Lazarus Group is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. (Citation: Lazarus KillDisk)
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. (Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff, (Citation: Kaspersky Lazarus Under The Hood Blog 2017) APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.
Platform | Tactic | Technique | Description | Data Sources |
---|---|---|---|---|
Linux, macOS, Windows | impact | System Shutdown/Reboot | Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems. | Windows event logs, Process command-line parameters, Process monitoring |
Linux, macOS, Windows, AWS, GCP, Azure | impact | Resource Hijacking | Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process use of network, Process monitoring, Network protocol analysis, Network device logs |
Linux, macOS, Windows | impact | Data Destruction | Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory. | File monitoring, Process command-line parameters, Process monitoring |
Linux, macOS, Windows | impact | Disk Content Wipe | Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory. | Kernel drivers, Process monitoring, Process command-line parameters |
Windows, macOS, Linux | impact | Disk Structure Wipe | Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine, and the group has possessed MBR wiper malware since at least 2009. | Kernel drivers, MBR |
Windows | impact | Service Stop | Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users. | Process command-line parameters, Process monitoring, Windows Registry, API monitoring |
Windows, Linux, macOS, SaaS | initial-access | Drive-by Compromise | Lazarus Group delivered RATANKBA to victims via a compromised legitimate website. | Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection |
Windows | defense-evasion, execution | Compiled HTML File | Lazarus Group has used CHM files to move concealed payloads. | File monitoring, Process monitoring, Process command-line parameters |
Windows, Linux, macOS | credential-access | Credential Dumping | Lazarus Group has leveraged Mimikatz to extract Windows credentials of currently logged-in users and has stolen passwords stored in browsers. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
Linux, Windows, macOS | execution | User Execution | Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email. | Anti-virus, Process command-line parameters, Process monitoring |
Linux, macOS, Windows | defense-evasion, execution | Scripting | A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system. | Process monitoring, File monitoring, Process command-line parameters |
Windows, macOS, Linux | initial-access | Spearphishing Attachment | Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
Windows | discovery | System Time Discovery | A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server. | Process monitoring, Process command-line parameters, API monitoring |
Linux, Windows, macOS | execution | Exploitation for Client Execution | Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution. | Anti-virus, System calls, Process monitoring |
Linux, macOS, Windows | defense-evasion, persistence | Hidden Files and Directories | A Lazarus Group VBA Macro sets its file attributes to System and Hidden. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control | Data Encoding | A Lazarus Group malware sample encodes data with base64. | Packet capture, Process use of network, Process monitoring, Network protocol analysis |
Linux, macOS, Windows | defense-evasion, privilege-escalation | Process Injection | A Lazarus Group malware sample performs reflective DLL injection. | API monitoring, Windows Registry, File monitoring, DLL monitoring, Process monitoring, Named Pipes |
Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | A Lazarus Group malware sample conducts C2 over HTTP. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
Windows | persistence | Shortcut Modification | A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control, defense-evasion | Connection Proxy | Lazarus Group uses multiple proxies to obfuscate network traffic from victims. | Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture |
Windows | defense-evasion, privilege-escalation | Access Token Manipulation | Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context. | API monitoring, Access tokens, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control | Uncommonly Used Port | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others. | Netflow/Enclave netflow, Process use of network, Process monitoring |
Linux, Windows | persistence | Bootkit | Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down. | API monitoring, MBR, VBR |
Windows | lateral-movement | Remote Desktop Protocol | Lazarus Group malware SierraCharlie uses RDP for propagation. | Authentication logs, Netflow/Enclave netflow, Process monitoring |
Linux, macOS, Windows | exfiltration | Exfiltration Over Alternative Protocol | Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims. | User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis |
Linux, macOS, Windows | command-and-control | Commonly Used Port | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080. | Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring |
Linux, macOS, Windows, GCP, AWS, Azure | collection | Data from Local System | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | discovery | System Owner/User Discovery | Various Lazarus Group malware enumerates logged-on users. | File monitoring, Process monitoring, Process command-line parameters |
Windows | execution | Windows Management Instrumentation | Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement. | Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters |
Linux, macOS, Windows, Office 365, Azure AD, SaaS | credential-access | Brute Force | Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords. | Office 365 account logs, Authentication logs |
Linux, Windows, macOS | command-and-control | Fallback Channels | Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again. | Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network |
Windows | persistence | Registry Run Keys / Startup Folder | Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key. | Windows Registry, File monitoring |
Linux, macOS, Windows, AWS, GCP, Azure | collection | Data Staged | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | collection, credential-access | Input Capture | Lazarus Group malware KiloAlfa contains keylogging functionality. | Windows Registry, Kernel drivers, Process monitoring, API monitoring |
Linux, macOS, Windows | exfiltration | Exfiltration Over Command and Control Channel | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also performs exfiltration over the C2 channel. | User interface, Process monitoring |
Linux, macOS, Windows | exfiltration | Data Encrypted | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration. | File monitoring, Process monitoring, Process command-line parameters, Binary file metadata |
Windows | lateral-movement | Windows Admin Shares | Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement. | Process use of network, Authentication logs, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control | Multiband Communication | Some Lazarus Group malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
Windows | discovery | Query Registry | Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt. | Windows Registry, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | discovery | Process Discovery | Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times. | Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion | Disabling Security Tools | Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disables it entirely using netsh. Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services. | API monitoring, File monitoring, Services, Windows Registry, Process command-line parameters, Anti-virus |
Linux, macOS, Windows | command-and-control | Custom Cryptographic Protocol | Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
macOS, Windows | discovery | Application Window Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KiloAlfa keylogger also reports the title of the window in the foreground. | API monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | discovery | System Network Configuration Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available. | Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | Several Lazarus Group malware families are capable of downloading and executing binaries from their C2 server. | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
Linux, Windows, macOS | exfiltration | Data Compressed | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. | Binary file metadata, File monitoring, Process command-line parameters, Process monitoring |
Windows, Office 365, Azure, GCP, Azure AD, AWS | credential-access, persistence | Account Manipulation | Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account. | Authentication logs, API monitoring, Windows event logs, Packet capture |
Linux, macOS, Windows | execution | Command-Line Interface | Lazarus Group malware uses cmd.exe to execute commands on victims. | Process monitoring, Process command-line parameters |
Linux, Windows, macOS | defense-evasion | Timestomp | Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp of legitimate .exe files (such as calc.exe or mspaint.exe) to their dropped files. | File monitoring, Process monitoring, Process command-line parameters |
Windows | persistence, privilege-escalation | New Service | Several Lazarus Group malware families install themselves as new services on victims. | Windows Registry, Process monitoring, Process command-line parameters, Windows event logs |
Linux, macOS, Windows | defense-evasion | File Deletion | Lazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim. | File monitoring, Process command-line parameters, Binary file metadata |
Linux, macOS, Windows | discovery | File and Directory Discovery | Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control | Standard Cryptographic Protocol | Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. | Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection |
Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Lazarus Group malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
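A detection sketch for the Brute Force row in the table above (share logons sprayed with permutations of the username Administrator and weak passwords), added here as an example and not part of the ATT&CK page. The log lines are constructed, and the simplified "timestamp source user target result" layout is an assumption rather than a real event schema; a deployment would read Windows 4625 events or SMB server logs instead.

```python
import re
from collections import defaultdict

# Constructed sample of failed/successful share logons (not real telemetry).
# Fields: timestamp source user target result
SAMPLE_LOG = """\
2023-01-01T10:00:01Z 10.0.0.7 Administrator \\\\FS01\\ADMIN$ FAILURE
2023-01-01T10:00:02Z 10.0.0.7 administrator \\\\FS01\\ADMIN$ FAILURE
2023-01-01T10:00:03Z 10.0.0.7 ADMINISTRATOR \\\\FS01\\ADMIN$ FAILURE
2023-01-01T10:00:04Z 10.0.0.7 Admin \\\\FS01\\ADMIN$ FAILURE
2023-01-01T10:00:05Z 10.0.0.7 Adm1nistrator \\\\FS01\\ADMIN$ FAILURE
2023-01-01T10:00:06Z 10.0.0.7 Administrador \\\\FS01\\C$ FAILURE
2023-01-01T10:00:07Z 10.0.0.7 Administrator \\\\FS01\\C$ SUCCESS
2023-01-01T10:05:00Z 10.0.0.9 jsmith \\\\FS01\\Share FAILURE
2023-01-01T10:05:30Z 10.0.0.9 jsmith \\\\FS01\\Share SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAILURE|SUCCESS)$")
ADMIN_LETTERS = sorted("administrator")
LEET = str.maketrans("013458", "oieass")  # common digit-for-letter swaps

def parse_events(text):
    """Parse the assumed log layout into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m[1], "src": m[2], "user": m[3],
                           "target": m[4], "ok": m[5] == "SUCCESS"})
    return events

def is_admin_variant(user):
    """Heuristic: case changes, leetspeak, separators, anagram-style permutations
    of 'administrator', and truncations/localisations starting with 'admin'."""
    letters = re.sub(r"[^a-z]", "", user.lower().translate(LEET))
    return letters.startswith("admin") or sorted(letters) == ADMIN_LETTERS

def detect_admin_spray(events, min_failures=5, min_distinct=3, min_ratio=0.8):
    """Flag a source with many failed share logons where most distinct usernames
    tried are Administrator permutations."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        users = {f["user"] for f in fails}
        admin_like = {u for u in users if is_admin_variant(u)}
        if (len(fails) >= min_failures and len(admin_like) >= min_distinct
                and len(admin_like) / len(users) >= min_ratio):
            alerts.append({"src": src, "failures": len(fails),
                           "usernames": sorted(users),
                           "targets": sorted({f["target"] for f in fails})})
    return alerts

def successes_from_flagged(events, alerts):
    """Successful logons from a flagged source: the spray likely hit a weak password."""
    flagged = {a["src"] for a in alerts}
    return [e for e in events if e["ok"] and e["src"] in flagged]
```

Tune the thresholds to the environment; a successful logon from a flagged source against ADMIN$ or C$ is the event to escalate first, since the table ties this behaviour to lateral movement over admin shares.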