Large-Scale Attack Activity of the Lazarus Hacking Group in 2023

2023-09-05, KRCERT
https://www.dailysecu.com/form/html/pascon/image/2023/pascon_2023_KEYNOTE-6.pdf
pascon_2023_KEYNOTE-6.pdf, 1.8 MB
#Slides

Contents

Lazarus Group's Operations: Large-Scale Infection Campaigns 2023
Korea Internet & Security Agency
김동욱, Senior Researcher


Agenda

- Introduction
- Key Findings
- Analysis (Incident Cases, Malware)
- Attribution & Conclusions


Profiling

High-risk attack groups

OPERATION
Specific attack groups are tracked, analyzed, and responded to at the operation level.


Summary

Attack-flow diagram labels, as they appear on the slide:

Watering hole (press)
- Page access: news
- Compromised press page
- Check target & exploit financial security program
- C2: download malware
- Command & control and data exfiltration

Internet network
- Malware infection
- Network scanning
- Compromised host (proxy farm)
- Command & control and data exfiltration

Internal network
- Lateral movement using financial security program exploit
- Establish foothold
- Malware infection
- Network scanning


Key Findings 1. Domino effect

Diagram labels: Company (START) → Source code → Exfiltrate → Resource Development → Exploit code → Exploit


Key Findings 2. Inevitable daily life

Diagram labels: Target: ME; CLICK!; Compromised Press


Key Findings 3. Internet Banking in Korea

Diagram labels: Bank Alpha; User A; User B; Bank Beta; S/W Development; User C; User D; User E


Key Findings 3. Internet Banking in Korea
Bank Alpha

User A

User B

Bank Beta
S/W Development
User C

User D

User E


Key Findings 3. Internet Banking in Korea
Bank Alpha

User A

User B

Bank Beta
S/W Development
User C

User D

User E


Incidents


Operation Start

Diagram labels: Lazarus; WEB; C&C; Spear Phishing (Attachment? Link?); Malcode

Common factor: Financial Security SW


Investigation

Private sector victims: defense contractors, financial software developers, medical technology companies, groupware developers, media companies, security product developers

Analysis loop (repeated): C2 server analysis, victim company analysis, malware analysis


Investigation

Diagram labels: Internet; Firewall; C&C; Network Separation; C&C; Internal Network; C&C

Finding compromised systems; malware analysis

Things to Find Out
1. Initial Access Techniques
2. Malware Propagation Techniques
3. Methods of Intrusion into Internal Network