Unravelling Lazarus

Chris Doman
TLP White version
Early Reports - Nothing solid here

2004
News reports that Wifi networks used by Republic of Korea Army during joint US exercises
News reports that institutions including the National Assembly, Atomic Energy & Defense Research institutions are compromised.

2006
News reports of compromise of US and South Korean military organisations

2007
March 2007 - News reports of compromise by NK of stealing information on toxic chemicals and response plans from Ministry of
Environment.
Same month as the first Operation Troy samples *likely* come from.
2007+ Operation Troy - Military Espionage
Lots of variants and primarily seen in espionage attacks against military
Initially IRC communications, later HTTP
Disclosed by McAfee in 2013

March 7, 2007 - Probably development of first generation malware used in “Operation Flame”
Later closely related malware in “Operation 1Mission”, “Operation Troy”, and the DarkSeoul wiper 2013
attacks.
D:\VMware\eaglexp(Backup)\...BsDll.pdb
E:\Tong\Work\Op\1Mission\Team_Project\[2012.6~]\HTTP Trojan 2.0\HttpDr0pper\ Win32\Release
E:\Work\BackUp\2011\nstar_1103\BackDoor\BsDll-up\Release\BsDll.pdb
Z:\1Mission\Team_Project\ [2012.6~]\HTTP Troy\HttpDr0pper\Win32\Release
Z:\source\1\HttpTroy\BsDll-up\Release\BsDll.pdb
Z:\Work\Make Troy\Concealment Troy...
Lots of links
Lots of code re-use, a single xor key (dkwero38oerA^t@#) links up most of the operations

Operation Troy by McAfee

Z:\MAKE TROY\, by Kyle Yang
2009 Dozer DDoS Attacks
MyDoom variant (big email worm in 2004) that drops the DDoS backdoor and MyDoom to spread further.

Three waves (July 4 - July 7 - July 9) of DDoS attacks, different sites each time.

After July 10 deletes documents files, writes to the MBR:

Memory of the Independence Day

Sites DDoS’s included:

www.president.go.kr
www.whitehouse.gov
www.mnd.go.kr
www.mofat.go.kr
www.assembly.go.kr
www.usfk.mil
2010… more DDoS

DDoS on Blue House, Ministry of Foreign Affairs, Korea Exchange Bank.

Smaller scale, didn’t look to have a malware component.
2011… KoreDos “Ten Days of Rain” DDoS
March
DDoS attacks against South Korean media, financial, and critical infrastructure targets.
Deletes documents, writes 0’s to the MBR after 7 days.
News reports indicated from downloading infected games, one South Korean separately prosecuted for
outsourcing infected game development to North Koreans in Shenyang.

April - There were also reports of later attacks against Nonghyup bank from a compromised PC of a
contractor

Websites included:
• ahnlab.com
• airforce.mil.kr
• army.mil.kr
• assembly.go.kr
• ...
2012 June
2012 JoongAng Newspaper Data Theft
2013 March - Jokra DDoS and Wiper Attacks
- Two banks, three TV stations shut down
- Wipes MBR and all files with “PRINCIPES” or “HASTATI.”
- Infection via email, patch management systems
2013 March - LG
2013 June - Castov DDoS and Wiper attacks
- DDoS Distributed via compromised auto-update mechanism from a
file-storage software called SimDisk.
- Used Tor for command and control.
- DDoS of gcc.go.kr DNS server
- DiskWiper (KorHigh)
2013 June - Websites defaced on both sites...
Lots of links between various “Dark Seoul” attacks
- Overlaps between various DDoS / Wiper attacks discussed by Symantec
- Links to later Sony / Lazarus attacks in “Seoul to Sony”
2014 - Reports of continued attacks
March - Reports that Seoul Metro was compromised

August - Reports of a compromise of a hospital in Seoul

June 25 (Independance Day) -

Dumps from 2.5 million Saenuri Party members, 300 thousand soldiers, 100
thousand Cheongwadae homepage users and 40 thousand United States Forces
Korea members published online.
2014 November...
Reportedly asked for money before publishing stolen data
2014 December - Hydro & Nuclear Power
MBR Wiper and data theft
2016 July - Interpark Online Mall Data Theft
- Employee's personal cloud was compromised
- Sent spearphish with decoy doc of their children laughing
- Hackers demanded 3 billion won (2 million euros) of bitcoin to not publish the
data
- Deployed Trojan.Alphanc - Symantec links to WannaCry, Duuzer, other
Lazarus attacks
- These details from Ashley Shen and Moonbeom_Park HitB talk
2015 onwards - “Bluenorroff” SWIFT attacks
● October 2015 - First known SWIFT attack - a bank in the Philippines.
● February 2016 - Bangladesh bank SWIFT incident
● Later 2016 - Continued SWIFT attacks in South East Asia, Africa
● February 2017- Watering holes on bank sites
● Details in BAE, Trend Micro reports
Bluenorroff - Links & differences
See BAE posts, Kaspersky

Code reuse from known Lazarus malware

- See BAE “Cyber Heist Attribution”

Different (lack of) packing, obfuscation etc.

