As the COVID-1 9 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that performers, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-1 9 research.
While tracking the Lazarus group’s continuous campaigns targeting various industries, we discovered that they recently ran after COVID-1 9-related entities. They attacked a pharmaceutical company at the end of September, and during our investigation we discovered that they had also assaulted a government ministry related to the COVID-1 9 response. Each assault utilized different tactics, techniques and the measures( TTPs ), but we acquired connections between the two cases and evidence associate those attacks to the notorious Lazarus group.
In this blog, we describe two separate incidents. The first one is an attack against a government health ministry: on October 27, 2020, two Windows servers were compromised at the ministry. We were unable to identify the infection vector, but the threat actor was able to install a sophisticated malware cluster on these servers. We already knew this malware as’ wAgent ‘. It’s main component merely works in memory and it fetches additional payloads from a remote server.
The second incident involves a pharmaceutical corporation. According to our telemetry, this corporation was breached on September 25, 2020. This time, the Lazarus group deployed the Bookcode malware, previously reported by ESET, in a furnish chain strike through a South Korean software company. We are also among able to observe post-exploitation commands run by Lazarus on this target.
Both strikes leveraged different malware clusters that do not overlap much. Nonetheless, we can confirm that both of them are connected to the Lazarus group, and we likewise acquired overlaps in the post-exploitation process.
wAgent malware cluster
The malware cluster has a complex infection strategy 😛 TAGEND
Infection scheme of the wAgent malware cluster
Unfortunately, we were unable to obtain the starter module used in this attack. The module seems to have a trivial role: executing wAgent with specific parameters. One of the wAgent samples we accumulated has fake metadata in order to make it look like the legitimate compression utility XZ Utils.
According to our telemetry, this malware was directly executed on the victim machine from the command line shell by calling the Thumbs export function with the parameter 😛 TAGENDc :\ windows \ system3 2 \ rundll3 2. exe C :\ Programdata \ Oracle \ javac.dat, Thumbs 8IZ-VU7-109-S2MY
The 16 -byte string parameter is used as an AES key to decrypt an embedded warhead- a Windows DLL. When the embedded payload is loaded in remembrance, it decrypts configuration information using the committed decryption key. The configuration contains various datum including C2 server address, as well as a file track employed later on. Although the configuration specifies two C2 servers, it contains the same C2 server twice. Interestingly, the configuration has several URL paths separated with an ‘@’ symbol. The malware attempts to connect to each URL track randomly.
C2 address in the configuration
When the malware is executed for the first time, it generates identifiers to distinguish each victim use the hash of a random value. It likewise makes a 16 -byte random value and overrules its order. Next, the malware concatenates this random 16 -byte value and the hash using ‘@’ as a delimiter. i.e .: 82 UKx3vnjQ 791 PL2 @29312663988969
POST parameter names( shown below) are decrypted at runtime and picked randomly at each C2 connection. We’ve previously determined and to be submitted to our Threat Intelligence Report clients that a very similar technique was used when the Lazarus group attacked cryptocurrency business with an evolved downloader malware. It is worth noting that Tistory is a South Korean blog posting service, which means the malware author is familiar with the The koreans internet environment 😛 TAGEND
plugin course property tistory tag vacon slip parent manual topics product notice portal articles category doc enter isbn tb idx tab maincode degree bbs method thesis content blogdata tname
The malware encodes the produced identifier as base6 4 and Posts it to the C2. Finally, the agent fetches the next payload from the C2 server and loadings it in recollection directly. Regrettably, we couldn’t obtain a copy of it, but according to our telemetry, the fetched warhead is a Windows DLL containing backdoor functionalities. Applying this in-memory backdoor, the malware operator executed numerous shell commands to gather victim info 😛 TAGENDcmd.exe/ c ping -n 1 -a 192.[ redacted] cmd.exe/ c ping -n 1 -a 192.[ redacted] cmd.exe/ c dir \\ 192.[ redacted ]\ c$ cmd.exe/ c query customer cmd.exe/ c cyberspace user[ redacted]/ domain cmd.exe/ c whoami
Persistent wAgent deployed
Using the wAgent backdoor, the operator installed an additional wAgent payload that has a persistence mechanism. After fetch this DLL, an export called SagePlug was executed with the following command line parameters 😛 TAGENDrundll3 2. exe c :\ programdata \ oracle \ javac.io, SagePlug 4GO-R19-0TQ-HL2A c :\ programdata \ oracle \~ TMP7 39. TMP
4GO-R19-0TQ-HL2A is used as a key and the file track indicates where debugging messages are saved. This wAgent installer runs similarly to the wAgent loader malware described above. It is responsible for loading an embedded warhead after decrypting it with the 16 -byte key from the command line. In the decrypted warhead, the malware makes a file path to proceed with the infection 😛 TAGEND
This file is disguised as a legitimate tool named SageThumbs Shell Extension. This tool presents image files immediately in Windows Explorer. However, inside it contains an additional malicious routine.
