Lazarus Group: one mahjong game played with different sets of tiles

Wednesday 3 October 16:30 - 17:00, Red room

Peter Kalnai (ESET)
Michal Poslusny (ESET)



The number of incidents attributed to Lazarus, a.k.a Hidden Cobra, has grown rapidly since its estimated establishment in 2009. The notorious group intensified its efforts in 2017 (e.g. the attacks on Polish and Mexican banks, the WannaCry outbreak, the spear-phishing campaign against US contractors) and kept up the pace at the turn of the year (the Android-ported payloads, the Bitcoin-oriented attacks, the Turkish campaign, and more). The attribution of the new cases was determined by observing similarities with previously resolved cases: specific chunks of code, unique data and network infrastructure. We summarize the crucial links that played a role in these major cases.

The source code of the toolset appears to be modified with every attack. There are several static features that vary between the instances: dynamic WINAPI resolving and the obfuscation of procedure and library names, the form of self-delete batches, the list of domains leveraged for fake TLS communication, the formatting strings included in TCP backdoors, the use of commercial packers, etc. The variety is so huge, that it suggests that the Lazarus group may be split into multiple, independent, code-sharing cells. We support the idea by exploring the undocumented PE rich header metadata which proves there are various building environments producing the malicious binaries.

There are several instances from the Lazarus toolset that have not been publicly reported. In this part we focus on lesser known findings: the very first iteration of WannaCry from 2016, in-the-wild experimenting with the malicious Java downloaders targeting multiple platforms, the use of a custom malware packer, the presence of strange artifacts like Chinese language or South Korean cultural references. Moreover, we will present previously unpublished details about the cyber sabotage attack against an online casino in Central America from late 2017, where we will also reveal the modus operandi of the cell that was behind the attack.



Other VB2018 papers

VB2018 partner presentation (TBA)

Hide'n'Seek: an adaptive peer-to-peer IoT botnet

Adrian Șendroiu (Bitdefender)
Vladimir Diaconescu (Bitdefender)

Last-minute paper (TBA)