Lazarus Group: one mahjong game played with different sets of tiles

Wednesday 3 October 16:30 - 17:00, Red room

Peter Kalnai (ESET)
Michal Poslusny (ESET)

The number of incidents attributed to Lazarus, a.k.a Hidden Cobra, has grown rapidly since its estimated establishment in 2009. The notorious group intensified its efforts in 2017 (e.g. the attacks on Polish and Mexican banks, the WannaCry outbreak, the spear-phishing campaign against US contractors) and kept up the pace at the turn of the year (the Android-ported payloads, the Bitcoin-oriented attacks, the Turkish campaign, and more). The attribution of the new cases was determined by observing similarities with previously resolved cases: specific chunks of code, unique data and network infrastructure. We summarize the crucial links that played a role in these major cases.

The source code of the toolset appears to be modified with every attack. There are several static features that vary between the instances: dynamic WINAPI resolving and the obfuscation of procedure and library names, the form of self-delete batches, the list of domains leveraged for fake TLS communication, the formatting strings included in TCP backdoors, the use of commercial packers, etc. The variety is so huge, that it suggests that the Lazarus group may be split into multiple, independent, code-sharing cells. We support the idea by exploring the undocumented PE rich header metadata which proves there are various building environments producing the malicious binaries.

There are several instances from the Lazarus toolset that have not been publicly reported. In this part we focus on lesser known findings: the very first iteration of WannaCry from 2016, in-the-wild experimenting with the malicious Java downloaders targeting multiple platforms, the use of a custom malware packer, the presence of strange artifacts like Chinese language or South Korean cultural references. Moreover, we will present previously unpublished details about the cyber sabotage attack against an online casino in Central America from late 2017, where we will also reveal the modus operandi of the cell that was behind the attack.



Peter Kálnai

Peter Kálnai is a malware researcher at ESET. As a speaker, he has represented ESET at various international conferences including Virus Bulletin, AVAR and cyberCentral. He hates mostly malware like crypto-ransomware, because it displays hardly any inventiveness and has a very destructive impact on the victim. His golden rule for cyberspace is always to prioritise security measures over user comfort. In his free time he enjoys table football and travelling.




Michal Poslušný

Michal Poslušný is a malware researcher working at ESET, where he is mainly responsible for reverse engineering of complex malware threats. He also works on developing various internal projects and tools and has actively participated in research presented at AVAR and Virus Bulletin conferences in the past. In his free time he likes to play online games, develop fun projects and spend time with his family.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.