30.05.2017

LAZARUS ARISEN

ARCHITECTURE / TOOLS / ATTRIBUTION
Group-IB reveals the unknown details of attacks from one of the most notorious APT groups: sophisticated espionage and APT techniques of the North Korean state-sponsored hackers
The North Korean hacker group named Lazarus has spied on the ideological enemies of the regime – state institutions and private corporations in the United States and South Korea – for years. Now Lazarus attacks banks and financial institutions around the world. Investigating not only the malicious code, but also the complex three-layer infrastructure of Lazarus, their encrypted channels and obfuscation tools, Group-IB reveals the previously unknown details of cyberattacks from one of the most notorious APT groups.

There are two points of interest in the Potonggang district of Pyongyang: the National Defence Commission of the Democratic People's Republic of Korea (NDC) and the unfinished 105-storey Ryugyong Hotel. Both facilities are restricted for foreigners. The IPs identified in Group-IB's investigation refer to this area; we are unaware of other organisations or locations of interest there and, given the closed nature of the North Korean state, cannot attribute further.
Lazarus (aka the DarkSeoul group) is allegedly controlled by Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency. Bureau 121 is responsible for conducting military cyber campaigns.
Lazarus is known to have specialized in DDoS attacks and corporate breaches targeting government, military, and aerospace institutions worldwide. Now that global economic pressure on North Korea has increased, Lazarus has shifted their focus to international financial organizations to conduct money thefts and espionage.

The largest attack happened in February 2016, when hackers tried to steal about $1 billion from the Central Bank of Bangladesh by exploiting weaknesses in the bank's security to infiltrate its systems and gain access to computers connected to the SWIFT network. Due to a mistake in a payment document, the attackers managed to steal only $81 million. In March 2017, FBI and NSA officials publicly confirmed for the first time that Pyongyang was likely behind the attack on the Bangladeshi Central Bank.

In February 2017, several Polish banks were compromised.

Security researchers analysed the malware code and relied chiefly on it to attribute the activity to the Lazarus group. Because tools are often reused by different groups, malware analysis, while helpful, does not provide conclusive evidence for attribution.
Evolution of Lazarus
The major operations of the North Korean hacker group from 2009 to 2016
1. Troy operation
   Period: 2009-2012
   Target: cyber espionage against armed forces and governmental bodies of South Korea, sabotage.
   Method: hacking websites, stealing information, DDoS attacks.
2. DarkSeoul operation
   Period: March 2013
   Target: three broadcasting stations and a bank in South Korea.
   Method: infecting with viruses, stealing and wiping information.
3. Attack on Sony Pictures
   Period: November 2014
   Target: Sony Pictures Entertainment (released the movie "The Interview", ridiculing the North Korean leader).
   Method: infecting with malware, stealing and wiping data of the company's employees, correspondence, copies of unreleased films.
4. Attack on the Central Bank of Bangladesh
   Period: 2016
   Target: an attempt to steal $951 million from the Central Bank of Bangladesh. Managed to steal only $81 million.
   Method: a targeted attack on banks connected to SWIFT, the global financial messaging system.
Group-IB specialists have researched this group and now have evidence that North Korea is behind these attacks: we have detected and thoroughly analyzed multiple layers of the C&C infrastructure used by Lazarus and have identified North Korean IP addresses from which the attacks were ultimately controlled. The following report outlines the criminal group's attack methodology against financial institutions, the malware employed and an overview of whom they planned to attack.
Through investigation of attacks on banks, we have proved that there is a strong connection between Lazarus and North Korea, while the analysis of IP addresses enables us to locate the attackers. We have detected and thoroughly analyzed the C&C infrastructure used by Lazarus. Our research shows how hackers gained access to the banks' information systems, what malware they used, and who their attempts were aimed at.
Dmitry Volkov
Head of Threat Intelligence Department, Co-founder Group-IB
Attack Organizers: Involvement of North Korea
Through analysis of the Lazarus infrastructure, Group-IB specialists detected that the attack was controlled from two IP addresses:

  • 210.52.109.22 belongs to the China Netcom autonomous system. However, some sources indicate that the range 210.52.109.0/24 is assigned to North Korea.

  • 175.45.178.222 belongs to a North Korean Internet service provider. The Whois service indicates that this address is allocated to the Potonggang District, where, perhaps coincidentally, the National Defence Commission, the highest military body in North Korea, is located.
Through investigation of public information, we came across a TV report from the South Korean news agency Arirang News, dated 2016:
N. Korea hacks into 160 S. Korean public and private entities
The report said that in February 2016 North Korean hackers attacked two corporations:

  1. SK Group, one of the largest conglomerates in South Korea.
  2. Hanjin Group, the parent company of Korean Airlines, whose division produces combat helicopters and fighter jets under licence.

On the screen behind the host, Group-IB specialists noticed two IP addresses, 175.45.178.19 and 175.45.178.97, which had been used to control Ghost RAT malware. Both are in the same range as the address 175.45.178.222 discovered by Group-IB specialists.

South Korea's National Police Agency reportedly identified that the cyberattack had been performed from the unfinished North Korean Ryugyong Hotel. Group-IB could not confirm this location attribution.
Masquerading as Russian hackers
Starting in 2016, the Lazarus group tried to mask their activity by pretending to be Russian hackers:

  • The Client_TrafficForwarder module includes debugging symbols and strings containing Russian words in descriptions of commands received by malware from the C&C server.

    It's worth noting that the "Russian commands" received from the server are not typical of a native Russian speaker; in the case of the "poluchit" (to receive) command, the meaning of the word contradicts the action (to send) it is intended for.

    Poluchit
    Отправить на C&C сетевой адрес текущего сервера (Send the network address of the current server to the C&C)
  • To protect their executables, hackers used Enigma Protector, a commercial product, which was created by a Russian software developer.

  • Exploits for Flash and SilverLight were borrowed from the sets of exploits created by Russian-speaking hackers.

These masquerade techniques did originally mislead some researchers who conducted malware operational analysis.
KEY FINDINGS
ATTACK PREPARATION AND IMPLEMENTATION
To conduct attacks, the criminals developed toolsets to control C&C servers and infected machines, built a three-layer C&C infrastructure, and compromised dozens of large web resources. A detailed technical analysis of the infrastructure is in the chapter "Preparing and conducting an attack" in the full version of the report.
1. Infection of web resources
To infiltrate systems of their interest, Lazarus conducted watering-hole attacks leveraging compromised resources often visited by their potential victims, such as websites of financial regulators and government agencies in several countries.

Some of these resources are listed below:

  • knf.gov.pl — The Polish Financial Supervision Authority
  • cnvb.gob.mx — National Banking and Securities Commission, Mexico
  • brou.com.uy — Banco de la República Oriental del Uruguay, a state-owned bank in Uruguay
Through examination of the code on a web server hosting exploits, Group-IB specialists detected a list of 255 IP address ranges: hackers infected only those users who visited the website from a computer within one of the specified ranges. Based on this list, researchers have compiled a map of the countries that were of interest to the attackers, which is presented below.
To gain access to the websites of financial regulators and to bank local networks, hackers used known vulnerabilities in JBoss and Liferay. They compiled an exploit for Silverlight (CVE-2016-0034, MS16-006), which had earlier been included in the RIG and Angler exploit kits, and they also used Flash exploits from the Neutrino Exploit Kit.
2. Establishment of C&C infrastructure
Attackers created a three-tier infrastructure of compromised servers, between which they established SSL-encrypted channels. Network interaction with the attacked computer was carried out only from the Layer 1 server, which acted as the C&C server. In some cases, hackers placed the Layer 1 server inside the attacked organization to reduce the risk of detection. They gained access to these servers by brute-forcing RDP passwords.
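The servers that became C&C tiers were taken over by guessing RDP passwords, which leaves a distinctive trail in the Windows Security log. As an added example, not code from the Group-IB report, the Python below detects that pattern: it groups failed RemoteInteractive logons (event 4625, logon type 10) by source address, flags any source that exceeds a threshold within a time window, and records whether a successful logon (event 4624) from the same source followed, which is the case worth escalating. The log lines are constructed, and the simplified export format (timestamp, event id, logon type, source IP, account) is an assumption about how events were exported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not from the report).
# Fields: timestamp, event id, logon type, source address, account name.
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2016-02-01T09:00:01 4625 10 203.0.113.7 administrator
2016-02-01T09:00:03 4625 10 203.0.113.7 admin
2016-02-01T09:00:06 4625 10 203.0.113.7 root
2016-02-01T09:00:10 4625 10 203.0.113.7 backup
2016-02-01T09:00:14 4625 10 203.0.113.7 svc_backup
2016-02-01T09:00:19 4625 10 203.0.113.7 svc_backup
2016-02-01T09:01:20 4624 10 203.0.113.7 svc_backup
2016-02-01T09:05:00 4625 10 198.51.100.4 jsmith
2016-02-01T09:06:00 4624 10 198.51.100.4 jsmith
2016-02-01T09:07:00 4624 2 198.51.100.9 jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S+) (\S+)$")


def parse_events(text):
    """Parse the assumed export format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, ltype, ip, account = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "logon_type": int(ltype),
            "ip": ip,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources with >= threshold RDP logon failures
    inside `window`. The finding lists the accounts tried and the account of the
    first successful RDP logon after the failure burst, if any."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:          # only RDP logons are relevant here
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == 4625]
        # Sliding window: start at each failure and count failures within `window`.
        for i, start in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                success = next((e for e in evs
                                if e["event_id"] == 4624 and e["ts"] > last_fail), None)
                findings[ip] = {
                    "failures": len(burst),
                    "accounts_tried": sorted({f["account"] for f in burst}),
                    "success_after": success["account"] if success else None,
                }
                break                      # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, f)
```

A single user mistyping a password once (198.51.100.4 in the sample) stays below the threshold, while the source that cycles through several account names and then logs in is reported together with the account that finally worked, which tells the responder which credential to reset first.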
3. Hackers used an original set of tools
After trying to steal $1 billion from the Central Bank of Bangladesh in February 2016, hackers from Lazarus promptly changed their tactics and modified their unique set of tools.
Server_RAT
Used to manage Windows-based server infrastructure
Server_TrafficForwarder
Forwards traffic from one external server to another
Backend_Listener
Establishes connections with servers on which Server_RAT is installed; receives commands directly from the threat actor
Admin_Tool
Admin tool used to send commands to infected computers
SWIFT toolbox
Used to work with SWIFT; consists of the Alliance software Hook Files and the SWIFT Transactions Information Harvester
Through in-depth analysis of the tools used by the attackers, Group-IB specialists identified the scheme of communications between nodes within the C&C infrastructure.
Tools to control infected PCs
In addition to the multi-layer server structure, hackers developed a specialized toolset for remote control of infected PCs.

The group actively attempted to conceal their activity, complicating malware detection and analysis as much as possible. All tools are modular, and the modules were delivered separately and only to target organizations. To complicate malware investigation, the criminals encrypted their tools.

The modular architecture of the infection process provides both additional flexibility and anonymity throughout the cyberattack. This scheme allows hackers to divide software development between teams and to reuse program code.
Recon
Recon is a backdoor that is initially installed on the target machine through successful execution of exploits. This module is used by hackers to perform initial reconnaissance to search for systems of interest.
Dropper
Dropper extracts and decrypts Loader, installs it on the system and extracts Client_RAT.
Loader
Loader is used to decrypt the payload — Client_RAT or Client_TrafficForwarder — and inject it into a legitimate process (for example, lsass.exe).
Client_TrafficForwarder
This module was installed on one of the PCs in the internal network of the attacked organization. It proxies traffic from C&C server to PCs in the local network of the attacked organization.
Client_RAT
The Client_RAT program provides full control over the target system: it allows you to analyze the system, download and execute files, transfer data from the infected computer to the C&C server.
RECOMMENDATIONS
Taking into consideration the strengthening economic sanctions against North Korea, as well as the geopolitical tension in the region, we expect a new wave of Lazarus attacks against global financial institutions. With that said, we strongly recommend that banks learn more about the tactics and techniques of targeted attacks, increase corporate cybersecurity awareness, and cooperate with companies providing relevant Threat Intelligence.
Dmitry Volkov
Head of Threat Intelligence Department, Co-founder Group-IB
  • 1. Updates of software and operating systems
    To prevent infection through execution of exploits, it is enough to keep Microsoft and Adobe software up to date. The Lazarus group uses known and patched exploits rather than 0-day vulnerabilities, so routine software updates alone were enough to keep the attackers out of corporate networks. Unfortunately, some of the attacked banks did not comply with this requirement.
  • 2. Network traffic analysis
    Even if the criminals have managed to obtain access to the corporate network, the attack can still be prevented. After intruding into the company's network, hackers still need to find the systems they are interested in and gain access to them. This takes days, and sometimes months, and that time should be used to detect the malicious activity.

    Attackers use malicious programs that transfer data to the Layer 1 C&C server. Communications between the infected computer and the C&C server can be identified through network traffic analysis. Since all communications are encrypted, you should use solutions that detect network anomalies based on threat intelligence data.
  • 3. Application whitelisting
    Application whitelisting should be introduced on critical bank servers. This prevents attackers from installing their remote control tools, monitoring financial transactions and escalating privileges, and it also helps to identify unauthorized attempts to run such malicious applications.
  • 4. Checking indicators of compromise
    The "Indicators of compromise" section contains current and historical intelligence data. With these indicators, you can check whether your organization was, or is, under attack by Lazarus. Because the group uses compromised legitimate servers, these indicators can produce false positives. The list of indicators is in the full version of the report.
  • 5. Professional response
    And the most important thing: if you have detected traces of a targeted attack at any stage, involve specialized companies for its analysis. An incorrect response to the attack leaves part of the attacker's activity undetected and lets the criminals achieve their goal: stealing money.
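Recommendations 2 and 4 both come down to running the same two checks over connection records, so one added example serves both (this is illustrative code, not code from the report or from Group-IB). The Python below takes constructed flow records (timestamp, source, destination, port, bytes) and, first, matches destination addresses against indicators: the two control IPs named in this summary as exact indicators, plus 175.45.178.0/24 as an assumed range indicator, since the 175.45.178.x addresses above share it but the real IoC list is only in the full report. Second, it looks for the one property encrypted C&C traffic cannot hide, regularity: source/destination pairs whose connections recur at near-constant intervals are reported as beaconing candidates. Hits are labelled by match kind because a range match, or a match on a compromised legitimate server, is a lead to investigate rather than a confirmation.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators from this summary (exact) plus an ASSUMED range indicator for the
# 175.45.178.x block; the full IoC list is only in the full report.
IOC_EXACT = {"210.52.109.22", "175.45.178.222"}
IOC_RANGES = [ipaddress.ip_network("175.45.178.0/24")]

# Constructed flow records (not from the report): "timestamp src dst dst_port bytes".
# 10.0.5.23 talks to an indicator every 5 minutes; 10.0.5.41 is ordinary web traffic;
# 10.0.7.9 makes single connections to an exact and to a range indicator.
SAMPLE_FLOWS = """\
2017-03-01T10:00:00 10.0.5.23 175.45.178.222 443 1320
2017-03-01T10:05:00 10.0.5.23 175.45.178.222 443 1304
2017-03-01T10:10:00 10.0.5.23 175.45.178.222 443 1298
2017-03-01T10:15:00 10.0.5.23 175.45.178.222 443 1311
2017-03-01T10:03:12 10.0.5.41 203.0.113.80 443 48210
2017-03-01T10:09:40 10.0.5.41 203.0.113.80 443 1020
2017-03-01T11:21:05 10.0.5.41 203.0.113.80 443 77710
2017-03-01T10:04:00 10.0.7.9 210.52.109.22 443 900
2017-03-01T10:30:00 10.0.7.9 175.45.178.50 443 500
"""


def parse_flows(text):
    """Parse the constructed flow format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def ioc_kind(ip):
    """'exact' for a listed address, 'range' for a listed network, None otherwise."""
    if ip in IOC_EXACT:
        return "exact"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in IOC_RANGES):
        return "range"
    return None


def match_iocs(flows):
    """Return the flows whose destination matches an indicator, tagged with the match kind."""
    hits = []
    for f in flows:
        kind = ioc_kind(f["dst"])
        if kind:
            hits.append({**f, "ioc_kind": kind})
    return hits


def find_beacons(flows, min_flows=4, max_cv=0.1):
    """Flag (src, dst) pairs seen at least `min_flows` times whose inter-connection
    gaps have a coefficient of variation <= max_cv, i.e. a near-constant period.
    Works without decrypting anything: only timing is used."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f["src"], f["dst"])].append(f["ts"])

    beacons = {}
    for key, times in pairs.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"count": len(times), "period_s": avg, "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for h in match_iocs(flows):
        print("IOC", h["ioc_kind"], h["src"], "->", h["dst"])
    for (src, dst), b in find_beacons(flows).items():
        print("BEACON", src, "->", dst, b)
```

In the sample, the host that contacts 175.45.178.222 is flagged twice, once by the indicator match and once by its exactly periodic timing, which is the corroboration a responder wants before escalating; the single connection into the 175.45.178.0/24 range is reported only as a range hit. Real beacons usually add jitter, so `max_cv` is a tuning knob rather than a fixed rule, and a hit on a compromised legitimate site should be checked against the organisation's own browsing before it is acted on.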
ABOUT GROUP-IB
Group-IB is one of the global leaders in preventing and investigating high-tech crimes and online fraud. Since 2003, the company has been active in the field of computer forensics and information security, protecting the largest international companies against financial losses and reputational risks.

International honors

The company is recognized by Gartner as a threat intelligence vendor with a strong cyber security focus and the ability to provide leading insight into the Eastern European region, and is recommended by the Organization for Security and Co-operation in Europe (OSCE). In 2017 an IDC report named Group-IB the leader of the Russian Threat Intelligence Services Market. The company is a member of the World Economic Forum working group on cybersecurity.

Clients worldwide

Fortune 500 companies worldwide use Group-IB products and services. Group-IB clients include top-tier banks and financial institutions, FMCG brands and industrial corporations, oil and gas companies, software and hardware vendors, and telecommunications service providers in the US, Western Europe, the Middle East, Asia and Australia.

CyberCrimeCon2017

The annual conference organized by Group-IB aims to empower global threat intelligence exchange in one of the hottest spots on the cybersecurity map. Be the first to discover key cybercrime trends and get a chance to interact with global experts directly, both on and off stage. Learn more at 2017.group-ib.com