Last week, CISA, FBI, and DoD released malware analysis reports on recently discovered tools of the notorious Lazarus group that perform operations in the interests of the North Korean government. The malware variants, called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, can be used for reconnaissance and deleting confidential information on target systems. TAINTEDSCRIBE malware is used as a backdoor implant disguised as Microsoft’s Narrator. Lazarus group uses it for downloading malicious modules from the C&C server, downloading and executing files, enabling Windows command line interpreter, creating and terminating processes.

Lazarus group (aka Hidden Cobra) is one of the most dangerous threat actors which conducts both financially-motivated attacks and cyber espionage campaigns. Attackers managed to steal about $2 billion, in several cases, the group used TrickBot malware (the Anchor Project) to initially penetrate the organization of interest. 

New threat hunting rule by Ariel Millahuel uncovers the Lazarus group activity of using TAINTEDSCRIBE Trojan to maintain persistence on victim networks and further network exploitation:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, RSA NetWitness

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Persistence, Privilege Escalation

Techniques: Startup Items (T1165)

You can learn more about tactics used by the Lazarus group and find more content to detect them in the MITRE ATT&CK section on Threat Detection Marketplace:

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko