Unveiling the Lazarus Group’s Cyber Arsenal: A Deep Dive into Malware…

The Lazarus Group, a North Korea-attributed Advanced Persistent Threat (APT), has long been a subject of interest for cybersecurity professionals. Their sophisticated cyber operations, including espionage and financial theft, have made them a formidable adversary. In this article, we delve into the world of malware analysis, focusing on the tools and techniques used by the Lazarus Group. We’ll explore the MITRE ATT&CK framework, analyze malware artifacts, and understand the tradecraft of this elusive group.

Understanding the Lazarus Group

The Lazarus Group, also known as Hidden Cobra or APT37, is a state-sponsored cyber threat actor. They have been involved in a variety of malicious activities, including cyber espionage, financial theft, and disruptive attacks. The group is known for its use of custom malware, phishing campaigns, and job-themed lures, often targeting defense, engineering, and technology sectors.

Objective of This Exercise

In this exercise, we aim to analyze malware used by the Lazarus Group and map its techniques to the MITRE ATT&CK framework. This will help us better understand their tradecraft and the tools they use to conduct their operations.

Task 1: Identifying Similarities with Known Malware

Understanding the MITRE ATT&CK Framework

The MITRE ATT&CK framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Analyzing DRATzarus

DRATzarus is a malware associated with the Lazarus Group. According to the MITRE ATT&CK framework, DRATzarus shares similarities with other known malware, including PlugX and Poison Ivy. These similarities can help us understand the evolution of the Lazarus Group’s malware and their techniques.

Task 2: Detecting Debuggers

Understanding Debuggers

Debuggers are tools used by malware analysts, reverse engineers, and sandbox environments to dissect and understand malware. Malware authors do not want their malware to be dissected by defenders or analysts, so they often include mechanisms to detect and evade debuggers.

Identifying the Windows API Function

The Windows API function used by DRATzarus to detect the presence of a debugger is IsDebuggerPresent. This function checks whether the calling process is being debugged by a user-mode debugger. If a debugger is detected, the malware can take appropriate actions, such as terminating itself or altering its behavior.
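An analyst triaging a sample usually wants to know, before running it under a debugger, whether it carries this check. The script below is an added example, not code from the room or from this write-up: it scans a binary's raw bytes for the IsDebuggerPresent import name (and a few related API names I have added, in both ASCII and UTF-16LE) and for the inline instruction sequences that read the Process Environment Block, which is where IsDebuggerPresent itself reads the BeingDebugged flag, so a sample that avoids the import can still be spotted. The sample bytes are constructed for the demonstration.

```python
import re

# API names commonly used for debugger detection. IsDebuggerPresent is the one
# named in the text; the others are well-known related functions (added here).
ANTI_DEBUG_APIS = [
    b"IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess",
    b"OutputDebugStringA",
]

# Inline PEB reads (BeingDebugged lives at PEB offset 2). These are the
# standard encodings of the instructions that IsDebuggerPresent performs itself.
PEB_ACCESS_PATTERNS = {
    "x86 mov eax, fs:[0x30]": bytes.fromhex("64A130000000"),
    "x64 mov rax, gs:[0x60]": bytes.fromhex("65488B042560000000"),
}


def scan_anti_debug(data: bytes) -> list:
    """Return sorted (offset, label) hits for anti-debug indicators in raw bytes."""
    hits = []
    for name in ANTI_DEBUG_APIS:
        text = name.decode()
        for encoded, enc_label in ((name, "ascii"), (text.encode("utf-16-le"), "utf16")):
            for m in re.finditer(re.escape(encoded), data):
                hits.append((m.start(), f"api:{text}:{enc_label}"))
    for label, pattern in PEB_ACCESS_PATTERNS.items():
        for m in re.finditer(re.escape(pattern), data):
            hits.append((m.start(), f"inline:{label}"))
    return sorted(hits)


# Constructed sample: padding, an import-table-like string pair, and an inline
# PEB read followed by "movzx eax, byte ptr [eax+2]" (the BeingDebugged fetch).
SAMPLE_BYTES = (
    b"\x90" * 16
    + b"kernel32.dll\0"
    + b"IsDebuggerPresent\0"
    + b"\0" * 8
    + bytes.fromhex("64A130000000")
    + b"\x0f\xb6\x40\x02"
)

if __name__ == "__main__":
    for offset, label in scan_anti_debug(SAMPLE_BYTES):
        print(f"{offset:#08x}  {label}")
```

A hit from this scan is a reason to expect evasive behaviour in a sandbox, not proof of it: a legitimate program can also import IsDebuggerPresent, so the finding is a prompt to look at the code around the reference.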

Task 3: Analyzing Torisma

Understanding Torisma

Torisma is another piece of malware used by the Lazarus Group. It is a backdoor malware used for espionage and persistence, enabling attackers to remotely control infected systems, execute commands, and download additional payloads.

Encryption Methods

Torisma uses XOR and VEST-32 encryption methods to encrypt its C2 (Command and Control) communications. XOR is a simple encryption method that combines each byte of the plaintext with the corresponding byte of a secret key, usually a short key repeated across the message, using a bitwise XOR operation. VEST-32 is a more complex encryption method, designed to be resistant to cryptanalysis.
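The following is an added example, not code from the room or from this write-up, showing why a repeating-key XOR layer on its own gives an analyst so much leverage: encryption and decryption are the same operation, and if the first few plaintext bytes of a message are predictable (a fixed header, for instance), the key falls out by XORing them against the captured ciphertext. The key, header and message below are constructed for the demonstration and are not Torisma's real protocol.

```python
def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of length key_len from a known plaintext
    prefix of at least key_len bytes (for example a fixed protocol header)."""
    if key_len <= 0 or len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(ciphertext[i] ^ known_plaintext[i] for i in range(key_len))


def decrypt_capture(capture: bytes, known_header: bytes, key_len: int) -> bytes:
    """Recover the key from the header, then decrypt the whole captured message."""
    key = recover_xor_key(capture, known_header, key_len)
    return xor_crypt(capture, key)


# Constructed sample values (hypothetical, not from any real sample).
SAMPLE_KEY = bytes.fromhex("5ac3117e")
SAMPLE_HEADER = b"HDR1"
SAMPLE_MESSAGE = SAMPLE_HEADER + b"|host=WS-01|status=idle"
SAMPLE_CAPTURE = xor_crypt(SAMPLE_MESSAGE, SAMPLE_KEY)

if __name__ == "__main__":
    print("captured :", SAMPLE_CAPTURE.hex())
    print("key      :", recover_xor_key(SAMPLE_CAPTURE, SAMPLE_HEADER, len(SAMPLE_KEY)).hex())
    print("decrypted:", decrypt_capture(SAMPLE_CAPTURE, SAMPLE_HEADER, len(SAMPLE_KEY)))
```

Because the key length rarely exceeds the length of a predictable header, a single captured beacon is usually enough; this weakness is the practical reason a second, stronger cipher such as VEST-32 is layered on top.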

Task 4: Identifying Packing Methods

Understanding Packing

Malware uses compression or packing to hide its real code and evade detection by security tools. It also slows down analysis by forcing analysts to unpack the payload before understanding its behavior.

Identifying the Packing Method

The packing method used to obfuscate Torisma is lz4 compression. LZ4 is a fast compression algorithm that reduces the size of the malware; the real code only appears once the payload has been decompressed, which makes it harder to analyze and detect.
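To see what an unpacker actually has to do with an LZ4-compressed payload, here is a minimal LZ4 block codec, added as an example and not code from the room or from this write-up. It implements the raw block format (token, literals, 16-bit back-reference offset, match copy), not the framed format; a real analysis would normally use the `lz4` Python package, but this stdlib-only version makes the structure visible. The compressor is a naive greedy matcher that is fine for small inputs, and the test inputs are constructed.

```python
# LZ4 block format constants (from the public format description).
MIN_MATCH = 4        # matches are at least 4 bytes; the token stores length - 4
LAST_LITERALS = 5    # the last 5 bytes of a block must be literals
MFLIMIT = 12         # a match may not start within the last 12 bytes
MAX_OFFSET = 0xFFFF  # back-reference distance is a 16-bit value
LZ4_FRAME_MAGIC = b"\x04\x22\x4d\x18"  # only present in the framed format, not raw blocks


def _emit_len(out: bytearray, rem: int) -> None:
    """Length extension: 0xFF bytes until the remainder fits in one byte."""
    while rem >= 255:
        out.append(255)
        rem -= 255
    out.append(rem)


def _read_len(block: bytes, pos: int):
    total = 0
    while True:
        b = block[pos]
        pos += 1
        total += b
        if b != 255:
            return total, pos


def _emit_sequence(out: bytearray, literals: bytes, offset=None, match_len: int = 0) -> None:
    lit_len = len(literals)
    ml = match_len - MIN_MATCH if offset is not None else 0
    out.append((min(lit_len, 15) << 4) | min(ml, 15))  # token: 4-bit literal len, 4-bit match len
    if lit_len >= 15:
        _emit_len(out, lit_len - 15)
    out += literals
    if offset is not None:
        out += offset.to_bytes(2, "little")
        if ml >= 15:
            _emit_len(out, ml - 15)


def lz4_block_compress(data: bytes) -> bytes:
    """Naive greedy compressor, O(n * window); adequate for small samples."""
    out = bytearray()
    n, i, anchor = len(data), 0, 0
    while i < n:
        best_len = best_off = 0
        if i + MFLIMIT <= n:
            for j in range(max(0, i - MAX_OFFSET), i):
                l = 0
                while i + l < n - LAST_LITERALS and data[j + l] == data[i + l]:
                    l += 1
                if l > best_len:
                    best_len, best_off = l, i - j
        if best_len >= MIN_MATCH:
            _emit_sequence(out, data[anchor:i], best_off, best_len)
            i += best_len
            anchor = i
        else:
            i += 1
    _emit_sequence(out, data[anchor:n])  # final sequence is literals only
    return bytes(out)


def lz4_block_decompress(block: bytes) -> bytes:
    out = bytearray()
    pos, n = 0, len(block)
    while pos < n:
        token = block[pos]
        pos += 1
        lit_len = token >> 4
        if lit_len == 15:
            extra, pos = _read_len(block, pos)
            lit_len += extra
        out += block[pos:pos + lit_len]
        pos += lit_len
        if pos >= n:          # block ends after the last literal run
            break
        offset = int.from_bytes(block[pos:pos + 2], "little")
        pos += 2
        if offset == 0 or offset > len(out):
            raise ValueError(f"bad back-reference offset {offset} before position {pos}")
        match_len = token & 0x0F
        if match_len == 15:
            extra, pos = _read_len(block, pos)
            match_len += extra
        match_len += MIN_MATCH
        for _ in range(match_len):   # byte-wise copy so overlapping matches work
            out.append(out[-offset])
    return bytes(out)


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog. " * 8 + b"end of data"
    packed = lz4_block_compress(sample)
    print(len(sample), "->", len(packed), "bytes; round trip ok:",
          lz4_block_decompress(packed) == sample)
```

The offset check in the decompressor matters when unpacking untrusted payloads: a malformed block with an offset larger than the output written so far must be rejected rather than indexed.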

Task 5: Analyzing the ISO File

Understanding the ISO File

The exercise provides a DANGER.zip file, which contains an ISO file named BAE_HPC_SE.iso. The ISO file is a disk image file that can be mounted and accessed like a physical disk.

Extracting Files from the ISO

To extract files from the ISO, we can use the isoinfo command to get information from the ISO, and the 7z command to extract the files. The extracted files include BAE_HPC_SE.pdf and InternalViewer.exe. The InternalViewer.exe file is a PE32+ executable, the 64-bit variant of the Portable Executable format used by Windows.

Task 6: Identifying the Original Name of the Executable

Understanding the Executable

The executable found in the previous task was renamed. To identify its original name, we can use the exiftool command to get information about the file.

Identifying the Original Name

The original name of the file is SumatraPDF.exe. This information can help us understand the source of the malware and its intended purpose.

Task 7: Identifying the First Seen Date

Understanding VirusTotal

VirusTotal is a free online service that analyzes files and URLs for malware. It provides a comprehensive report on the file, including its behavior, detection by antivirus engines, and other relevant information.

Generating the Hash

To get information about the InternalViewer.exe file from VirusTotal, we can generate its hash using the sha256sum command. The hash can then be used to search for the file on VirusTotal.

Identifying the First Seen Date

The first seen date of the InternalViewer.exe file on VirusTotal is 2020-08-13 08:44:50 UTC. This information can help us understand when the malware was first detected and its potential origin.

Task 8: Identifying the Packer

Understanding Packers

Packers are tools used to compress and obfuscate executable files. They are often used by malware authors to hide their code and evade detection by security tools.

Identifying the Packer

The packer used to pack the executable from Question 6 is UPX, which stands for Ultimate Packer for eXecutables. UPX is a popular packer used by malware authors to compress and obfuscate their code.
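The triage steps of Tasks 5, 7 and 8 (file format, hash for a VirusTotal lookup, packer identification) can be scripted from the PE headers alone. The script below is an added example, not code from the room or from this write-up. It parses only the fields it needs (DOS header, PE signature, COFF header, optional-header magic and section names), reports the SHA-256, and flags UPX by its characteristic UPX0/UPX1 section names, with byte entropy as a second packing hint. Because it is self-contained, it builds a synthetic PE in memory (constructed, not a real sample) rather than reading InternalViewer.exe; point `triage_pe` at real file bytes to use it.

```python
import hashlib
import math
import struct

# Optional-header magic -> format. PE32+ is the 64-bit variant.
PE_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINE = {0x14C: "x86", 0x8664: "x64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Packed or encrypted content sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(data: bytes) -> dict:
    """Static header triage: hash, format, machine, section names, UPX heuristic."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    sec_off = e_lfanew + 24 + opt_size           # section table follows the optional header
    names = []
    for k in range(nsec):                        # each section header is 40 bytes, name first
        raw = data[sec_off + 40 * k: sec_off + 40 * k + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "format": PE_MAGIC.get(magic, f"unknown(0x{magic:x})"),
        "machine": MACHINE.get(machine, f"0x{machine:x}"),
        "sections": names,
        # Heuristic only: a modified UPX build can rename these sections.
        "upx_packed": any(n.startswith("UPX") for n in names),
        "entropy": round(shannon_entropy(data), 2),
    }


def build_minimal_pe(is64: bool, section_names) -> bytes:
    """Constructed synthetic PE for the demonstration. Only the header fields
    that triage_pe reads are meaningful; it is not loadable and not a real sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 240 if is64 else 224              # standard optional header sizes
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x0002)
    opt = struct.pack("<H", 0x20B if is64 else 0x10B).ljust(opt_size, b"\0")
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_minimal_pe(True, ["UPX0", "UPX1", ".rsrc"])
    for key, value in triage_pe(data).items():
        print(f"{key:>11}: {value}")
```

The SHA-256 in the result is the value to search on VirusTotal; the section names are the quickest UPX tell, and a high whole-file entropy on a sample without UPX names suggests a different or modified packer that needs a closer look.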

Task 9: Identifying the URL in the Macro

Understanding Macros

Macros are a set of instructions or a program that is used to automate tasks. They are often used in documents, such as Microsoft Word, to perform repetitive tasks and save time.

Analyzing the Macro

The document Salary_Lockheed_Martin contains a macro that includes a URL. To identify the URL, we can use the exiftool command to get information about the document and its macros.

Conclusion

In this article, we have delved into the world of malware analysis, focusing on the tools and techniques used by the Lazarus Group. We have explored the MITRE ATT&CK framework, analyzed malware artifacts, and understood the tradecraft of this elusive group. By understanding the techniques used by the Lazarus Group, we can better protect ourselves and our systems from their malicious activities.

FAQ

What is the Lazarus Group?

The Lazarus Group is a North Korea-attributed Advanced Persistent Threat (APT) that conducts cyber operations in support of state objectives, including cyber espionage, financial theft, and disruptive attacks.

What is the MITRE ATT&CK framework?

The MITRE ATT&CK framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

What is a debugger?

A debugger is a tool used by malware analysts, reverse engineers, and sandbox environments to dissect and understand malware. Malware authors do not want their malware to be dissected by defenders or analysts, so they often include mechanisms to detect and evade debuggers.

What is a packer?

A packer is a tool used to compress and obfuscate executable files. Packers are often used by malware authors to hide their code and evade detection by security tools.

What is VirusTotal?

VirusTotal is a free online service that analyzes files and URLs for malware. It provides a comprehensive report on the file, including its behavior, detection by antivirus engines, and other relevant information.