For logging and debugging purposes, the malware storages knowledge in the file provided as the second argument( c :\ programdata \ oracle \~ TMP7 39. TMP in such cases ). This log file contains timestamps and information about the infection process. We to be recognised that the malware operators were checking this file manually use Windows commands. These debugging messages have the same structure as previous malware used in attacks against cryptocurrency business relating to the Lazarus group. More details are provided in the Attribution section.
After that, the malware decrypts its embedded configuration. This configuration data has a similar arrangement as the aforementioned wAgent malware. It also contains C2 addresses in the same format 😛 TAGEND
hxxps :// iski.silogica [.] net/ events/ serial.jsp @WFRForms. jsp @import. jsp @view. jsp @cookie. jsp hxxp://sistema.celllab[.]com.br/webrun/Navbaremail@example.com@legacy.jsp@chooseIcon.jsp@customZoom.jsp hxxp :// www.bytecortex.com [.] br/ eletronicos/ digital.jsp @exit. jsp @helpform. jsp @masks. jsp @Functions. jsp hxxps://sac.najatelecom.com[.]br/sac/Dadosfirstname.lastname@example.org@email@example.com@default.jsp
It also takes advantage of the Custom Security Support Provider by registering the made file path to the end of the existing registry value. Thanks to this registry key, this DLL will be loaded by lsass.exe during the next startup.
Finally, the starter module starts the[ random 2 characters] svc.drv file in a remote process. It searches for the first svchost.exe process and performs DLL injection. The injected[ random 2 characters] svc.drv malware contains a malicious routine for decrypting and loading its embedded warhead. The final warhead is wAgent, which is responsible for fetching additional warheads from the C2, perhaps a amply featured backdoor, and loading it in the memory.
Bookcode malware cluster
The pharmaceutical corporation targeted by Lazarus group’s Bookcode malware is developing a COVID-1 9 inoculation and is authorized to produce and distribute COVID-1 9 vaccines. We previously watched Lazarus attack a software corporation in South Korea with Bookcode malware, perhaps targeting the source code or supply chain of that company. We have been previously witnessed the Lazarus group carry out spear phishing or strategic website compromise in order to deliver Bookcode malware in the past. However, we weren’t able to identify the exact initial infection vector for this incident. The whole infection procedure confirmed by our telemetry is very similar to the one described in ESET’s latest publication on the subject.
Bookcode infection procedure
Although we didn’t find the piece of malware tasked with deploying the loader and its encrypted Bookcode payload, we were able to identify a loader sample. This file is responsible for loading an encrypted payload named gmslogmgr.dat located in the system folder. After decrypting the payload, the loader detects the Service Host Process( svchost.exe) with winmgmt, ProfSvc or Appinfo parameters and injects the warhead into it. Unfortunately, we couldn’t acquire the encrypted warhead file, but we were able to reconstruct the malware actions on the victim machine and recognize it as the Bookcode malware we reported to our Threat Intelligence Report customers.
Upon execution, the Bookcode malware reads a configuration file. While previous Bookcode samples utilized the file perf9 1nc. inf as a configuration file, this version reads its configuration from a file called C_2 8705. NLS. This Bookcode sample has almost identical functionality as the malware described in the comprehensive report recently published by Korea Internet& Security Agency( KISA ). As described on page 57 of that report, once the malware is started it sends information about the victim to the attacker’s infrastructure. After communicating with the C2 server, the malware renders standard backdoor functionalities.
Extracting infected host information, including password hashes, from the registry sam dump. Utilize Windows commands in order to check network connectivity. Apply the WakeMeOnLan tool to scan hosts in the same network.
