WannaCry and Lazarus Group – the missing link?
A few hours ago, Neel Mehta, a researcher at Google, posted a mysterious message on Twitter with the #WannaCryptAttribution hashtag:
The cryptic message in fact refers to a similarity between two samples that have shared code. The two samples Neel refers to in the post are:
- A WannaCry cryptor sample from February 2017 which looks like a very early variant
- A Lazarus APT group sample from February 2015
The similarity can be seen in the screenshot below, which places the two samples side by side with the shared code highlighted:
So, what does it all mean? Here are a few questions and answers to think about.
I know about WannaCry, but what is Lazarus?
We wrote about the Lazarus group extensively and presented together with our colleagues from BAE and SWIFT at the Kaspersky Security Analyst Summit (SAS 2017). See:
Among other things, the Lazarus group was responsible for the Sony Wiper attack, the Bangladesh bank heist and the DarkSeoul …
IoC
9c7c7149387a1c79679a87dd1ba755bc
ac21c8ad899727137c4b94458d7aa8d8
https://twitter.com/neelmehta/status/864164081116225536
rule lazaruswannacry {
    meta:
        description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
        date = "2017-05-15"
        reference = "https://twitter.com/neelmehta/status/864164081116225536"
        author = "Kaspersky Lab"
        version = "1.0"
        hash = "9c7c7149387a1c79679a87dd1ba755bc"
        hash = "ac21c8ad899727137c4b94458d7aa8d8"
    strings:
        $a1 = {
            51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
            04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01
            46 56 E8
        }
        $a2 = {
            03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
            10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
            30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
            38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
            44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
            68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
            FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
            08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
            10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
            2B C0 2C C0 FF FE
        }
    condition:
        ((uint16(0) == 0x5A4D)) and (filesize < 15000000) and
        all of them
}