CyberThreatIntel/North Korea/APT/Lazarus/23-10-19/analysis.md
2019-11-08 14:50:58 +01:00

15 KiB

A Look into the Lazarus Group's Operations in October 2019

Table of Contents

Malware analysis

The next analysis try to kept the recents events and a logicial improvement and technics of the group, this can go back in the past for compare it.

CES 2020 incident (NukeSped)

We can see that the document target specifily the south korean exhibitors with the follow tittle "Application form for American Las Vegas CES 2020"

alt text

This initial vector of the infection begin by a current exploit in HWP (CVE-2015-6585) to execute an EPS script, this download and execute the next stage of the infection.

alt text

This execute fisrtly a common trick RtlCaptureContext for have ability to register a top-level exception handler and avoid debbuging.

alt text

Once this done, the malware execute a series of actions like list the disks, process, files and push it in differents files as temp file in waiting to send the data to C2.

alt text alt text alt text

alt text

This push the list of C2 address to contact, the languages to understand and begin the contact with the C2 in giving the host info.

alt text alt text

List of the languages used :
RFC4646/ISO 639 Ref Lang
Az-Arab Azerbaijani in Arabic script
de-CH Swiss German
en-US English as used in the United States
Interesting to see that not only south korea language is choisen and show that the group target all exhibitors (more a hundred exhibitors only for South Korea). This think possibly that the group manage the event give hardware specifily for the shows to the customers, that explains why this to don't include specific language like South Korea. If the target is interesting for the group, this can execute command and others tools in the computer infected.
We can see in the list of all the domains used that this all as different cloud providers and are legit website hijacked by vulnerable wordpress.
IP ASN Organization Route City Coordinates Country
64.151.229.52 AS26753 In2net Network Inc. 64.151.192.0/18 Toronto 43.6861,-79.4025 Canada
185.136.207.217 AS203377 LAB internet ve Bilisim Hizmetleri 185.136.207.0/24 Eskiehir 39.7767,30.5206 Turkey
83.169.17.240 AS8972 Europe GmbH 83.169.16.0/21 Köln 50.9541,6.9103 Germany
We can confirmed it by the Whois records and by the certificats push on the websites know at all the sites have between up early August 2019 at September 2019.

alt text alt text

HAL incident (JakyllHyde)

The document specifically target the Hindustan Aeronautics Limited company (HAL) that the national aeronautics in India. This use false announcements for recruitment for target probably interesting profile or internal employees in asking for their opinion about announcements.

alt text

The attack vector is an maldoc which use a macro for drop and execute the implant. The first bloc is a declaration of function for load the future extracted dll.

alt text

The next bloc have multiple functions like decode from the base 64 in binary and string, verify the path of folder/file, create a folder and extract the correct payload from the form in maldoc according to the OS.

alt text

The following bloc have extraction functions (drop the lure) and for get the name of the lure and the dll.

alt text

We can see the autoopen function for execute the macro at the opening of the document and the data of the malware in base 64.

alt text alt text

The backdoor begins to do the reconnaissance actions like list the process,system informations(Username, ComputerName ...)

alt text alt text

After this list all the disks on the computer and all the files in current working directories in waiting the order of the C2.

alt text alt text

This have the possibility to intercepts keystrokes (push it in temporary file), make screenshots, send interesting files by stream of bytes data.

alt text alt text alt text

If the attacker wants this can push and remove the persistence performed by a Startup key.

alt text alt text alt text

The backdoor contact the following IP :
IP ASN Organization Route City Coordinates Country
193.70.64.163 AS16276 thetiscloud.it 193.70.0.0/17 San Donato Milanese 45.4105,9.2684 Italy
By the certificates, we can see that the website is up since 2018, seems be a legit website hijacked.

alt text

Like the last incident, Lazarus group try to get high technologies, this possible that the interest is the fact that HAL is in cooperation for product and use the new french militairy aircraft (Rafale) in the India country.

OSX Malwares (OSX.Yort)

The initial vector of the infection is a maldoc with a VBA macro, this have two sections one for infected MacOSX and one for Windows. We can see the declaration of the functions for MacOSX and one of four splitted functions for get the payload on the Windows version

alt text

Here, we can observe the initiation of the payloads according with the OS in the AutoOpen (Run a macro when Excel or Word document is open).

alt text

The backdoor consists of a single loop which creates a session for waiting the orders of the C2.

alt text alt text

Many functions for send and get data are derived of a common based code with a specific action as perform at the final.

alt text

Foreach, this initiate and push the paramerters for communicate with the C2.

alt text alt text

This can reply to the C2 like a pulse for alert at is still up (ReplyDie), download a file (ReplyDown), download and execute a file (ReplyExec), execute a command (Replycmd) or open another CLI (ReplyOtherShellCmd).

alt text alt text alt text alt text alt text

We can see on the data pushed on the C2 that a xor is performed with the "0xAA" value.

alt text alt text

Cyber kill chain

The process graphs resume all the cyber kill chains used by the attacker.

alt text

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix
Enterprise tactics Technics used Ref URL

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)
Indicator Description
This can be exported as JSON format Export in JSON
Original tweet:
External analysis:
Ressources :