APT PROFILE – LAZARUS GROUP

The Lazarus Group is a highly sophisticated, state-sponsored cyber threat group attributed to the North Korean government. They are also known by many other names, including Hidden Cobra, APT38, and Guardians of Peace. Active since at least 2009, this group is one of the most prolific and dangerous advanced persistent threat (APT) actors in the world. Their attacks are not only for cyber espionage but also for financially motivated cybercrime, which sets them apart from most other state-backed actors.

Alias:
Onyx Sleet, APT 38, APT-38, APT38, Alluring Pisces, Andariel, AppleJeus, Appleworm, Bluenoroff, Bureau 121, CL-STA-240, CageyChameleon, Chollima, Citrine Sleet, Covellite, CryptoCore, Dark Seoul, Diamond Sleet, Group 77, Group77, Guardians of Peace, Hastati Group, Hidden Cobra, Jade Sleet, Jumpy Pisces, Labyrinth Chollima, Lazarus, Moonstone Sleet, NICKEL ACADEMY, NewRomanic Cyber Army Team, Operation DarkSeoul, Operation GhostSecret, Operation Troy, PUKCHONG, REF9135, Sapphire Sleet, Silent Chollima, Slow Pisces, Stardust, Stonefly group, TA444, TraderTraitor, UNC4899, Unit 121, Who is Hacking Team, ZINC

Motivation:
Financial Gain, Espionage, Political Agenda.

Targeted Industries

Targeted Countries
South Korea, Japan, India, Vietnam, United States, Brazil, China, Russia, Poland, Thailand, Turkey, Indonesia, Malaysia, Mexico, Iran, Iraq, Saudi Arabia, Taiwan, United Kingdom, France, Germany, Italy, Ukraine, Netherlands, Bangladesh, Chile, Australia, Canada, Singapore, Switzerland.

Tools Used:
NestEgg, Tdrop2 , SHARPKNOT, RawDisk, Destover, CleanToad, ELECTRICFISH, Quickcafe, Http Dr0pper, NachoCheese, DeltaCharlie, PowerBrace, BTC Changer, HotelAlfa, Castov, Volgmer, DoublePulsar, Plink, BlindToad, PowerRatankba, PowerShellRAT, RomeoNovember, ValeforBeta, PEBBLEDASH, Koredos, RomeoEcho, RomeoWhiskey, ARTFULPIE, RmeoGolf, Yort, NukeSped, RomeoFoxtrot, Vyveva, Troy, Bookcode, Bitsran, CheeseTray, RedShawl, SierraCharlie, TFlower, Hawup, SheepRAT, FallChil RAT, Stunnel, RomeoCharlie, RomeoDelta, Rifdoor, Jokra, Romeos, SierraAlfa, SLICKSHOES, Aryan, ClientTraficForwarder, HOPLIGHT, WolfRAT, Tdrop, Andaratm, BanSwift, Recon, 3Rat Client, Duuzer, BUFFETLINE, EternalBlue, netsh, Mydoom, Concealment Troy, DaclsRAT, KillDisk, BADCALL, MATA, OpBlockBuster, CookieTime, Dtrack, Hermes, ATMDtrack, Mimikatz, COPPERHEDGE, DyePack, RomeoMike,Hotwax, RomeoBravo, Gh0stRAT, PowerTask, RomeoAlfa, Wormhole, Brambul, Fimlis, AuditCred, BISTROMATH, Joanap, HTTPTroy, KEYMARBLE, RisingSun, Bankshot, PhanDoor, 3proxy, ProcDump , RatankbaPOS, VHD, HOTCROISSANT, PSLogger, RomeoHotel, PowerSpritz, HtDnDownLoader, WbBot, VSingle, BLINDINGCAN, TAINTEDSCRIBE, BootWreck, Contopee, Dozer.

Malware used by the Lazarus Group:
JuicyPotato, Volgmer, BADCALL, NineRAT, HARDRAIN, Destover, LightlessCan, RATANKBA, Proxysvc, OpenCarrot, Vyveva, RUSTBUCKET, Torisma Spyware, Lazardoor, AndarLoader, Marstech1, DarkComet, TYPEFRAME, ModeLoader, AuditCred, WannaCry, APPLEJEUS, CivetQ, Koi Stealer, MATA, SIGNBT, RustBucket, RustDoor, ThreatNeedle, Bankshot, XORIndex, BeaverTail, FALLCHILL, QuiteRAT, PyLangGhost RAT, HOPLIGHT, KEYMARBLE, Kaolin RAT, Scout, DLRAT, BottomLoader, LPEClient.

ATTACK FLOW DIAGRAM OF APT THREAT ACTOR LAZARUS GROUP

RECENTLY EXPLOITED VULNERABILITIES BY THE LAZARUS GROUP

Lazarus Group’s Recent Campaign Highlights and Trends

Recent Campaign Highlights

• Bybit Cryptocurrency Exchange Heist: In one of the largest cryptocurrency heists to date, the Lazarus Group is widely attributed to have stolen an estimated $1.5 billion in Ethereum from the Dubai-based exchange Bybit. This attack underscores the group’s primary motivation of acquiring foreign currency for the North Korean regime.
• “Operation SyncHole”: This campaign targeted at least six South Korean entities in the software, IT, financial, semiconductor, and telecommunications sectors. The attackers utilized a watering hole strategy, compromising legitimate South Korean websites to infect visitors with the ThreatNeedle malware. A key element of this campaign was the exploitation of vulnerabilities in widely used South Korean software, such as Cross EX and Innorix Agent, to gain initial access and move laterally within compromised networks.
• “Phantom Circuit”: This sophisticated supply chain attack has seen the Lazarus Group compromise developer communities and software vendors. By injecting malicious code into legitimate software updates, the group has been able to distribute its malware on a wider scale, enabling both financial theft and espionage.

Key Trends in Lazarus Group’s Operations

• Intensified Focus on Cryptocurrency: The cryptocurrency industry remains a prime target due to the potential for large, immediate financial returns. The group has demonstrated a deep understanding of blockchain technology and cryptocurrency platforms, enabling them to execute complex heists.
• Sophisticated Supply Chain Attacks: Lazarus is increasingly targeting the software supply chain, recognizing it as a highly effective method for widespread and often stealthy distribution of their malicious payloads.
• Exploitation of Regional Software: The group continues to invest in researching and exploiting vulnerabilities in software that is popular in specific geographic regions, as seen with their targeting of South Korean applications. This tailored approach increases their success rate in targeted attacks.
• Evolving Malware Arsenal: While reusing and modifying existing malware, Lazarus also continues to develop and deploy new tools. Their malware often employs multiple layers of obfuscation and anti-analysis techniques to evade detection by security solutions.

Tactics, Techniques, and Procedures (TTPs)

The following TTPs are based on the MITRE ATT&CK framework and represent a high-level overview of Lazarus Group’s recent activities: