An insight into the ever-evolving Lazarus threat actor group

• Ever since their first attack, which involved DDoS operations against various business entities, the group has managed to step up its attacks even further.
• The tools and capabilities used by this threat group include DDoS botnets, keyloggers, remote access tools (RATs) and wiper malware.

Lazarus or Hidden Cobra is a prolific threat actor group which has been active for over a decade. The notorious hacker group, which is believed to be based out at North Korea, has been active since at least 2009 and has been involved in several attacks, such as the 2014 Sony attack, 2016 Bangladesh bank heist, and the 2017 WannaCry ransomware attack.

Operation Blockbuster traced the first traces of Lazarus activity in 2009 when the group was held responsible for the large-scale denial of service attacks on the US and South Korean websites.

Primary targets and operations

Ever since their first attack, which involved DDoS operations against various business entities, the group has managed to step up their attacks even further. The threat actor has carried out several massive cyberespionage operations, most of which involve either disruption, sabotage or financial theft. Recently, the group has been expanding its attack targeting cryptocurrency exchanges.

Lazarus hackers leverage their capabilities to target and compromise a range of victims, with some intrusions resulting in the exfiltration of data. Tools and capabilities used by this actor group include DDoS botnets, keyloggers, remote access tools (RATs) and wiper malware.

Modus Operandi

Instead of following a single, identifiable attack technique, the group carries out the attacks based on where and what its next target is located. Most of their attacks involve a combination of custom malware and insider knowledge. In many cases, the attackers were found actively re-using code or borrowing fragments of code from old malicious programs.

While analyzing artifacts from different attacks, researchers at Kaspersky Labs discovered that Lazarus uses droppers that kept their malicious payloads within a password-protected ZIP archive.

“The password for archives used in different campaigns was the same and was hardcoded inside the dropper. The password protection was implemented in order to prevent automated systems from extracting and analyzing the payload, but in reality, it just helped researchers to identify the group” Kaspersky researchers said.

In addition, the group was also found using a special technique to wipe traces of its malicious activities and evade detection by anti-virus software programs.

“As we predicted, the number of wiper attacks grows steadily. This kind of malware proves to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant bounty to a Computer Network Exploitation team tasked with disinformation and the disruption of a target enterprise.

“Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyze a country’s infrastructure remains an interesting thought experiment closer to reality than we can be comfortable with. Together with our industry partners, we are proud to put a dent in the operations of an unscrupulous actor willing to leverage these devastating techniques,” said Juan Gurerrero, a senior security researcher at Kaspersky Lab.

Tactics, Techniques and Procedures (TTPs)

The threat actor has been known for using a wide variety of malware, with some improvisation over time. Some of its TTPs include:

• Masquerading the malware as TLS during C2 communication to thwart network controls;
• Using compromised servers for communication;
• Using spearphishing, often with malware attached in a Zip file;
• Employing P2P communication between the infected machine and CnC;
• Deploying legitimate tools during breach operations;
• Preferring IP addresses over Domain names for C2 communication;
• Sometimes employing DDoS attacks as a primary attack.

The Lazarus group has been suspected as a mastermind behind several attacks and continues to spread its scope of attack over the years. Recently, a report by Group IB noted that the threat actors have stolen as much as $571 million worth of cryptocurrencies in 14 different attacks, indicating that the hacker group’s attacks are likely aimed at obtaining funds for the impoverished and sanctions-inundated North Korean regime.