThreatNeedle Feb 2021) |
||
.003 | Phishing: Spearphishing via Service |
Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021) |
||
.003 | Phishing: Spearphishing via Service |
Lazarus Group has used fake job advertisements sent via LinkedIn to spearphish victims.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
||
Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit |
Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) |
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
A Lazarus Group malware sample performs reflective DLL injection.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022) |
Enterprise | T1090 | .001 | Proxy: Internal Proxy |
Lazarus Group has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.(Citation: Kaspersky ThreatNeedle Feb 2021) |
.002 | Proxy: External Proxy |
Lazarus Group has used multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020) |
||
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Lazarus Group malware SierraCharlie uses RDP for propagation.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs) |
.002 | Remote Services: SMB/Windows Admin Shares |
Lazarus Group malware SierraAlfa accesses the |
||
.004 | Remote Services: SSH |
Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.(Citation: Kaspersky ThreatNeedle Feb 2021) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Lazarus Group has used |
Enterprise | T1593 | .001 | Search Open Websites/Domains: Social Media |
Lazarus Group has used LinkedIn to identify and target specific employees within a chosen organization.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
Lazarus Group has hosted malicious files on compromised as well as Lazarus Group-controlled servers.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Nov 2020) |
.002 | Stage Capabilities: Upload Tool |
Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers.(Citation: ESET Lazarus Jun 2020) |
||
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Lazarus Group has digitally signed malware and utilities to evade detection.(Citation: Lazarus APT January 2022) |
Enterprise | T1218 | .001 | System Binary Proxy Execution: Compiled HTML File |
Lazarus Group has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017) |
.005 | System Binary Proxy Execution: Mshta |
Lazarus Group has used mshta.exe to run malicious scripts and download programs.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
||
.005 | System Binary Proxy Execution: Mshta |
Lazarus Group has used |
||
.010 | System Binary Proxy Execution: Regsvr32 |
Lazarus Group has used rgsvr32 to execute custom malware.(Citation: ESET Lazarus Jun 2020) |
||
.011 | System Binary Proxy Execution: Rundll32 |
Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter Ida Pro Nov 2021) |
||
Enterprise | T1614 | .001 | System Location Discovery: System Language Discovery |
Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.(Citation: ClearSky Lazarus Aug 2020) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020) |
.002 | User Execution: Malicious File |
Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
||
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services.(Citation: ClearSky Lazarus Aug 2020) |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.(Citation: Lazarus APT January 2022) |
References
- Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
- F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
- Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
- Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Ryan Sherstobitoff. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved August 15, 2024.
- Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024.
- Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
- US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
- US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
- US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
- USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
- US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
- Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
- US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
- US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.