Lazarus Group: a mahjong game played with different sets of tiles
ESET, Czech Republic
Copyright © 2018 Virus Bulletin
Contents
Abstract
Introduction
Reported cases
Operation Troy and DarkSeoul
Operation Blockbuster – the saga, the sequel and going mobile
SWIFT attack in Bangladesh
Polish and Mexican banks
WannaCryptor outbreak
Bitcoin-oriented attacks
The Turkish Bankshot
Toolset characteristics
Dynamic resolution of Windows APIs
TCP backdoors
Fake TLS protocol
Self-deleting batch files
PE Rich Header metadata
Caught samples
WannaCryptor from 2016
Multi-platform Java downloaders
Custom malware packer
South Korean TV series
Online casino KillDisk-ed
Strange CoinMiner
Conclusion
References
Footnotes
Appendix A
Appendix B
Appendix C
Appendix D
The number of incidents attributed to the Lazarus Group, a.k.a. Hidden Cobra, has grown rapidly since its estimated establishment in 2009. This notorious group intensified its efforts in 2017 (e.g. the attacks on Polish and Mexican banks, the WannaCryptor outbreak, the spear-phishing campaign against US contractors), and kept up the pace at the turn of the year (the Android-ported payloads, the bitcoin-oriented attacks, the Turkish campaign, and more). Attribution of these newer cases was determined by observing similarities with previously resolved cases: specific chunks of code, unique data, and network infrastructure. …