Ever since the internet became a thing, there have been groups of people that work together to hack systems. Some of the most notorious groups being Anonymous, Chaos Computer Club, and Lizard Squad. For the past couple years, Kaspersky has been tracking down a particular hacker group known by the name of ‘Lazarus.’ The outfit is headquartered in North Korea and according to Kaspersky, is one of the most active hacker groups of 2020.

Enter Lazurus

Lazarus has been responsible for a number of attacks against defense companies. But these are not your typical attacks. Lazarus performs what’s called APT (Advanced Persistent Threat) attacks. An Advanced Persistent Threat is exactly what it sounds like. It’s an advanced type of attack that is persistent, meaning once a system is breached, the attacker can come and go as he/she pleases at any given time using a backdoor.

These types of threats are highly sophisticated in nature and can have destructive consequences. High-value entities such as governments and corporations are the typical targets of APTs.

A New Tool For Communist Spies

Kasperksy says Lazarus’ motives have historically been securing funding for Kim Jong-un’s regime. Recently, however, the hacking group has pivoted toward cyberespionage. By using spear-phishing attacks, Lazarus was able to steal data directly from targeted machines. Spear-Phishing is a very specific phishing attack that targets a specific person in an organization. Usually, a high ranking official like a CEO.

First, the group analyzed publicly accessible information about the targeted company and identified email addresses belonging to different departments before launching the attack. Then, phishing emails were carefully designed and written on behalf of a medical center within the target organization. To make the emails appear legitimate, the attackers used the personal details of the attacked organization’s deputy head doctor in the email signature.

They also registered accounts with a public email service to make sure the sender’s email address appeared identical to the medical center’s real email address.

There Are Layers to This S#%!

The malware, ThreatNeedle, is a three-stage deployment consisting of an installer, a loader, and a backdoor. The latter being capable of manipulating files and folders, system profiling, backdoor process control, and executing arbitrary code. Once inside, they collected credentials using a tool called Responder.

Then, they traveled laterally, searching for crucial assets. They also found ways to bypass network segmentation by gaining access to an internal router machine and configuring it as a proxy server. This allowed them to use a custom tool to exfiltrate the stolen data from the intranet network, sending it to a remote server.

This investigation helped Kaspersky to establish strong links between multiple Lazarus campaigns, reinforcing their attribution and identifying the various tactics and shared infrastructure used by the group in its various attacks.

Matthew Walls