After installing Bookcode on September 25, 2020, the malware operator started meeting system and network information from the victim. The malware operator also accumulated a registry sam dump containing password hashes 😛 TAGEND
exe/ c” reg.exe save hklm \ sam% temp %\~ reg_sam.save> “% temp %\ BD54EA8118AF46. TMP ~” 2 >& 1 ” exe/ c” reg.exe save hklm \ system% temp %\~ reg_system.save> “% temp %\ 405 A758FA9C3DD. TMP ~” 2 >& 1 ”
In the lateral movement phase, the malware operator utilized well-known methodologies. After acquiring report info, they connected to another host with the “net” command and executed a copied payload with the “wmic” command.
exe/ c” netstat -aon | find “ESTA”>% temp %\~ 431 F.tmp exe/ c” net employ \\ 172.[ redacted] “[ redacted ]”/ u:[ redacted]>% temp %\~ D94. tmp” 2 >& 1 ” wmic/ node: 172.[ redacted]/ consumer:[ redacted]/ password :”[ redacted ]” process call create “% temp %\ engtask.exe”>% temp %\~ 9DC9. tmp” 2 >& 1 ”
Infrastructure of Bookcode
As a result of closely working with the victim to help remediate this attack, we discovered an additional configuration file. It contains four C2 servers, all of which are compromised web servers are contained in South Korea.
hxxps :// www.kne.co [.] kr/ upload/ Customer/ BBS.asp hxxp://www.k-kiosk[.]com/bbs/notice_write.asp hxxps :// www.gongim [.] com/ board/ ajax_Write.asp hxxp://www.cometnet[.]biz/framework/common/common.asp
Attacker files is available on a compromised website
We detected several log files and a script from the compromised server, which is a “first-stage” C2 server. It receives connections from the backdoor, but served only as a proxy to a “second-stage” server where the operators actually store orders.
~ F05990302ERA. jpg Second-stage C2 server address 😛 TAGEND
hxxps :// www.locknlockmall [.] com/ common/ popup_left.asp
Customer_Session.asp is a first-stage C2 script responsible for delivering commands from the next-stage C2 server and command executing results from the implant. In order to deliver proper commands to each victim, the bbs_code parameter from the implants is used as an identifier. The script applies this identifier to allocate commands to the correct victims. Here is how the process of sending an order for a particular victim operates 😛 TAGEND
The malware operator sets the corresponding flag ([ id] _2 08) of a specific implant and saves the command to the variable ([ id] _2 10 ). The implant checks the corresponding flag ([ id] _2 08) and retrieves the command from the variable ([ id] _2 10) if it is set. After executing the command, the implant sends the result to the C2 server and determines the matching flag. The malware operator checks the flag and retrieves the research results if the flag is set.
Logic of the C2 script
Besides implant control features, the C2 script has additional capabilities such as updating the next-stage C2 server address, mailing the identifier of the implant to the next-stage server or removing a log file.
table_nm value Function name Description table_qna qnaview Set[ id] _2 09 variable to TRUE and save the “content” parameter value to[ id] _2 11.
table_recruit recuritview If[ id] _2 09 is SET, send content of[ id] _2 11 and reset it, and set[ ID] _2 09 to FALSE.
table_notice notcieview Set[ id] _2 08 and save the “content” parameter value to[ id] _2 10.
table_bVoice voiceview If[ id] _2 08 is SET, mail contents of[ id] _2 10 and reset it, and defined[ id] _2 08 to FALSE.
table_bProduct productview Update the~ F05990302ERA. jpg file with the URL passed as the “target_url” parameter.
table_community communityview Save the identifier of the implant to the log file. Read the second-stage URL from~ F05990302ERA. jpg and send the current server URL and identifier to the next hop server using the following terms 😛 TAGEND
bbs_type= qnaboard& table_id =[ base6 4ed identifier]& accept_identity =[ base6 4 encoded current server IP ]& redirect_info =[ base6 4ed current server URL]
table_free freeview Read _ICEBIRD0 07. dat and mail its contents, and delete it.
We assess with high confidence that the program activities analyzed in this post is attributable to the Lazarus group. In our previous research, we already attributed the malware clusters is set out in both incidents described here to the Lazarus group. First of all, we can be seen that the wAgent malware used against the health ministry has the same infection scheme as the malware that the Lazarus group used previously in strikes on cryptocurrency businesses.
Both instances use a similar malware naming scheme, producing two characters randomly and appending “svc” to it to generate the track where the payload is plummeted. Both malicious programs use a Security Support Provider as a persistence mechanism. Both malicious programs have almost identical debugging messages.
