US Federal Authorities Dissect Malicious Activities of Six Malware Associated with Lazarus Group

  • Lazarus has been linked to multiple high profile attacks that have caused infrastructure disruptions and financial losses.
  • Some of the notable attacks include the 2014 attack on a major entertainment company and the 2016 Bangladeshi heist that netted nearly $1 billion for the attackers.

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) along with the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the Department of Defense (DoD) have released multiple malware analysis reports that are associated with the North Korean state-sponsored Lazarus threat actor group.

Background of the Lazarus group

Lazarus, also called Hidden Cobra, has been linked to multiple high profile attacks that have caused infrastructure disruptions and financial losses. Some of the notable attacks include the 2014 attack on a major entertainment company and the 2016 Bangladeshi heist that netted nearly $1 billion for the attackers.

The infamous WannaCry ransomware attack, which caused massive disruption and damage to numerous organizations worldwide, was also the work of the prolific Lazarus group.

An analysis of Lazarus' malware

The malware families covered by the CISA reports are:

  • HOPLIGHT
  • BISTROMATH
  • SLICKSHOES
  • CROWDEDFLOUNDER
  • HOTCROISSANT
  • ARTFULPIE
  • BUFFETLINE

HOPLIGHT - Around 27 malicious files related to the malware are cited in the report. Most are Windows portable executable (PE) files, with a few data files. Together they include backdoor Trojans, droppers, information stealers, credential harvesters, remote access Trojans (RATs), and artifact files.

BISTROMATH - CISA has reported multiple variants of this RAT, which uses simple XOR network encoding. The malware’s features include various surveillance options such as performing system scans, uploading/downloading files, executing processes and commands, and monitoring the microphone, clipboard, and screen.

SLICKSHOES - It is a dropper file designed to drop a Themida-packed beacon file.

“The dropped beaconing implant uses a network encoding algorithm and is capable of many functions, including conducting system surveys, file upload/download, process and command execution, and screen captures, all similar to a functional RAT,” explain Fortinet researchers in a blog post.

CROWDEDFLOUNDER - It is a 32-bit Windows PE file packed with Themida. Once installed, it unpacks and executes a RAT binary in memory. Researchers highlight that, “It can receive incoming connections by actively listening as a proxy while also receiving commands. It can also connect remotely to another server to receive commands.”

HOTCROISSANT - The sample performs custom XOR network encoding and is capable of exfiltrating data from the victim machine to a predefined C2 server. It can steal a wide range of machine information such as usernames, administrator information, IP addresses, Windows OS information, processor name, screen resolution, and physical RAM.

ARTFULPIE - This sample’s capabilities include downloading and performing DLL execution in memory.

BUFFETLINE - The malware uses custom XOR encryption to evade detection. Furthermore, it can download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.