APT Lazarus group

Lazarus group - analysis links

• Lazarus under the hood - Kaspersky report - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
• Virus Bulletin paper - https://www.virusbulletin.com/virusbulletin/2019/06/vb2018-paper-lazarus-group-mahjong-game-played-different-sets-tiles/
• Malwarebytes blog - https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/
• Lazarus watering hole attack - https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html
• Lazarus arisen - https://www.group-ib.com/blog/lazarus

PDF reports:

• Lazarus threat intelligence report - https://www.wiselaw.com.au/assets/files/Jonathan_Lim_Lazarus%20Intel%20Report.pdf
• North Korea's cyber operation and war stratergies - https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf
• APT Cyber Criminal collections - https://github.com/eric-erki/APT_CyberCriminal_Campagin_Collections
• Evolution of north korean cyber threats - http://en.asaninst.org/wp-content/themes/twentythirteen/action/dl.php?id=46453
• Lazarus group malicious activity report - https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

Analysis

• Bypassing network restriction using RDP tunneling - https://www.fireeye.fr/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
• Detecting inbound RDP activity - https://www.netfort.com/blog/detecting-inbound-rdp-activity-from-external-clients/
• Event logs for RDP brute force attacks - https://duo.com/decipher/microsoft-mines-events-logs-for-rdp-brute-force-attacks
• Malicious svchost process identification - https://www.raymond.cc/blog/identify-loaded-svchostexe-in-windows-task-list/
• Detecting rogue svchost process - https://logrhythm.com/blog/detecting-rogue-svchost-processes/

Mitigation strategies

• Securing RDP, some best practices - https://security.berkeley.edu/education-awareness/best-practices-how-tos/system-application-security/securing-remote-desktop-rdp
• How to secure remote desktop
  • https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/
  • https://www.liquidweb.com/kb/improving-security-for-your-remote-desktop-connection/
  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/

Analysis notes

Host artifacts

• Amcache
• Shimcache
• SRUDB
• Jumplist
• userassist
• sysmon/windows-evt logs
• Prefetch
• Volume shadow copy
• registry analysis using regripper
• Recycle bin
• Analysis of Temporary internet files (DLL, EXE,powershell script files)- C:\Users<user name>\AppData\Local\Microsoft\Windows\Temporary Internet Files

Network artifacts

• dns logs
• firewall logs
• router logs
• UTM logs

Symantec AV log

• anti-virus logs - C:\ProgramData\Symantec\Symantec Endpoint Protection%SEP Version%\Data\Quarantine\
• SEP logs - C:\ProgramData\Symantec\Symantec Endpoint Protection%SEP Version%\Data\AV\Logs\

Note:

• ".VBN" file can be decompress with -- http://hexacorn.com/d/DeXRAY.pl
• Interpreting endpoint AV logs - https://knowledge.broadcom.com/external/article/151245/interpreting-endpoint-protection-av-log.html