Debugging log from ministry of health case Debugging log of cryptocurrency business case
15:18: 20 Extracted Dll:[ random 2bytes] svc.drv
15: 59:32 Reg Config Success!
16: 08:45 Register Svc Success!
16: 24:53 Injection Success, Process ID: 544 Extracted Dll:[ random 2bytes] svc.dll
Extracted Injecter:[ random 2bytes] proc.exe
Reg Config Success!
Register Svc Success!
Start Injecter Success!
Regarding the pharmaceutical company incident, we previously concluded that Bookcode is exclusively used by the Lazarus group. According to our Kaspersky Threat Attribution Engine( KTAE ), one of the Bookcode malware samples( MD5 0e44fcafab066abe99fe64ec6c46c84e) contains lots of code overlaps with old Manuscrypt variants.
Kaspersky Threat Attribution Engine results for Bookcode
Moreover, the same strategy was used in the post-exploitation phase, for example, the usage of ADFind in the attack against the health ministry to collect further information on the victim’s environment. The same tool was deployed during the course of its pharmaceutical company case in order to extract the listing of both workers and computers from the Active Directory. Although ADfind is a common tool for the post-exploitation process, it is an additional data point that indicates that the attackers use shared tools and methodologies.
These two incidents disclose the Lazarus group’s interest in intelligence related to COVID-1 9. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks.
Indicator of compromise
dc3c 2663 bd9a991e0fbec791c20cbf92% programdata %\ prophecy \ javac.dat 26545f5abb70fc32ac62fdab6d0ea5b2% programdata %\ oracle \ javac.dat 9c6ba9678ff986bcf858de18a3114ef3% programdata %\ grouppolicy \ Policy.DAT
4814b06d056950749d07be2c799e8dc2% programdata %\ prophecy \ javac.io,% appdata %\ ntuser.dat
wAgent compromised C2 servers
http :// client.livesistemas [.] com/ Live/ posto/ system.jsp @public. jsp @jenkins. jsp @tomas. jsp @story. jsp hxxps://iski.silogica[.]net/events/serial.jsp@WFRForms.firstname.lastname@example.org@email@example.com hxxp :// sistema.celllab [.] com.br/ webrun/ Navbar/ auth.jsp @cache. jsp @legacy. jsp @chooseIcon. jsp @customZoom. jsp hxxp://www.bytecortex.com[.]firstname.lastname@example.org@email@example.com@Functions.jsp hxxps :// sac.najatelecom.com [.] br/ sac/ Dados/ ntlm.jsp @loading. jsp @access. jsp @local. jsp @default. jsp
wAgent file path
% SystemRoot %\ system3 2 \[ random 2 characters] svc.drv
wAgent registry path
5 983 db89609d0d94c3bcc88c6342b354% SystemRoot %\ system3 2 \ scaccessservice.exe, rasprocservice.exe
Bookcode file path
Bookcode compromised C2 servers
hxxps :// www.kne.co [.] kr/ upload/ Customer/ BBS.asp hxxp://www.k-kiosk[.]com/bbs/notice_write.asp hxxps :// www.gongim [.] com/ committee/ ajax_Write.asp hxxp://www.cometnet[.]biz/framework/common/common.asp hxxps :// www.locknlockmall [.] com/ common/ popup_left.asp
MITRE ATT& CK Mapping.
T1 569.002 Command and Scripting Interpreter: Windows Command Shell
System Service: Service Execution
T1 543.003 Boot or Logon Autostart Execution: Security Support Provider
Privilege Escalation T1547.005
T1 055.001 Boot or Logon Autostart Execution: Security Support Provider
Process Injection: Dynamic-link Library Injection
Defense Evasion T1070.006
T1 027.001 Indicator Removal on Host: Timestomp
Process Injection: Dynamic-link Library Injection
Deobfuscate/ Decode Files or Information
Obfuscated Files or Information: Binary Padding
Credential Access T1003.002 OS Credential Dumping: Security Account Manager
T1 049 System Information Discovery
System Network Connections Discovery
Lateral Movement T1021.002 SMB/ Windows Admin Shares
Command and Control T1071.001
T1 132.001 Application Layer Protocol: Web Protocols
Data Encoding: Standard Encoding
Exfiltration T1041 Exfiltration Over C2 Channel