Is Lazarus Related to Russian-Speaking Threat Actors?

The breakthrough

Establishing the connection

• TrickBot is a privately-run Malware-as-a-Service (Maas) offering, which can be accessed by only top-tier threat actors.
• TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.
• According to a report by LEXFO, past Lazarus infections have been spotted to coexist with TrickBot and Emotet.
• TA505 and Lazarus IOCs were found together in bank networks. Moreover, the PS post-intrusion scripts appertaining to Lazarus and TA505 have been discovered to be similar.
• According to a CISA alert, North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”

What they are saying

• Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.
• TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.
• However, not enough information is available to decide if all TrickBot infections could point to Lazarus or only a subset of them.

The bottom line