Lazarus Targets Chemical Sector and IT Industry of South Korea: Sigma-Based Detection Content

[post-views]
April 20, 2022 · 5 min read
Lazarus Targets Chemical Sector and IT Industry of South Korea: Sigma-Based Detection Content

A notorious APT group, Lazarus, sponsored by North Korea’s government, expands its attack surface, targeting entities in the chemical sector along with IT organizations, mostly in South Korea. Researchers believe that the latest campaign is a part of Lazarus’ Operation Dream Job plans, detected in August 2020.

Lazarus Activity Detection

SOC Prime released a batch of Sigma rules aimed to detect Lazarus APT activity, crafted by our seasoned Threat Bounty developers Osman Demir and Nattatorn Chuensangarun, who are always on the lookout for new threats. Utilize the following detection content to scan your system for malicious findings related to Lazarus APT’s recent attacks:

Suspicious Lazarus APT Persistence by Adding of Scheduled Tasks (via security) – roots out Lazarus APT group presence related to scheduled tasks creation on the victim’s system

Possible Lazarus Group Activity by Detection of Associated Files [Targeting Chemical Industry] (via file_event) – this rule reveals Lazarus activity associated with relevant malicious files

Possible Lazarus Group Execution to Take Screenshots(SiteShoter) of Web Page (via process_creation) – spots Lazarus activity associated with using malicious .dat file

Possible Lazarus Group Execution by Injecting into System Management Software INISAFE Web EX Client (via process_creation) – identifies the trails left by Lazarus hackers by injecting Dll files into INISAFE Web EX Client

Suspicious Lazarus APT Execution by Creation of System Service (via process_creation) – this rule detects the Lazarus APT group activity related to system service creation on the victim’s system

Possible Lazarus Group Persistence by Created Scheduled Tasks Targets Chemical Sector (via process_creation) – the detection hunts out the Lazarus group activity marked by adversaries’ attempts at ensuring their persistence.

Follow the updates of detection content related to Lazarus APT in the Threat Detection Marketplace repository of the SOC Prime Platform here. Are you a threat hunter working on Sigma- or Yara-based malware detections? Join our Threat Bounty program to share your rules via the Threat Detection Marketplace repository and get community support with tons of other benefits, including making this into a considerable stream of income.

View Detections Join Threat Bounty

Operation Dream Job

Lazarus activity dubbed Operation Dream Job entails exploiting phony job opportunities to trick victims into following harmful links or clicking on infected files, resulting in the deployment of espionage malware. Symantec researchers labeled this branch of Lazarus activity Pompilus. The launch of the campaign dates back to the Summer of 2020.

The spikes in Operation Dream Job activity were noticed in August 2020 and July 2021, with the previous campaigns targeting the government, defense, and engineering sectors. The current campaign started in early 2022 and is still ongoing, sharing the same toolset and techniques as its preceding “sister” campaigns.

Lazarus Group’s Latest Kill Chain Attack Analysis

The state-sponsored North Korea-linked APT has been in the spotlight since at least 2009, involved in high-profile attacks, including cyber espionage campaigns. At the turn of 2022, the Lazarus group was spotted in a spear-phishing attack leveraging Windows Update and GitHub C&C server to spread malware. Hard on the heels of the initial attack, Lazarus hackers were reported to make subsequent attempts to abuse Windows Update and GitHub to bypass detections weaponizing malicious macros.

Symantec threat hunters have recently revealed the ongoing cyber espionage campaign targeting South Korea’s chemical industry and IT sector, which seems to be a continuation of the infamous malware campaign dubbed Operation Dream Job that started in 2020. Similar tools and IoCs detected in both campaigns serve as feasible evidence to link them. The first signs of a new wave of cyber-attacks linked to the Operation Dream Job activity trace back to January 2022, when Symantec addressed organizations, mainly in the chemical sector, to remain vigilant for potential cyber-attacks by Lazarus APT aimed at stealing intellectual property. Notably, Symantec’s Lazarus warning came out on the very same day that the US government reported a $5 mln reward for relevant data that might contribute to disrupting North Korean sanctions-busting efforts.

The first kill chain element is the receipt and deployment of the malicious HTM file on the victim’s system, with its consequent embedding into INISAFE Web EX Client management software. The DLL file used in the infection chain is normally a Trojanized tool that downloads and launches an extra payload from a C&C server with a specific URL parameter key/values ‘prd_fld=racket.

Researchers revealed the lateral movement in the targeted network using Windows Management Instrumentation (WMI) along with credential dumping and scheduling tasks set up to run as a particular user. In addition, Lazarus hackers have leveraged IP logging tools, WakeOnLAN protocol to turn on or off the computer remotely, File Transfer Protocol (FTP) executed under the MagicLine process, and more tools.

The Operation Dream Job campaigns have been in progress for a couple of years, with the adversary tactics still effective and posing a serious threat to organizations in multiple industries. Therefore, implementing a proactive cybersecurity approach and improving cybersecurity posture can help organizations withstand the sophisticated APT attacks of such scale. Join SOC Prime’s Detection as Code platform to stay one step ahead of attackers and take your cyber defense capabilities to the next level. 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts