One Article Review

Home - The article:
Source AlienVault Blog
Identifier 3027251
Publication date 2021-07-06 10:00:00 (viewed: 2021-07-06 11:05:39)
Title Lazarus campaign TTPs and evolution
Text Executive summary: AT&T Alien Labs™ has observed new activity attributed to the Lazarus adversary group, potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. and Europe. This assessment is based on malicious documents believed to have been delivered by Lazarus during the last few months (spring 2021). Historical analysis shows that the lures used in this campaign are in line with others used to target these groups. The purpose of this blog is to share the new technical intelligence and provide detection options for defenders. Alien Labs will continue to report on any noteworthy changes.

Key takeaways:
Lazarus has been identified targeting defense contractors with malicious documents.
There is a heavy emphasis on renaming system utilities (Certutil and Explorer) to obfuscate the adversary's activities (T1036.003).

Background: Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group's actors include Destover, Duuzer, and Hangman.

Analysis: Several documents identified from May to June 2021 by Twitter users were linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities at Boeing and BAE Systems. The new documents include:
Rheinmetall_job_requirements.doc: identified by ESET Research.
General_motors_cars.doc: identified by Twitter user @1nternaut.
Airbus_job_opportunity_confidential.doc: identified by 360CoreSec.
The documents attempt to impersonate defense contractors and engineering companies such as Airbus, General Motors (GM), and Rheinmetall. All of them contain macro malware that was developed and improved over the course of the campaign, from one target to the next.

The core techniques of the three malicious documents are the same, but the attackers attempted to reduce potential detections and increase the capabilities of the macros.

First iteration: Rheinmetall. The first two documents, from early May 2021, were related to Rheinmetall, a German engineering company focused on the defense and automotive industries. The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The macro contains base64-encoded files, which are extracted and decoded during execution. Some of the files are split inside the macro and are not combined until the time of decoding. One of the most distinctive characteristics of this macro is how it evades detection of a base64-encoded MZ header (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro) by separating the first two characters from the rest of the content, as seen in Figure 1.

Figure 1: Concealing of the MZ header, as captured by Alien Labs.

The rest of the content is kept together in lines of 64 characters, and because of this, YARA rules can be used to detect other typical executable content encoded in base64, apart from the MZ header. In this case, up to nine different YARA rules alerted on suspicious encoded strings in our Alien Labs analysis, such as VirtualProtect, GetProcAddress, IsDe
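The split-header trick and the 64-character base64 lines described above point to a simple triage check. The Python script below is an added example, not code or a YARA rule from the AlienVault post: it joins a macro's string literals in source order and searches the joined stream for the MZ-header prefixes listed in the article and for base64 forms of API names, and it goes slightly beyond the text by generating the encoding for all three byte alignments. The API term list, the regular expressions and the sample VBA snippet are constructed for this example.

```python
import base64
import re

# Indicators named in the article: API strings seen base64-encoded in the
# macro, and the base64 prefixes an "MZ" header can take.
API_TERMS = [b"VirtualProtect", b"GetProcAddress"]
MZ_PREFIXES = ("TVoA", "TVpB", "TVpQ", "TVqA", "TVqQ", "TVro")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{64}$")
STRING_LITERAL = re.compile(r'"([^"]*)"')


def b64_variants(term: bytes) -> set:
    """Base64 forms of `term` at each of the three byte alignments, keeping
    only characters whose six bits come entirely from `term`."""
    out = set()
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + term).decode().rstrip("=")
        start = -(-8 * k // 6)            # first char fully inside term
        end = (8 * (k + len(term))) // 6  # one past the last such char
        out.add(enc[start:end])
    return out


def scan_macro(vba_source: str) -> dict:
    """Join every string literal in source order and search the joined
    stream, so the "TV" / "qQ..." split no longer hides the MZ header."""
    literals = STRING_LITERAL.findall(vba_source)
    stream = "".join(literals)
    api_hits = {}
    for term in API_TERMS:
        for variant in b64_variants(term):
            if variant in stream:
                api_hits.setdefault(term.decode(), []).append(variant)
    mz_prefixes = [p for p in MZ_PREFIXES if p in stream]
    return {
        "api_hits": api_hits,
        "mz_prefixes": mz_prefixes,
        "b64_lines_64": sum(1 for s in literals if B64_LINE.match(s)),
        "suspicious": bool(api_hits or mz_prefixes),
    }


# Constructed sample (not from the real documents): MZ header split after
# "TV", plus one 64-char line holding "VirtualProtect" at byte offset 1.
SAMPLE_VBA = (
    'a = "TV"\n'
    'b = "qQAAMAAAAEAAAA"\n'
    'c = "' + base64.b64encode(b"x" + b"VirtualProtect" + b"\x00" * 33).decode() + '"\n'
)
```

Joining literals in source order can also join unrelated strings, so treat a hit as a triage signal to be confirmed by decoding the macro, not as a verdict.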
Sent Yes
Tags Malware Threat Guideline Medical
Stories APT 38 APT 28
Notes


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.