![]() These lures would be consistent with previous attack campaigns attributed to Lazarus in 20 such as Operation In(ter)ception and Operation DreamJob that targeted employees from the aerospace and defence industries. The media employee in Belgium was targeted via email with a document called AWS_EMEA_Legal_.docx that they speculate masqueraded as a job offer related to a legal position at Amazon Web Services. ![]() While the researchers weren’t able to recover the contents of the document, they believe it was likely a fake job offer related to Amazon’s space program, Project Kuiper. The aerospace employee was targeted via LinkedIn with a message that involved a document called Amzon_Netherlands.docx. In the new attacks that ESET detected and attributed to Lazarus, also known as Hidden Cobra, the hackers targeted the employee of an aerospace company in the Netherlands and the employee of a media organisation in Belgium. ![]() The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”Īttackers used fake job offers as entry point The group takes advantage of various pieces of malware to compromise organizations and Internet end-users to also bypassing security mechanisms such as EDR and antivirus.“This is the first ever recorded abuse of this vulnerability in the wild. Lazarus APT is a popular threat group active since at least 2009 and responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. "C:\Windows\System32\cmd.exe" /c C:\ProgramData\Adobe\Adobe.bin -p 0x53A4C60Bīelow is an example of a decoded C2 configuration:įigure 6: Example of decoded configuration ( source ). The encryption key can be passed using the option “-p” when the executable is started (0x53A4C60B). There are some patterns in the location of the file: LCPDot saves configuration data including C2 servers in a separate file. This malware uses the RC4 encryption key and Base64 (XOR+Base64) to encode the communication with the C2 server.įigure 5: LCPDot encryption/decryption block of code and XOR+Base64 strings with C2 configuration hardcoded.Īs observed in Figure 5, LCPDot contains its configuration hardcoded (XOR+Base64 string). LCPDot is used during the lateral movement on the victim’s internal network along with Torisma. Some samples of LCPDot are protected and obfuscated using the VMProtect packer that virtualizes part of the code and executes it on the fly making hard its analysis during the malware analysis activity. Torisma is a modular malware capable of downloading and executing additional modules obtained from the C2 server.Īnother malware used in Operation Dream Job is LCPDot, a malware similar to Torisma. This piece of malware is also equipped with the capability of sending information of infected hosts and executing specific files. Initially, this malware sends some details to the C2 server on the infected machine such as the MAC address and more that will identify the new infection.įigure 4: Torisma initial request. This algorithm is also used for encrypting C2 server information in the configuration.įigure 3: VEST-32 algorithm to encrypt the communication with the C2 server.Īs observed in Figure 3, the value: ff7172d9c888b7a88a7d77372112d772 is used as the encryption key found on other samples of this family. The malware uses the VEST-32 algorithm to encrypt the communication with the C2 server. If the configuration file is valid, Torisma checks whether the first bytes match a 12-byte signature:Ġx98 0x11 0x1A 0x45 0x90 0x78 0xBA 0xF9 0x4E 0xD6 0x8F 0圎Eįigure 2: Torisma configuration file with the first 12-byte highlighted ( source ). %LOCALAPPDATA%.IdentityService\AccountStore.bak The configuration of the C2 server is loaded from an external file located in the following path: "C:\Windows\System32\rundll32.exe" C:\ProgramData\USOShared\usosqlite3.dat,sqlite3_create_functionex mssqlite3_server_management jp-J Torisma DLL is then executed using a command line as presented below: The malware appears in a form of a DLL file and loaded into the memory using the DLL loading technique via rundll32.exe.įigure 1: Torisma DLL executable by Lazarus APT. This piece of malware downloads and executes various modules from external servers and is disseminated using Microsoft Word files. ![]() Torisma is one of the malware types used in Operation Dream Job by Lazarus APT.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |