Lazarus Group, a North Korean nation-state sponsored threat actor, serves as an umbrella for several subgroups and has conducted extensive operations since as early as 2009.

Lazarus is a financially motivated, North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world’s largest cyber heists. Based on widely publicized operations alone, the group has attempted to steal more than $1.1 billion. Instead of simply obtaining access and moving to transfer funds as quickly as possible, Lazarus is believed to operate more like an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems.
In a recent campaign, Lazarus is using Covid-themed HWP documents targeting South Korea.
One of the executables uploaded from South Korea to the VirusTotal repository matched a YARA rule for detecting a reflective loader. This sample caught my attention since it was a Covid-themed HWP document and was found to be used by the Lazarus group.
Intelligence Analysis:
OSINT investigation found that the executable is downloaded from sofa[.]rs through an HWP document, 전라남도 코로나바이러스 대응 긴급 조회.hwp (translation: Urgent inquiry for Coronavirus in Jeollanam-do). Jeollanam-do is a province of South Korea. This may indicate that the most probable target is South Korea.
The code pattern shares genes with various known malware families, including Petya, Trickbot and Gandcrab, and also contains genes from admin tools such as TeamViewer and Dameware.

Malware Analysis:

Notable features of executable:
- Reads Clipboard data
- Logs Keystrokes
- Contains a killswitch to select victims
- Highly obfuscated file
- Detects sandbox environment to evade detection
- Contains functionality for execution timing, often used to detect debuggers
- Contains long sleeps
- Contains functionality to check if a debugger is running (IsDebuggerPresent)
Embedded Domains:
- kingsvc[.]cc
- mbrainingevents[.]com
- afuocolento[.]it
Process flow:

Indicators of Compromise (IoCs):
Domains:
- sofa[.]rs
- kingsvc[.]cc
- mbrainingevents[.]com
- afuocolento[.]it
Hashes (MD5):
- 8451be72b75a38516e7ba7972729909e
- fe2d05365f059d48fd972c79afeee682
- 186aa05bfe4739274c3c258be4a5a160
IP:
- 185[.]62[.]56[.]131
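As an added defender-side example (not part of the original write-up), the script below refangs the IoCs listed above and sweeps them over a few constructed DNS, proxy and EDR log lines; the log format, the internal client addresses and the file path are assumptions, and the matching is by exact domain or subdomain, exact IP, and MD5.

```python
import re

# IoCs exactly as published in the report above (defanged with "[.]")
DEFANGED_DOMAINS = ["sofa[.]rs", "kingsvc[.]cc", "mbrainingevents[.]com", "afuocolento[.]it"]
DEFANGED_IPS = ["185[.]62[.]56[.]131"]
HASHES = {"8451be72b75a38516e7ba7972729909e",
          "fe2d05365f059d48fd972c79afeee682",
          "186aa05bfe4739274c3c258be4a5a160"}

def refang(ioc):
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Candidate extractors for free-form log text
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

def matches_domain(host):
    """True for the listed domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def scan_line(line):
    """Return a list of (kind, value) hits found in one log line."""
    hits = []
    hits += [("domain", h.lower()) for h in DOMAIN_RE.findall(line) if matches_domain(h)]
    hits += [("ip", ip) for ip in IP_RE.findall(line) if ip in IPS]
    hits += [("md5", h.lower()) for h in MD5_RE.findall(line) if h.lower() in HASHES]
    return hits

def scan_logs(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, line, hits))
    return results

# Constructed sample log lines (assumed format); lines 1, 2, 3 and 5 should alert
SAMPLE_LOGS = [
    "2021-03-02T09:14:55Z dns query client=10.0.0.15 qname=sofa.rs qtype=A",
    "2021-03-02T09:15:01Z proxy client=10.0.0.15 dst=185.62.56.131:443 method=CONNECT",
    r"2021-03-02T09:15:09Z edr file_created path=C:\Users\user\AppData\Local\Temp\update.exe md5=8451be72b75a38516e7ba7972729909e",
    "2021-03-02T09:16:40Z dns query client=10.0.0.22 qname=www.example.com qtype=A",
    "2021-03-02T09:17:02Z dns query client=10.0.0.15 qname=cdn.kingsvc.cc qtype=A",
]

if __name__ == "__main__":
    for n, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```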
Indicators of Attacks (IoAs):
- Execution: T1047: Windows Management Instrumentation
- Execution: T1106: Execution through API
- Persistence: T1138: Application Shimming
- Privilege Escalation: T1138: Application Shimming
- Defense Evasion: T1036: Masquerading
- Defense Evasion: T1045: Software Packing
- Defense Evasion: T1497: Virtualization/Sandbox Evasion
- Defense Evasion: T1140: Deobfuscate/Decode Files or Information
- Defense Evasion: T1027: Obfuscated Files or Information
- Credential Access: T1056: Input Capture
- Discovery: T1124: System Time Discovery
- Discovery: T1497: Virtualization/Sandbox Evasion
- Discovery: T1057: Process Discovery
- Discovery: T1087: Account Discovery
- Discovery: T1033: System Owner/User Discovery
- Discovery: T1063: Security Software Discovery
- Discovery: T1082: System Information Discovery
- Lateral Movement: T1105: Remote File Copy
- Collection: T1056: Input Capture
- Collection: T1115: Clipboard Data
- Exfiltration: T1022: Data Encrypted
- Command and control: T1032: Standard Cryptographic Protocol
Yara Rule:
import "pe"
rule ReflectiveLoader {
    meta:
        description = "Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended"
        reference = "Internal Research"
        score = 60
    strings:
        $s1 = "ReflectiveLoader" fullword ascii
        $s2 = "ReflectivLoader.dll" fullword ascii
        $s3 = "?ReflectiveLoader@@" ascii
    condition:
        uint16(0) == 0x5a4d and (
            1 of them or
            pe.exports("ReflectiveLoader") or
            pe.exports("_ReflectiveLoader@4") or
            pe.exports("?ReflectiveLoader@@YGKPAX@Z")
        )
}
Reference:
- VirusTotal
- Intezer Analyze™