Lazarus Group’s Undercover Operations: Large-Scale Infection Campaigns 2022-2023
2023-08-28,
KRCERT
https://conference.hitb.org/hitbsecconf2023hkt/materials/D1T2%20-%20Lazarus%20Groups%20Undercover%20Operations%20-%20Large-Scale%20Infection%20Campaigns%202022%20%e2%80%93%202023%20-%20Lee%20Taewoo,%20Seulgi%20Lee,%20Dongwook%20Kim.pdf
D1T220-20Lazarus20Groups20Undercover20Operations20-20Large-Scale20_tO1DZLd.pdf, 7.5 MB
#DreamJob #GoldGoblin #FALLCHILL #Slides #BookCodes
Lazarus Group’s Undercover Operations: Large-Scale Infection Campaigns 2022-2023
Seulgi Lee, Dongwook Kim, Taewoo Lee
KrCERT/CC
CONTENTS
- Introduction
- Summary
- Key Findings
- Background
- Worth & Meaning
- Incidents
- Malicious Code Analysis
- Attribution & Conclusions
- Q&A
Introduction (Presenters)
Taewoo Lee (Malware Analyst)
Seulgi Lee (Malware Analyst)
Dongwook Kim (Incident Analyst)
Summary
• Prerequisite: exploit code, reconnaissance, compromised press server
• Initial Access → Lateral Movement → Exfiltrate Data
Figure: attack-flow diagram. Labels (Internet network): Page access news; Compromised Press page (Watering Hole); Check Target & Exploit financial security program; Press; C2; Download Malware; Command Control & Data Exfiltration; Compromised host (Proxy farm). Labels (Internal network): Malware Infection; Network Scanning; Establish Foothold; Lateral Movement using financial Security Program Exploit; Command Control & Data Exfiltration.
Key Findings 1. Domino effect
Attacking software developers by abusing previously stolen source code
Figure: flow diagram. START → Company → Source code → Exfiltrate → Resource Development → Exploit code → Exploit.
Key Findings 1. Domino effect
Figure: chain diagram of media websites starting from Initial Access, each marked Target O (target) or Target X (not a target).
Injecting subsequent media websites, beginning with the first penetrated media website
Key Findings 2. Inevitable daily life
ㅁㅈ = Enjoy your lunch
Figure: a user (ME) clicks a news link (CLICK!); the Compromised Press site checks "is Target?" before serving the visitor.
Background. Internet Banking in Korea (Abstract)
Figure: diagram with Bank Alpha, Bank Beta, S/W Development, and Users A, B, C, D, E.
Background. Internet Banking in Korea (Abstract)
Bank Alpha
User …