- See Kaspersky “Chasing the Bad Guys from Bangladesh to Costa Rica”
2017 - More activity for monetary gain
- Mining cryptocurrency on compromised hosts

- South Korean bitcoin exchanges (eg; Yapizon) compromised

- Backdoored credit card software distributed on carding forums

See Kaspersky, FireEye

2013 + BmDoor / Blackmine
- Multiple stage backdoor and rat
- First version communicates with Tor and has the signature BM instead of MZ
- Delivered by spearphish and Adobe Flash vulnerabilities

- AhnLab seem to class this under the same activity as Rifle...

2015 November - Rifle - Stolen signature
Simple Gh0st variant, often signed by Initech.
Reportedly compromised Initech via vulnerability in Nicstech SafePC
DLP Solution
Encryption key was hard coded.
Lots of Rifle malware communicates with caccm[.]org.
Catholic Internet Station

E:\Data\MyProjects\TroySourceCode\tcp1st\rifle\Release\rifle.pdb - Simple
backdoor
E:\Data\MyProjects\TroySourceCode\tcp1st\sniffer-Copy\Release\dll_like_ex
e.pdb - Sniffer
E:\Data\MyProjects\TroySourceCode\tcp1st\server\Release\server.pdb -
Server side
2015 November - Rifle - Spearphishing Defense
- Themed around ADEX exhibition, targeted defense companies
2016+ - Andariel (Rifle & Phandoor?)
2016 March - SK Group, Hanjin, Korea Airline, KT - Rifle Malware
- Reportedly over 1TB of files stolen, 140k machines across 27 companies infected
- Vulnerability in TCO!Stream - Asset Management System.

2016 August - South Korean Ministry of National Defense (Cyber Command) - Phandoor malware
- 3000 hosts compromised, 700 on military intranet

Many of these details from talks by Kyoung-Ju Kwak, Moonbeom Park, Ashley Shen)
2016+ - Andariel (Rifle & Phandoor)
2017 March - ATM service provider
- Compromised internal network with antivirus update server
- Connected to same C2 as samples in the MND compromise

- sample_atm.exe(MD5): 4C9A343510E9B1F78E98DDC455E9AB11
- java.exe(MD5): 5C3F89ABFA560DECECF1B46994290D3F
- javaupdate.exe(MD5): 34FD02BE8006614F7B1BAE4D453E19F4
- sample_atm.exe(MD5): 492AE026C41D516F107055E0487BE328
- See https://kkomak.wordpress.com/2017/03/22/atm-%EB%A9%80%EC%9B%A8%EC%96%B4/ , SAS talk

2017 May - Watering Hole on labor union of bank

- ActiveX vulnerability (still!). ActiveX also seen on North Korean Defectors site www.nkfreedom[.]org...
Some recent Rifle

- Removed
Lots of overlaps
- See "Silent Rifle" by Kyoung-Ju Kwak
Kimsuky - 2013+

- Targeting mostly think tanks

- Primarily email based backdoor
- Though also some web command and control, TeamViewer installations
Very weak links to Troy?
Kimsuky
E:\WORK\Attack\02_jin\TeamViwer\ie_moth\Release\ie_moth.pdb
E:\WORK\Attack\03_kinu\TeamViwer_IE\ie_moth\Release\ie_moth.pdb

Troy
E:\WORK\BackUp\2011\nstar_1103\BackDoor\BsDll-up\Release\BsDll.pdb
- Removed
How might you group all this together?
- From secondary sources (a.k.a “other people’s work”) with some quick checks
- What do you think? :)

(Some Parts Removed)

A quick note on IP addresses
Subnets reportedly assigned to NK
● 210.52.103.xxx - CN
● 210.52.109.xxx
● 77.94.35.xxx - Old satellite link
● 175.45.176.xxx - KP
● 175.45.177.xxx
● 175.45.178.xxx
● 175.45.179.xxx
● NEW TransTeleCom

Kaspersky saw “2017-01-18 11:12: Testing bot from 175.45.xxx.xxx” from C2 server logs
Group IB saw backend infrastructure controlled by 175.45.178.222 via
They also reference a South Korean TV report referencing a NK IP in the same /24
Is it from this?
Serving Adobe Flash Exploit CVE-2014-0515:

175.45.178.19 - - [07/Jul/2015:17:20:41 +0900] “GET /files/env/list.php HTTP/1.0" 200 10099

"http://www.sdgfaith.com/files/env/list.php" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101
Firefox/31.0" 1 873
...
175.45.178.19 - - [11/May/2016:11:12:43 +0900] “POST /load/1/register.php HTTP/1.0" 200 14983
"http://www.fileshare1.com/load/1/register.php" " Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0)
Gecko/20100101 Firefox/13.0.1" 1 1874
...

Windows XP Firefox
What about WannaCry (oh god no!)
No need to cover this. But a couple of quick notes...
- Lots of other worms bouncing around since 2009
- Cryptocurrency seems relevant
- Multiple code overlaps is a common feature in tracking activity
A tool for finding overlaps
Filtering down:
- All hex patterns that start with 558B etc. function prologs
- Remove whitelisted, from 100 GB of “clean files”
- Remove patterns that that appear in a single family of lazarus malware
- Manually prune packers, unrelated malware - The hard bit
- End up with - ~ 250 yara rules for compiled functions that are in multiple families
Results are “ok”
37 samples from a retrohunt of 62 TB of files.