Lazarus Group’s Large-scale Threats via Watering Hole and Financial Software
Long-standing work norms derived from historical practices
2024. 1. 25. THU
Dongwook Kim, Seulgi Lee
KrCERT/CC
Introduction
Dongwook Kim ([email protected])
Incident Analyst
KrCERT/CC
Seulgi Lee ([email protected])
Malware Analyst
KrCERT/CC
Short Review: Keywords Against RoK in 2023
Hacktivist
Supply Chain Attack
Financial Security Software
Short Review: Incident in a Financial Security S/W
[Diagram: targeted attack through a financial security S/W]
- The financial security S/W runs as a startup program on the user's PC (24/7), which is what makes it a viable foothold
- Users connect to the internet bank; the user of interest is the TARGET
- Attacker-side exploit server with IP filtering: only the target's address is served the exploit (watering hole)
- Factors that shaped the incident: response time, watering hole, IP filtering, compatibility of the S/W across victim hosts
ATTRIBUTION. Summary
• Initial Access
- Zero-day exploit code
- Fully Targeted Attack
• Command and Control: Web-based Command and Control Systems
• Execution: Execute malware via a service (in the svchost netsvcs group)
• Persistence: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages → C:\Windows\System32\ (an SSP DLL dropped into System32 and registered so lsass.exe loads it at boot)
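The two host-side artefacts in the summary (the LSA "Security Packages" list and the svchost netsvcs group) can be audited with a short script. The block below is an added example for this page, not code from KrCERT/CC or from the presentation; the baseline SSP names are assumed defaults for a stock Windows 10/11 or Server image and should be replaced with your own golden-image values. Entries outside the baseline, unsigned, or not signed by Microsoft are reported for review, not declared malicious. Run it from an elevated PowerShell prompt on the host under investigation.

```powershell
# Added example (not part of the KrCERT/CC slides): audit the LSA Security Packages
# list and the svchost netsvcs group for the persistence/execution pattern described.
# ASSUMPTION: $knownSsp is the default SSP set on a stock Windows 10/11 or Server host.

$System32 = Join-Path $env:SystemRoot 'System32'

function Test-MicrosoftSigned {
    # Returns 'OK', 'MISSING', 'UNSIGNED(<status>)' or 'NON-MS-SIGNER' for a file path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED($($sig.Status))" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { return 'NON-MS-SIGNER' }
    return 'OK'
}

# --- 1. LSA Security Packages (the persistence location named on the slide) ---------
# lsass.exe honours both keys; each entry is resolved to <name>.dll under System32.
$lsaKeys  = @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
              'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig')
$knownSsp = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts')

$findings = @(foreach ($key in $lsaKeys) {
    $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    foreach ($pkg in @($pkgs)) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }   # default is often a single "" entry
        $name = $pkg -replace '\.dll$', ''
        $dll  = Join-Path $System32 ($name + '.dll')
        $base = if ($knownSsp -contains $name.ToLower()) { 'known' } else { 'UNEXPECTED' }
        [PSCustomObject]@{
            Location  = "$key\Security Packages"
            Entry     = $pkg
            File      = $dll
            Baseline  = $base
            Signature = Test-MicrosoftSigned $dll
        }
    }
})

# --- 2. svchost netsvcs group (the execution path named on the slide) ---------------
# Every service in the group is a ServiceDll loaded into a shared svchost.exe process,
# so a DLL outside System32 or without a Microsoft signature deserves a look.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs' -ErrorAction SilentlyContinue).netsvcs

$findings += @(foreach ($svc in @($netsvcs)) {
    $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" `
                               -Name 'ServiceDll' -ErrorAction SilentlyContinue
    if (-not $params) { continue }   # group member not installed here, or no ServiceDll
    $dll  = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $base = if ($dll.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)) { 'in-System32' } else { 'OUTSIDE-System32' }
    [PSCustomObject]@{
        Location  = "netsvcs\$svc"
        Entry     = $svc
        File      = $dll
        Baseline  = $base
        Signature = Test-MicrosoftSigned $dll
    }
})

$findings | Sort-Object Location | Format-Table -AutoSize
$suspect = @($findings | Where-Object { $_.Baseline -in @('UNEXPECTED', 'OUTSIDE-System32') -or $_.Signature -ne 'OK' })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) entries need review"
    $suspect | Format-List
}
```

Because a freshly registered SSP only loads at the next boot (or when lsass.exe restarts), the registry value can be present before any DLL is loaded; compare the value against a known-good snapshot of the same host rather than relying on the signature check alone, and pair the script with Sysmon registry-set events (Event ID 13) on the two Lsa keys for continuous coverage.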
ATTRIBUTION. Initial Access – Exploit
[Diagram: watering hole via a community website and a fake license server]
1. Victim accesses a community website (the watering hole)
2. Fake license server applies target IP filtering and redirects only the target to the exploit server
3. Exploit server installs a fake license on the victim's host
4. Victim downloads and executes the malware from the malware distribution server
ATTRIBUTION. Initial Access - Exploit
[Diagram: spear phishing into the same exploit chain]
1. Attacker sends a spear phishing email to the victim
2. Victim clicks the link
3. Exploit server applies target IP filtering and redirects only the target to the exploit
4. Victim downloads and executes the malware from the malware distribution server
ATTRIBUTION. Initial Access - Exploit
[Diagram: exploit triggered while reading an article]
1. Victim views an internet article
2. Exploit server applies target IP filtering and redirects only the target
3. The financial security S/W module is activated on the victim's host and exploited
4. Victim downloads and executes the malware from the malware distribution server
ATTRIBUTION. Initial Access – Fully Targeted Attack
ATTRIBUTION. …