Posts: 14,443
Threads: 9,519
Thanks Received: 9,035 in 7,185 posts
Thanks Given: 9,810
Joined: 12 September 18
27 December 20, 07:59
(This post was last modified: 27 December 20, 07:59 by harlan4096.)
Quote:
As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that actors, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-19 research.
While tracking the Lazarus group’s continuous campaigns targeting various industries, we discovered that they recently went after COVID-19-related entities.
They attacked a pharmaceutical company at the end of September, and during our investigation we discovered that they had also attacked a government ministry related to the COVID-19 response. Each attack used different tactics, techniques and procedures (TTPs), but we found connections between the two cases and evidence linking those attacks to the notorious Lazarus group.
In this blog, we describe two separate incidents. The first one is an attack against a government health ministry: on October 27, 2020, two Windows servers were compromised at the ministry. We were unable to identify the infection vector, but the threat actor was able to install a sophisticated malware cluster on these servers. We already knew this malware as ‘wAgent’. It’s main component only works in memory and it fetches additional payloads from a remote server.
The second incident involves a pharmaceutical company. According to our telemetry, this company was breached on September 25, 2020. This time, the Lazarus group deployed the Bookcode malware, previously reported by ESET, in a supply chain attack through a South Korean software company. We were also able to observe post-exploitation commands run by Lazarus on this target.
Both attacks leveraged different malware clusters that do not overlap much. However, we can confirm that both of them are connected to the Lazarus group, and we also found overlaps in the post-exploitation process.
wAgent malware cluster
The malware cluster has a complex infection scheme:
Unfortunately, we were unable to obtain the starter module used in this attack. The module seems to have a trivial role: executing wAgent with specific parameters. One of the wAgent samples we collected has fake metadata in order to make it look like the legitimate compression utility XZ Utils.
According to our telemetry, this malware was directly executed on the victim machine from the command line shell by calling the Thumbs export function with the parameter:
c:\windows\system32\rundll32.exe C:\Programdata\Oracle\javac.dat, Thumbs 8IZ-VU7-109-S2MY
The 16-byte string parameter is used as an AES key to decrypt an embedded payload – a Windows DLL. When the embedded payload is loaded in memory, it decrypts configuration information using the given decryption key. The configuration contains various information including C2 server addresses, as well as a file path used later on. Although the configuration specifies two C2 servers, it contains the same C2 server twice. Interestingly, the configuration has several URL paths separated with an ‘@’ symbol. The malware attempts to connect to each URL path randomly.
When the malware is executed for the first time, it generates identifiers to distinguish each victim using the hash of a random value. It also generates a 16-byte random value and reverses its order. Next, the malware concatenates this random 16-byte value and the hash using ‘@’ as a delimiter. i.e.:
82UKx3vnjQ791PL2@29312663988969
POST parameter names (shown below) are decrypted at runtime and chosen randomly at each C2 connection. We’ve previously seen and reported to our Threat Intelligence Report customers that a very similar technique was used when the Lazarus group attacked cryptocurrency businesses with an evolved downloader malware. It is worth noting that Tistory is a South Korean blog posting service, which means the malware author is familiar with the South Korean internet environment:
plugin course property tistory tag vacon slide parent manual themes product notice portal articles category doc entry isbn tb idx tab maincode level bbs method thesis content blogdata tname
...
Continue Reading
Lazarus covets COVID-19-related intelligence
![[Image: abstract_blue_medicine-1200x600.jpg]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/23092029/abstract_blue_medicine-1200x600.jpg)
![[Image: Lazarus_Covet_02.png]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/21140347/Lazarus_Covet_02.png)
![[-]](https://www.geeks.fyi/images/collapse.png "[-]")
