Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
After initial research on Lazarus APT – a well-known, state-sponsored threat actor – was published, the group has continued to gain widespread attention both in the industry and the media, as a result of their high-profile and highly sophisticated threat activities. Unlike other state-sponsored threat actors, they have various motives for their cyber attacks. In the beginning, they had a relatively small malware cluster and few cyber attack capabilities. However, their modus operandi made a major leap in sophistication beginning in 2018. Several malware clusters started to spin off from the original malware and developed independently. Based on the characteristics of these clusters, we cluster them together in various groups: ThreatNeedle, DeathNote, Bookcode, MATA, AppleJeus, CookieTime, etc.
These clusters still contain overlaps in their modi operandi. Some clusters heavily reuse the same source code, and some clusters use the same final-stage malware even though they use different infection methods. However, we …