Update analysis.md
parent
c8839a0f6e
commit
ccc0a393c7
@ -1,18 +1,30 @@
|
|||||||
# A Look into the Lazarus Group's Operations in October 2019
|
# A Look into the Lazarus Group's Operations in October 2019
|
||||||
## Table of Contents
|
## Table of Contents
|
||||||
* [Malware analysis](#Malware-analysis)
|
* [Malware analysis](#Malware-analysis)
|
||||||
|
+ [CES 2020 incident (NukeSped)](#CES2020)
|
||||||
|
+ [HAL incident (JakyllHyde)](#HAL)
|
||||||
|
+ [OSX Malwares (OSX.Yort)](#OSX)
|
||||||
|
+ [Powershell Backdoor (PowerShell/NukeSped)](#Power)
|
||||||
|
+ [Nuclear's plant incident (DTrack)](#Dtrack)
|
||||||
* [Cyber kill chain](#Cyber-kill-chain)
|
* [Cyber kill chain](#Cyber-kill-chain)
|
||||||
* [Indicators Of Compromise (IOC)](#IOC)
|
* [Indicators Of Compromise (IOC)](#IOC)
|
||||||
|
+ [CES 2020 incident (NukeSped)](#IOC-CES)
|
||||||
|
+ [HAL incident (JakyllHyde)](#IOC-HAL)
|
||||||
|
+ [OSX Malwares (OSX.Yort)](#IOC-OSX)
|
||||||
|
+ [Powershell Backdoor (PowerShell/NukeSped)](#IOC-Power)
|
||||||
|
+ [Nuclear's plant incident (DTrack)](#IOC-DTrack)
|
||||||
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
||||||
|
* [Knowledge Graph](#Knowledge)
|
||||||
* [Links](#Links)
|
* [Links](#Links)
|
||||||
+ [Original Tweet](#Original-Tweet)
|
+ [Originals Tweets](#Original-Tweet)
|
||||||
+ [Link Anyrun](#Links-Anyrun)
|
+ [Link Anyrun](#Links-Anyrun)
|
||||||
+ [External analysis](#Analysis)
|
+ [External analysis](#Analysis)
|
||||||
|
+ [Ressources](#Ressources)
|
||||||
|
|
||||||
<h2> Malware analysis <a name="Malware-analysis"></a></h2>
|
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
|
||||||
<h6>The next analysis tries to keep the recent events and a logical improvement and technics of the group, this could go back in the past for comparing it.</h6>
|
<h6>The next analysis tries to keep the recent events and a logical improvement and technics of the group, this could go back in the past for comparing it.</h6>
|
||||||
<h3> CES 2020 incident (NukeSped)</h3>
|
<h3>CES 2020 incident (NukeSped)</h3><a name="CES2020"></a>
|
||||||
<h6> We can see that the document target specifically the south korean exhibitors with the following tittle "Application form for American Las Vegas CES 2020"</h6>
|
<h6>We can see that the document target specifically the south korean exhibitors with the following tittle "Application form for American Las Vegas CES 2020"</h6>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/HWP/Doc.PNG" >
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/HWP/Doc.PNG" >
|
||||||
</p>
|
</p>
|
||||||
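Review bot: The new sub-section anchors are added as a separate element after the closing heading tag, e.g. `<h3>CES 2020 incident (NukeSped)</h3><a name="CES2020"></a>`, whereas the existing level-2 headings keep the anchor inside the heading (`<h2>Malware analysis <a name="Malware-analysis"></a></h2>`). Jumping to an anchor that follows the heading scrolls the heading title above the viewport; move each new anchor inside its `<h3>` to match the existing convention. In the table of contents, `[Originals Tweets](#Original-Tweet)` should read `Original Tweets`, and `[Ressources](#Ressources)` is misspelled (`Resources`); if the link text is corrected, rename the matching anchor in the Links section in the same commit so the fragment still resolves.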
@ -68,16 +80,16 @@
|
|||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/HWP/HWP-whois.png">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/HWP/HWP-whois.png">
|
||||||
</p>
|
</p>
|
||||||
<h3> HAL incident (JakyllHyde)</h3>
|
<h3>HAL incident (JakyllHyde)</h3><a name="HAL"></a>
|
||||||
<h6> The document specifically targets the Hindustan Aeronautics Limited Company (HAL) that the national aeronautics in India. This use false announcements for recruitment for targets probably interesting profile or internal employees in asking for their opinion about announcements.</h6>
|
<h6>The document specifically targets the Hindustan Aeronautics Limited Company (HAL) that the national aeronautics in India. This use false announcements for recruitment for targets probably interesting profile or internal employees in asking for their opinion about announcements.</h6>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19/Maldoc_cover.png">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19/Maldoc_cover.png">
|
||||||
</p>
|
</p>
|
||||||
<h6> The attack vector is an maldoc which use a macro for drop and execute the implant. The first bloc is a declaration of function for load the future extracted dll.</h6>
|
<h6>The attack vector is an maldoc which use a macro for drop and execute the implant. The first bloc is a declaration of function for load the future extracted dll.</h6>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19/Maldoc_VBA_1.png">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19/Maldoc_VBA_1.png">
|
||||||
</p>
|
</p>
|
||||||
<h6> The next bloc has multiple functions like decode from the base 64 in binary and string, verify the path of the folder/file, create a folder and extract the correct payload from the form in maldoc according to the OS.</h6>
|
<h6>The next bloc has multiple functions like decode from the base 64 in binary and string, verify the path of the folder/file, create a folder and extract the correct payload from the form in maldoc according to the OS.</h6>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19/Maldoc_VBA_2.png">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19/Maldoc_VBA_2.png">
|
||||||
</p>
|
</p>
|
||||||
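Review bot: `<a name="HAL"></a>` is placed after `</h3>` rather than inside the heading, so a `#HAL` jump lands with the title scrolled out of view; put the anchor inside `<h3>HAL incident (JakyllHyde) ...</h3>` as the `<h2>` headings do. Since this hunk touches the prose lines only to drop a leading space, it is a good moment to fix the grammar in the same `<h6>` lines: `the Hindustan Aeronautics Limited Company (HAL) that the national aeronautics in India` is missing a verb (`which is the national aeronautics company of India`), and `an maldoc` should be `a maldoc`.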
@ -138,7 +150,7 @@
|
|||||||
</p>
|
</p>
|
||||||
<h6>Like the last incident, Lazarus group try to get high technologies, this possible that the interest is the fact that HAL is in cooperation for product and use the new french military aircraft (Rafale) in the India country.</h6>
|
<h6>Like the last incident, Lazarus group try to get high technologies, this possible that the interest is the fact that HAL is in cooperation for product and use the new french military aircraft (Rafale) in the India country.</h6>
|
||||||
|
|
||||||
<h3> OSX Malwares (OSX.Yort) </h3>
|
<h3>OSX Malwares (OSX.Yort)</h3><a name="OSX"></a>
|
||||||
<h6>The initial vector of the infection is a maldoc with a VBA macro, this has two sections one for infected MacOSX and one for Windows. We can see the declaration of the functions for MacOSX and one of four spitted functions for getting the payload on the Windows version.</h6>
|
<h6>The initial vector of the infection is a maldoc with a VBA macro, this has two sections one for infected MacOSX and one for Windows. We can see the declaration of the functions for MacOSX and one of four spitted functions for getting the payload on the Windows version.</h6>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/march%202019/Maldoc-VBA-1.PNG">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/march%202019/Maldoc-VBA-1.PNG">
|
||||||
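Review bot: Same anchor placement issue as the other headings: `<a name="OSX"></a>` sits after `</h3>` instead of inside it. The heading `OSX Malwares (OSX.Yort)` is reached from the TOC as `#OSX`, while the corresponding ATT&CK table later in the file is titled `MacOS backdoor` with anchor `IOC-OSX`; use one name (`macOS`) for both headings so a reader can match the analysis to its table. The unchanged line below uses `MacOSX` and `spitted` where `macOS` and `split` are intended.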
@ -222,8 +234,8 @@
|
|||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19-Maldoc2/Mal_option.png">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/27-10-19-Maldoc2/Mal_option.png">
|
||||||
</p>
|
</p>
|
||||||
<h3> Powershell Backdoor (PowerShell/NukeSped)</h3>
|
<h3>Powershell Backdoor (PowerShell/NukeSped)</h3><a name="Power"></a>
|
||||||
<h6> Now, see the Windows version, this use Powershell language for the backdoor, the first bloc of the malware is the global values for the configuration, list of URL to contact and control values.</h6>
|
<h6>Now, see the Windows version, this use Powershell language for the backdoor, the first bloc of the malware is the global values for the configuration, list of URL to contact and control values.</h6>
|
||||||
|
|
||||||
``` powershell
|
``` powershell
|
||||||
$global:breakvalue=1
|
$global:breakvalue=1
|
||||||
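Review bot: `<a name="Power"></a>` after `</h3>` has the same scroll-position drawback as the other anchors introduced here; move it into the heading. The anchor name `Power` is also less descriptive than its siblings (`CES2020`, `HAL`, `OSX`); `PowerShell-backdoor` would read more clearly in the TOC source. The unchanged `<h6>` below opens with `Now, see the Windows version, this use Powershell language`, which would read better as `The Windows version uses PowerShell for the backdoor`.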
@ -831,7 +843,7 @@ function PulsetoC2($rid)
|
|||||||
|craypot.live|23.227.199.96|AS35017|Swiftway Communications, Inc|23.227.192.0/21 |Chicago|41.8500,-87.6500|United States|
|
|craypot.live|23.227.199.96|AS35017|Swiftway Communications, Inc|23.227.192.0/21 |Chicago|41.8500,-87.6500|United States|
|
||||||
|indagator.club|185.236.203.211|AS9009|M247 LTD Copenhagen Infrastructure|185.236.203.0/24|Ballerup|55.7317,12.3633|Denmark|
|
|indagator.club|185.236.203.211|AS9009|M247 LTD Copenhagen Infrastructure|185.236.203.0/24|Ballerup|55.7317,12.3633|Denmark|
|
||||||
|
|
||||||
<h3> Nuclear's plant incident (DTrack)</h3>
|
<h3>Nuclear's plant incident (DTrack)</h3><a name="Dtrack"></a>
|
||||||
<h6>On the stings, we can observe a function timestamp who return a date of the version, this is an of the sqllite version of the C libraries (3.21), this can be a reuse code of one of the stealers of the group for a new stealer.</h6>
|
<h6>On the stings, we can observe a function timestamp who return a date of the version, this is an of the sqllite version of the C libraries (3.21), this can be a reuse code of one of the stealers of the group for a new stealer.</h6>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/29-10-19/SQLite-Version-string.PNG">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/29-10-19/SQLite-Version-string.PNG">
|
||||||
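Review bot: Anchor naming is inconsistent across the file: this heading gets `<a name="Dtrack">` while the matching ATT&CK table uses `IOC-DTrack` and the TOC link is `#Dtrack`. Fragment identifiers are case-sensitive, so the link resolves today, but one spelling (`DTrack`, as in the heading text) in both places avoids a silent breakage when either side is edited. The unchanged `<h6>` below would also benefit from a pass while the file is open: `On the stings` should be `On the strings`, `sqllite` is `SQLite`, and `this is an of the sqllite version` is missing a word.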
@ -900,7 +912,7 @@ function PulsetoC2($rid)
|
|||||||
|
|
||||||
<h2> References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a></h2>
|
<h2> References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a></h2>
|
||||||
<h6> List of all the references with MITRE ATT&CK Matrix</h6>
|
<h6> List of all the references with MITRE ATT&CK Matrix</h6>
|
||||||
<h3>CES 2020</h3>
|
<h3>CES 2020</h3><a name="IOC-CES"></a>
|
||||||
|
|
||||||
|Enterprise tactics|Technics used|Ref URL|
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
| :---------------: |:-------------| :------------- |
|
| :---------------: |:-------------| :------------- |
|
||||||
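Review bot: The anchor `<a name="IOC-CES"></a>` is attached to the `CES 2020` heading under `<h2> References MITRE ATT&CK Matrix`, but the TOC entry that uses it, `[CES 2020 incident (NukeSped)](#IOC-CES)`, sits under `Indicators Of Compromise (IOC)`. A reader following the IOC sub-link lands on the ATT&CK technique table instead of the indicators. Either attach the `IOC-*` anchors to the per-incident headings of the IOC section, or name these anchors after the section they actually mark (for example `MITRE-CES`) and add TOC sub-entries under the ATT&CK heading for them.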
@ -911,7 +923,7 @@ function PulsetoC2($rid)
|
|||||||
|Discovery|T1010 - Application Window Discovery<br/>T1082 - System Information Discovery<br/>T1124 - System Time Discovery|https://attack.mitre.org/wiki/Technique/T1010<br/>https://attack.mitre.org/wiki/Technique/T1082<br/>https://attack.mitre.org/wiki/Technique/T1124|
|
|Discovery|T1010 - Application Window Discovery<br/>T1082 - System Information Discovery<br/>T1124 - System Time Discovery|https://attack.mitre.org/wiki/Technique/T1010<br/>https://attack.mitre.org/wiki/Technique/T1082<br/>https://attack.mitre.org/wiki/Technique/T1124|
|
||||||
|Collection|T1115 - Clipboard Data|https://attack.mitre.org/wiki/Technique/T1115|
|
|Collection|T1115 - Clipboard Data|https://attack.mitre.org/wiki/Technique/T1115|
|
||||||
|
|
||||||
<h3> HAL </h3>
|
<h3> HAL</h3><a name="IOC-HAL"></a>
|
||||||
|
|
||||||
|Enterprise tactics|Technics used|Ref URL|
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
| :---------------: |:-------------| :------------- |
|
| :---------------: |:-------------| :------------- |
|
||||||
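Review bot: `<a name="IOC-HAL"></a>` is placed on the `HAL` heading of the MITRE ATT&CK reference tables, not on an IOC heading, so the TOC link `[HAL incident (JakyllHyde)](#IOC-HAL)` under `Indicators Of Compromise (IOC)` jumps to the wrong section; move the anchor to the HAL entry of the IOC section or rename it to describe where it is. Separately, the ATT&CK URLs in these tables mix two forms (`https://attack.mitre.org/wiki/Technique/T1010` in the CES table, `https://attack.mitre.org/techniques/T1085` here); the `/techniques/` form is the current one and should be used throughout. The stray leading space in `<h3> HAL</h3>` is inconsistent with the other headings trimmed in this commit.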
@ -920,7 +932,7 @@ function PulsetoC2($rid)
|
|||||||
|Defense Evasion|Rundll32|https://attack.mitre.org/techniques/T1085|
|
|Defense Evasion|Rundll32|https://attack.mitre.org/techniques/T1085|
|
||||||
|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012|
|
|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012|
|
||||||
|
|
||||||
<h3> Powershell backdoor </h3>
|
<h3> Powershell backdoor </h3><a name="IOC-Power"></a>
|
||||||
|
|
||||||
|Enterprise tactics|Technics used|Ref URL|
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
| :---------------: |:-------------| :------------- |
|
| :---------------: |:-------------| :------------- |
|
||||||
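Review bot: `<a name="IOC-Power"></a>` marks the `Powershell backdoor` heading of the ATT&CK reference tables, while the TOC uses `#IOC-Power` from the IOC list; this is the same mismatch as the other `IOC-*` anchors in this commit and sends the reader to the technique table rather than the indicators. The heading also keeps a leading and trailing space (`<h3> Powershell backdoor </h3>`) that the other headings in this commit removed; trim it for consistency while touching the line.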
@ -931,7 +943,7 @@ function PulsetoC2($rid)
|
|||||||
|Command And Control|Data Encoding|https://attack.mitre.org/techniques/T1132/|
|
|Command And Control|Data Encoding|https://attack.mitre.org/techniques/T1132/|
|
||||||
|Exfiltration|Data Encrypted|https://attack.mitre.org/techniques/T1022/|
|
|Exfiltration|Data Encrypted|https://attack.mitre.org/techniques/T1022/|
|
||||||
|
|
||||||
<h3> MacOS backdoor </h3>
|
<h3> MacOS backdoor </h3><a name="IOC-OSX"></a>
|
||||||
|
|
||||||
|Enterprise tactics|Technics used|Ref URL|
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
| :---------------: |:-------------| :------------- |
|
| :---------------: |:-------------| :------------- |
|
||||||
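Review bot: `<a name="IOC-OSX"></a>` on `MacOS backdoor` is referenced from the IOC part of the TOC but sits in the MITRE ATT&CK reference section, so the `#IOC-OSX` link misleads; the ATT&CK tables and the IOC tables need separate anchors. Also, the `MacOS backdoor` and `Powershell backdoor` tables shown in these hunks carry identical context rows (`T1132` Data Encoding, `T1022` Data Encrypted); confirm that both tables are complete and intentionally the same rather than one copied over the other.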
@ -942,7 +954,7 @@ function PulsetoC2($rid)
|
|||||||
|Command And Control|Data Encoding|https://attack.mitre.org/techniques/T1132/|
|
|Command And Control|Data Encoding|https://attack.mitre.org/techniques/T1132/|
|
||||||
|Exfiltration|Data Encrypted|https://attack.mitre.org/techniques/T1022/|
|
|Exfiltration|Data Encrypted|https://attack.mitre.org/techniques/T1022/|
|
||||||
|
|
||||||
<h3>DTrack</h3>
|
<h3>DTrack</h3><a name="IOC-DTrack"></a>
|
||||||
|
|
||||||
|Enterprise tactics|Technics used|Ref URL|
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
| :---------------: |:-------------| :------------- |
|
| :---------------: |:-------------| :------------- |
|
||||||
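Review bot: `<a name="IOC-DTrack"></a>` is on the DTrack heading of the ATT&CK reference tables but the TOC uses it under `Indicators Of Compromise (IOC)`; as with the other `IOC-*` anchors, relocate it to the IOC section or rename it to match its position. The casing also differs from the analysis anchor `Dtrack` a few hunks up; using `DTrack` for both avoids confusion, since fragment matching is case-sensitive.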
@ -1031,13 +1043,13 @@ function PulsetoC2($rid)
|
|||||||
<h6> This can be exported as JSON format <a href="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Json/Others_Dtrack.json">Export in JSON</a></h6>
|
<h6> This can be exported as JSON format <a href="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Json/Others_Dtrack.json">Export in JSON</a></h6>
|
||||||
<h2>Yara Rules<a name="Yara"></a></h2>
|
<h2>Yara Rules<a name="Yara"></a></h2>
|
||||||
<h6> A list of YARA Rule is available <a href="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/YARA_Rule_Lazarus_October_2019.yar">here</a></h6>
|
<h6> A list of YARA Rule is available <a href="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/YARA_Rule_Lazarus_October_2019.yar">here</a></h6>
|
||||||
<h2>Knowledge Graph<a name="Knowledge"></a></h2>
|
<h2>Knowledge Graph<a name="Knowledge"></a></h2><a name="Know"></a>
|
||||||
<h6>The following diagram shows the relationships of the techniques used by the groups and their corresponding malware:</h6>
|
<h6>The following diagram shows the relationships of the techniques used by the groups and their corresponding malware:</h6>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/CTI.png">
|
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/Lazarus/23-10-19/Analysis/CTI.png">
|
||||||
</p>
|
</p>
|
||||||
<h2>Links <a name="Links"></a></h2>
|
<h2>Links <a name="Links"></a></h2>
|
||||||
<h6> Originals tweets: </h6>
|
<h6> Originals tweets: </h6><a name="tweet"></a>
|
||||||
|
|
||||||
* [https://twitter.com/RedDrip7/status/1186562944311517184](https://twitter.com/RedDrip7/status/1186562944311517184) <a name="Original-Tweet"></a>
|
* [https://twitter.com/RedDrip7/status/1186562944311517184](https://twitter.com/RedDrip7/status/1186562944311517184) <a name="Original-Tweet"></a>
|
||||||
* [https://twitter.com/Rmy_Reserve/status/1188235835956551680](https://twitter.com/Rmy_Reserve/status/1188235835956551680)
|
* [https://twitter.com/Rmy_Reserve/status/1188235835956551680](https://twitter.com/Rmy_Reserve/status/1188235835956551680)
|
||||||
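Review bot: The added `<a name="Know"></a>` after the Knowledge Graph heading is unused: the TOC links `#Knowledge`, and that anchor already exists inside the `<h2>`; drop the duplicate. Likewise `<a name="tweet"></a>` on the `Originals tweets:` heading is not referenced anywhere; the TOC still links `#Original-Tweet`, whose anchor sits on the first list item, so keep one of the two (the heading is the better place, then point the TOC at `#tweet`). This commit adds TOC entries for every sub-section, yet `Yara Rules` (`<a name="Yara">`, visible in this hunk) still has none; add `* [Yara Rules](#Yara)` before the Knowledge Graph entry. `Originals tweets` should read `Original tweets`.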
@ -1061,7 +1073,7 @@ function PulsetoC2($rid)
|
|||||||
* [Analysis of Powershell malware of Lazarus group](https://blog.alyac.co.kr/2388)
|
* [Analysis of Powershell malware of Lazarus group](https://blog.alyac.co.kr/2388)
|
||||||
* [Cryptocurrency businesses still being targeted by Lazarus](https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/)
|
* [Cryptocurrency businesses still being targeted by Lazarus](https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/)
|
||||||
|
|
||||||
<h6> Ressources : </h6>
|
<h6> Ressources : </h6><a name="Ressources"></a>
|
||||||
|
|
||||||
* [List of South Korea exhibitors in CES2020](https://www.ces.tech/Show-Floor/Exhibitor-Directory.aspx?searchTerm=&sortBy=country&filter=South%20Korea)
|
* [List of South Korea exhibitors in CES2020](https://www.ces.tech/Show-Floor/Exhibitor-Directory.aspx?searchTerm=&sortBy=country&filter=South%20Korea)
|
||||||
* [North Korea's Kimsuky Group informations](https://twitter.com/issuemakerslab/status/1123291956333834244)
|
* [North Korea's Kimsuky Group informations](https://twitter.com/issuemakerslab/status/1123291956333834244)
|
||||||
|
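Review bot: The new anchor and the heading both spell the word `Ressources`; the English spelling is `Resources`. Since the TOC link added in this commit is `[Ressources](#Ressources)`, fix heading text, anchor name and TOC link together so the fragment keeps resolving. As with the other headings, place the `<a name=...>` inside the `<h6>` rather than after it. In the last list item, `informations` should be `information` (uncountable in English).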