Lazarus Group: one mahjong game played with different sets of tiles

Presented at VB2018, Oct. 3, 2018, 4:30 p.m. (30 minutes).

The number of incidents attributed to Lazarus, a.k.a. Hidden Cobra, has grown rapidly since its estimated establishment in 2009. The notorious group intensified its efforts in 2017 (e.g. the attacks on Polish and Mexican banks, the WannaCry outbreak, the spear-phishing campaign against US contractors) and kept up the pace at the turn of the year (the *Android*-ported payloads, the Bitcoin-oriented attacks, the Turkish campaign, and more). The new cases were attributed by observing similarities with previously resolved cases: specific chunks of code, unique data and network infrastructure. We summarize the crucial links that played a role in these major cases.

The source code of the toolset appears to be modified with every attack. Several static features vary between the instances: dynamic WINAPI resolving and the obfuscation of procedure and library names, the form of self-delete batches, the list of domains leveraged for fake TLS communication, the formatting strings included in TCP backdoors, the use of commercial packers, etc. The variety is so great that it suggests the Lazarus group may be split into multiple, independent, code-sharing cells. We support the idea by exploring the undocumented PE rich header metadata, which proves there are various build environments producing the malicious binaries.

Several instances from the Lazarus toolset have not been publicly reported. In this part we focus on lesser-known findings: the very first iteration of WannaCry from 2016, in-the-wild experimenting with malicious Java downloaders targeting multiple platforms, the use of a custom malware packer, and the presence of strange artifacts such as Chinese language or South Korean cultural references.

Moreover, we will present previously unpublished details about the cyber sabotage attack against an online casino in Central America from late 2017, where we will also reveal the modus operandi of the cell that was behind the attack.

Presenters:

  • Peter Kálnai - ESET as Peter Kalnai
    Peter Kálnai is a malware researcher at ESET. As a speaker, he has represented ESET at various international conferences including Virus Bulletin, AVAR and cyberCentral. He mostly hates malware like crypto-ransomware, because it displays hardly any inventiveness and has a very destructive impact on the victim. His golden rule for cyberspace is always to prioritise security measures over user comfort. In his free time he enjoys table football and travelling. @pkalnai
  • Michal Poslušný - ESET as Michal Poslusny
    Michal Poslušný is a malware researcher working at ESET, where he is mainly responsible for reverse engineering of complex malware threats. He also works on developing various internal projects and tools and has actively participated in research presented at AVAR and Virus Bulletin conferences in the past. In his free time he likes to play online games, develop fun projects and spend time with his family.
