
Lazarus campaign TTPs and evolution

2021-07-06, Att
https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution
#DreamJob

Executive summary
AT&T Alien Labs™ has observed new activity that has been attributed to the Lazarus adversary group potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. and Europe. This assessment is based on malicious documents believed to have been delivered by Lazarus during the last few months (spring 2021). However, historical analysis shows the lures used in this campaign to be in line with others used to target these groups.
The purpose of this blog is to share the new technical intelligence and provide detection options for defenders. Alien Labs will continue to report on any noteworthy changes.
Key Takeaways:
- Lazarus has been identified targeting defense contractors with malicious documents.
- There is a high emphasis on renaming system utilities (Certutil and Explorer) to obfuscate the adversary’s activities (T1036.003).
Background
Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, …

IoC

rule LazarusCampaign_MacroDoc_Jun2021 : WindowsMalware
{
    meta:
        author = "AlienLabs"
        description = "Detects Lazarus campaign macro document Jun2021."
        reference = "https://otx.alienvault.com/pulse/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c"
        SHA256 = "294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c"
    strings:
        $a1 = "ZSBydW4gaW4gRE9TIG1vZGUuDQ0KJA" ascii // "run in DOS mode." - base64 encoded
        $a2 = "c:\\Drivers"
        $a3 = "AAAAAAAAAA=" ascii // base64 content
        $a4 = "CreateObject(\"Scripting.FileSystemObject\").CreateTextFile"
        $a5 = "cmd /c copy"
        $a6 = {73 79 73 74 65 6d 33 32 5c 2a 65 72 74 75 74 2a 2e 65 78 65} // system32\*ertut*.exe
        $a7 = {25 73 79 73 74 65 6d 72 6f 6f 74 25 5c 65 78 70 2a 2e 65 78 65} // %systemroot%\exp*.exe
        $a8 = "sleep 1000"
        $a9 = "cmd /c explorer.exe /root"
        $a10 = "-decode "
        $b = "tAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v" ascii // "This program cannot" - base64 encoded
    condition:
        uint16(0) == 0xCFD0 and filesize < 2000KB and $b and 5 of ($a*)
}

rule LazarusCampaign_Payload_Jun2021 : WindowsMalware
{
    meta:
        author = "AlienLabs"
        description = "Detects Lazarus campaign downloader Jun2021."
        reference = "https://otx.alienvault.com/pulse/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c"
        SHA256 = "f5563f0e63d9deed90b683a15ebd2a1fda6b72987742afb40a1202ddb9e867d0"
    strings:
        $a1 = "Office ClickToRun" wide ascii
        $a2 = "C:\\Drivers\\"
    condition:
        uint16(0) == 0x5A4D and all of them
}
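The macro rule above keys on base64 fragments of an embedded PE's DOS stub rather than on the bytes themselves, since the document carries the payload base64-encoded for the renamed certutil to decode. The following Python is an added example (not code from the Alien Labs post) that decodes those two rule strings against a constructed PE-like blob built from the standard MS-DOS stub bytes and shows that the strings only match at one of the three possible base64 alignments.

```python
import base64

# Constructed sample: a 64-byte DOS header (only e_magic and e_lfanew set) followed
# by the standard MS-DOS stub that Microsoft linkers emit at offset 0x40, then a
# bare "PE\0\0" signature. Everything after the stub is irrelevant to the rule.
DOS_HEADER = b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")
DOS_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
    b"This program cannot be run in DOS mode.\r\r\n$"
)
SAMPLE_PE = (DOS_HEADER + DOS_STUB).ljust(0x80, b"\x00") + b"PE\x00\x00" + bytes(64)

# The two base64 strings from the LazarusCampaign_MacroDoc_Jun2021 rule.
SIG_A1 = "ZSBydW4gaW4gRE9TIG1vZGUuDQ0KJA"
SIG_B = "tAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v"


def decode_signature_fragment(sig: str) -> bytes:
    """Decode a base64 fragment, dropping a trailing partial 4-char group."""
    return base64.b64decode(sig[: len(sig) - len(sig) % 4])


def base64_variants(data: bytes) -> list:
    """Encode the blob starting 0, 1 and 2 bytes in: the three alignments an
    encoder can produce, each mapping the stub to different characters."""
    return [base64.b64encode(data[shift:]).decode() for shift in range(3)]


def signatures_hit(blob_b64: str) -> bool:
    """The rule's $b and $a1 are plain substrings of an encoded blob."""
    return SIG_B in blob_b64 and SIG_A1 in blob_b64


def alignment_hits(data: bytes) -> list:
    """For each alignment, whether the rule strings would match the encoded PE."""
    return [signatures_hit(v) for v in base64_variants(data)]


if __name__ == "__main__":
    print(decode_signature_fragment(SIG_B))   # stub code bytes + b'This program canno'
    print(decode_signature_fragment(SIG_A1))  # b'e run in DOS mode.\r\r\n'
    print(alignment_hits(SAMPLE_PE))          # [True, False, False]
```

Because base64 maps three bytes to four characters, the same stub encoded from an offset shifted by one or two bytes produces entirely different text, so a rule written from one sample only covers that alignment; the other two variants can be generated the same way and added as alternative strings.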