APT Hackers Deploy Lazarus Malware to Attack Windows Machine Via a Supply-Chain-Attacks

Recently, the security experts of ESET has detected Lazarus malware as it was involved in new campaigns against the South Korean Supply Chain by stolen security documents. The experts also revealed the abuse of the certificates that have been stolen are belongs to two separate, authorized South Korean companies.

Lazarus, also identified as Hidden Cobra, it’s an umbrella title for elite threat groups. This group includes offshoot entities that are suspected of being attached to North Korea. 

Moreover, the experts also believed that it is liable for Sony’s infamous 2014 hack; not only this, but Lazarus has also been correlated to hacks that are using zero-day vulnerabilities, LinkedIn phishing messages, and also the deployment of Trojans in campaigns that includes Dacls and Trickbot. 

Lazarus Toolset and Supply-chain Attack

Lazarus group was initially recognized in February 2016, in Novetta’s report “Operation Blockbuster”; therefore, the US-CERT and the FBI named this group as HIDDEN COBRA. According to the security experts, these cybercriminals surged to influence with the infamous case of cybersabotage against Sony Pictures Entertainment.

Apart from this, the Lazarus toolset is extremely wide, and the security experts believe that there are various subgroups of this toolset. The toolsets are being used by some other cybercriminal groups, but none of the source code of any Lazarus tools has ever been published in a public leak.

In the Lazarus supply-chain attack, the South Korean internet users are often claimed to install additional security software when attending government or internet trading websites.

The chain consists of a WIZVERA VeraPort it is referred to as an integration installation plan; it is a South Korean application that assists in managing such extra security software. 

When the WIZVERA VeraPort gets installed on their devices, users receive and install all necessary software that are required by a specific website with VeraPort.

Malware Samples Delivered Using this Supply-chain attack

The samples that are delivered using the supply-chain attack are mentioned below:-

• Delfino.exe
• MagicLineNPIZ.exe

The attributions that are involved in this supply chain are mentioned below:-

• Community agreement: The modern attack is a sequence of what KrCERT has called Operation Book codes.
• Toolset characteristics and detection: The first dropper is a console application that requires parameters, and the final payload is a RAT module.
• Victimology: The Lazarus group has a plentiful history of attacks against victims in South Korea like Operation Troy.
• Network infrastructure: All the server-side techniques of web shells and the business of C&Cs are incorporated very precisely in KrCERT’s white paper.
• Eccentric approach:

• In intrusion methods – The unusual method of infiltration is a sign that it could be connected to a sophisticated way.
• In encryption methods – It has Spritz exception of RC4 in the watering hole attacks against Polish and Mexican banks.

Malware analysis

According to the ESET report, it is a common characteristic of many APT groups, particularly Lazarus, that they unleash their stockpile within various stages that perform as a cascade, from the dropper to the common products up to the definitive payloads.

Dropper, Loader, Downloader, and Module

• Dropper: It is an initial stage of the cascade, and in this one, can’t see any polymorphism or obfuscation in the code, and the dropper encapsulates three encrypted files in its resources.
• Loader: This is a Themida-protected file; in this, the experts estimate the version of Themida to be 2.0-2.5, which agrees with KrCERT’s report.
• Downloader: The main downloader is diminished by the Dropper element under the bcyp655.tlb name and inserted into one of the assistance by the Loader.
• Module: It is a RAT that consists of a set of typical characteristics adopted by the Lazarus group. All the commands include operations on the victim’s filesystem and the download of additional tools from the attacker’s arsenal.

The targeted web server requires to be configured in a specific way, and this malware delivery method has only been utilized in inadequate Lazarus operations. However, security experts are still investigating the whole matter and trying to bypass all the threats.

Indicators of Compromise (IoCs)

Detection names

Win32/NukeSped.HW
Win32/NukeSped.FO
Win32/NukeSped.HG
Win32/NukeSped.HI
Win64/NukeSped.CV
Win64/NukeSped.DH
Win64/NukeSped.DI
Win64/NukeSped.DK
Win64/NukeSped.EP

SHA-1 of signed samples

3D311117D09F4A6AD300E471C2FB2B3C63344B1D
3ABFEC6FC3445759730789D4322B0BE73DC695C7

SHA-1 of samples

5CE3CDFB61F3097E5974F5A07CF0BD2186585776
FAC3FB1C20F2A56887BDBA892E470700C76C81BA
AA374FA424CC31D2E5EC8ECE2BA745C28CB4E1E8
E50AD1A7A30A385A9D0A2C0A483D85D906EF4A9C
DC72D464289102CAAF47EC318B6110ED6AF7E5E4
9F7B4004018229FAD8489B17F60AADB3281D6177
2A2839F69EC1BA74853B11F8A8505F7086F1C07A
8EDB488B5F280490102241B56F1A8A71EBEEF8E3

Code signing certificate serial numbers

00B7F19B13DE9BEE8A52FF365CED6F67FA
4C8DEF294478B7D59EE95C61FAE3D965