The infamous Lazarus APT group (aka HiddenCobra, APT37) has once again drawn the attention of the cybersecurity community. This time security analysts revealed a highly targeted cyber-espionage campaign aimed at major manufacturing and electrical industry enterprises across Europe.
Lazarus Toolset and Attack Scenario
The initial attack vector used by Lazarus hackers was similar to the one leveraged in Operation North Star against defense and aerospace contractors. In particular, the cyber-criminals developed elaborate LinkedIn social engineering tactics to lure victims. Attackers posed as legitimate HR managers of leading international companies to gain trust and convince employees to open spear-phishing attachments on corporate devices. Once executed, malicious Word documents or ISO files dropped a bundle of malware onto the targeted networks, giving the hackers the ability to move laterally and perform internal reconnaissance. In most cases, the threat actors used a custom version of Mimikatz for credential dumping alongside known exploits (e.g. EternalBlue) to gain persistence and escalate their privileges. Then, the attackers deployed the BLINDINGCAN/DRATzarus RAT to search for sensitive data. Lazarus hackers exfiltrated sensitive information via a complex C&C infrastructure built on compromised websites, which allowed the APT members to evade detection. Notably, most of these websites were compromised via public exploits. As security researchers conclude, the campaign was rather long-lasting (February-November 2020) and aimed specifically at cyber-espionage, since no direct harm was done to the compromised networks.
Detection Content for Lazarus Attack
Emir Erdogan developed an exclusive Sigma rule for the detection of the latest Lazarus APT campaign, which is already available at the Threat Detection Marketplace.
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Technique: Registry Run Keys / Startup Folder (T1060)
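The technique the rule covers, Registry Run Keys / Startup Folder, is detectable from Windows telemetry alone: a Sysmon RegistryEvent (Event ID 13) that sets a value under one of the Run keys, or a FileCreate (Event ID 11) into a Startup folder, is the persistence step itself. The following script is an added illustration of that detection logic and is not the Sigma rule described above nor any code from SOC Prime or the rule's author. It assumes Sysmon-style events already parsed into dictionaries with the standard field names (EventID, Image, TargetObject, Details, TargetFilename); the sample events are constructed for the example and do not come from the campaign.

```python
"""Flag Windows autostart persistence (Run keys / Startup folder) in Sysmon-style events.

Added example: this is illustrative detection logic, not the Threat Detection
Marketplace rule. Field names follow Sysmon Event ID 13 (RegistryEvent SetValue)
and Event ID 11 (FileCreate); the sample events below are constructed.
"""
import re
from dataclasses import dataclass, field

# Registry autostart locations (Sysmon Event ID 13). The value name is the last path element.
RUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce|"
    r"Policies\\Explorer\\Run)\\[^\\]+$",
    re.IGNORECASE,
)
# Redirecting the Startup folder itself achieves the same effect as writing into it.
SHELL_FOLDER_RE = re.compile(
    r"\\CurrentVersion\\Explorer\\(?:User )?Shell Folders\\(?:Common )?Startup$",
    re.IGNORECASE,
)
# Startup folder on disk (Sysmon Event ID 11).
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE)
# Payload locations and launchers that raise the priority of an autostart write.
USER_WRITABLE_RE = re.compile(
    r"(?:\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|"
    r"\\Downloads\\|%temp%|%appdata%|%localappdata%)",
    re.IGNORECASE,
)
LOLBIN_RE = re.compile(
    r"\b(?:rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)(?:\.exe)?\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    technique: str = "T1060 Registry Run Keys / Startup Folder"
    location: str = ""          # registry path or file path that was written
    image: str = ""             # process that performed the write
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Any autostart write is worth recording; aggravating indicators make it high.
        return "high" if self.reasons else "low"


def analyze_event(ev: dict):
    """Return a Finding for an autostart persistence event, or None otherwise."""
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY_RE.search(target):
            f = Finding(location=target, image=image)
            if USER_WRITABLE_RE.search(details):
                f.reasons.append("autostart value points into a user-writable directory")
            if LOLBIN_RE.search(details):
                f.reasons.append("autostart value launches a script or proxy-execution host")
            if USER_WRITABLE_RE.search(image):
                f.reasons.append("writing process runs from a user-writable directory")
            return f
        if SHELL_FOLDER_RE.search(target):
            return Finding(location=target, image=image,
                           reasons=["Startup folder location was redirected"])
        return None
    if eid == 11:
        path = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(path):
            f = Finding(location=path, image=image)
            if LOLBIN_RE.search(image):
                f.reasons.append("file dropped into Startup folder by a script host")
            if USER_WRITABLE_RE.search(image):
                f.reasons.append("writing process runs from a user-writable directory")
            return f
    return None


def analyze_events(events):
    """Run analyze_event over a batch and keep only the hits."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real campaign data): two suspicious Run key writes,
# one benign Run key write, one unrelated registry write, one Startup folder drop.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdater",
     "Details": r"C:\Users\alice\AppData\Roaming\svch0st.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Word\Options\LastUILang",
     "Details": "DWORD (0x00000409)"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cache",
     "Details": r"rundll32.exe C:\ProgramData\cache.dll,Start"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image} -> {f.location}")
        for r in f.reasons:
            print(f"    - {r}")
```

Every Run key write is recorded, because legitimate installers also use these keys and a blanket alert would be noisy; the aggravating indicators (payload under AppData, Temp or ProgramData, a script or proxy-execution host as the launcher, a writing process that itself runs from a user-writable location) are what separate the review queue from the alert queue. A production rule would add an allowlist of known installers and correlate with the preceding Office or ISO-mount process tree described in the attack scenario.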
Lazarus Group Overview
The North Korean Lazarus group is known as one of the most prolific actors, both in terms of financially motivated campaigns and politically oriented attacks in favor of Kim Jong-un’s government. The group has been active since 2009 and stands behind such major cybersecurity incidents as the 2014 security breach of Sony Pictures, the 2016 bank heist against Bangladesh Central Bank, and the 2017 WannaCry attack. 2020 was also fruitful for Lazarus. The hackers were involved in a lucrative campaign against cryptocurrency exchanges, cyber-espionage operations aimed at major international enterprises, and targeted attacks against pharmaceutical companies developing COVID-19 vaccines.
Searching for the best SOC content compatible with your security solutions? Get a free subscription to our Threat Detection Marketplace. Enjoy coding and want to contribute to threat hunting initiatives? Join SOC Prime’s Threat Bounty Program for a safer future!