URL: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations
A LOOK INTO THE LAZARUS GROUP’S OPERATIONS

January 25, 2018



What do the 2014 Sony hack and the 2016 Bangladeshi bank attacks have in common?
Aside from being two of the most noteworthy cybercrime incidents of the past few
years, these seemingly unrelated attacks are tied together by a common thread:
their perpetrator, a cybercrime group called Lazarus.

Few cybercrime groups have had as much disruptive power and lasting impact as
the Lazarus Group. Since their first attacks, which were DDoS operations
against organizations across different industries, the group has steadily
escalated. Two of the group's most notable campaigns are the 2014 Sony hack,
which exposed sensitive company and personal information, and the 2016
Bangladeshi bank attack that stole millions of dollars from the financial
institution. More recently, the group has expanded into cryptocurrency attacks,
using the RATANKBA malware to target cryptocurrency companies.

Timeline of Lazarus Group Activities

The Lazarus group has had multiple operations over the years, most of which
involve either disruption, sabotage, financial theft or espionage. The
organization also has “spin-off” groups, which focus on specific kinds of
attacks and targets:

Bluenoroff:

A subgroup focused on attacking foreign financial institutions. They are
responsible for a wide array of financial theft incidents, including the
aforementioned attack on a Bangladeshi bank.

Andariel:

A subgroup focused on South Korean organizations and businesses, using methods
tailored to those targets for maximum effectiveness.

The chart below shows a timeline of the group’s activities and objectives over
the years.



Figure 1: Timeline of Lazarus Group activities



A quick glance at the timeline of the group's activities provides clues about
how they operate. Lazarus and its subgroups typically carry out disruption and
misdirection operations as part of their objectives. The group is also fairly
versatile, using a wide variety of tools and tactics to perform their attacks.
Here are some examples of the group's objectives, tools, and procedures:

Notable Tactics of Lazarus

Disruption

The disruptive operations performed by Lazarus involve DDoS attacks and wipers
with time-based triggers. These include KILLMBR, which has a hard-coded wiping
date, and QDDOS, which carries a duration value and wipes data ten days after
infection. DESTOVER, a backdoor equipped with wiping capabilities, is another
example.

Misdirection

Lazarus also included misdirection in some of their campaigns. Some operations
were disguised as hacktivist activity, with groups such as "GOP," "WhoAmI,"
and "New Romanic Army" claiming responsibility for these alleged hacktivist
attacks. They also emulated the modus operandi of hacktivists by defacing web
pages and leaking information.

Lazarus also plants false flags inside their tools as another misdirection
technique. One example is the KLIPOD backdoor, which uses Romanized Russian
words for its backdoor commands. While it is possible that Lazarus has members
from different countries, the Romanized Russian words do not appear to have
been written by a native speaker, and were arguably used for misdirection.

While the objectives of these attacks vary from sabotage to financial gain,
Lazarus has put some effort into misdirecting attribution toward other
entities.

Protectors

Lazarus makes use of commercially available protectors for its tools. However,
during their actual attacks, we have seen them deploy both protected and
unprotected versions of the same tool on the same target.
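Since the same tool can turn up on one host both with and without a commercial protector, the first triage question for a recovered sample is whether it is packed. The block below is an added example, not code from the article or from Trend Micro: a minimal PE section-table parser with per-section Shannon entropy, the standard first check for a compressed or encrypted payload, run over two PE images constructed in the same file (one with plain code and data, one with a near-random `.text` section). The 7.2 bits/byte threshold and both sample images are assumptions made for this example.

```python
"""Section-entropy triage for packed/protected PE samples.

Added example, not from the Trend Micro article. The PE images built here are
constructed test data (only the header fields the parser reads are filled in),
not real Lazarus artefacts.
"""
import math
import random
import struct
from collections import Counter

PE_SIGNATURE_OFFSET = 0x3C   # e_lfanew in the DOS header
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, PE_SIGNATURE_OFFSET)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    (n_sections,) = struct.unpack_from("<H", image, coff + 2)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections


def section_entropies(image: bytes):
    return [(name, shannon_entropy(image[ptr:ptr + size]))
            for name, ptr, size in parse_sections(image)]


def looks_protected(image: bytes, threshold: float = 7.2) -> bool:
    """Heuristic: any section whose raw bytes are near-random is treated as packed.

    Assumption for this example: 7.2 bits/byte separates compressed or encrypted
    payloads from ordinary code and data. Calibrate against known-good builds
    before using it to triage real samples.
    """
    return any(h >= threshold for _name, h in section_entropies(image))


def build_sample_pe(sections):
    """Construct a minimal, non-loadable PE image from (name, payload) pairs."""
    n = len(sections)
    opt_size = 0xF0   # PE32+ optional header size, left zero-filled here
    header_len = 0x40 + 4 + COFF_HEADER_SIZE + opt_size + n * SECTION_HEADER_SIZE
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, PE_SIGNATURE_OFFSET, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x22)
    table, body = bytearray(), bytearray()
    for name, payload in sections:
        raw_ptr = header_len + len(body)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0")[:8], len(payload),
                             0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + bytes(table) + bytes(body)


# Constructed sample sections: plain code/data versus a seeded-random payload
# standing in for a protector's compressed or encrypted body.
_rng = random.Random(20180125)
SAMPLE_CODE = b"\x90" * 512 + b"Hello, world!\0" * 32
SAMPLE_PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))

UNPROTECTED_IMAGE = build_sample_pe([(b".text", SAMPLE_CODE), (b".data", b"\0" * 256)])
PROTECTED_IMAGE = build_sample_pe([(b".text", SAMPLE_PACKED), (b".rsrc", SAMPLE_CODE)])

if __name__ == "__main__":
    for label, image in (("unprotected", UNPROTECTED_IMAGE), ("protected", PROTECTED_IMAGE)):
        for name, h in section_entropies(image):
            print(f"{label:12s} {name:8s} {h:5.2f} bits/byte")
        print(f"{label:12s} looks packed: {looks_protected(image)}")
```

Entropy alone will not name the protector, but it reliably separates the two builds the article describes, and the parser reads only the section table, so it works on samples whose optional header or imports have been damaged.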

Anti-Forensics

Lazarus also employed anti-forensics techniques in their operations, which
include:

 * Separation of components: In later Lazarus operations, particularly those
   related to the Bluenoroff subgroup, the malware was split into separate
   components.
 * Command line tools: Lazarus, again via Bluenoroff, makes use of command line
   backdoors and installers. Aside from being split into components, these
   tools also require specific arguments to execute. The installer of the
   Nestegg framework, for example, requires a password as an argument along with
   other switches. Their backdoor KLIPOD, on the other hand, receives its C2
   server as a command line argument.
 * Disk wiping: Lazarus previously used wipers for disruption and sabotage. In
   later years, wiper samples in various forms can still be seen in their
   operations, although there are no reports of them being used. In particular,
   DESTOVER samples were seen in some Bluenoroff operations, but no actual
   wiping occurred or was reported. Command line forms of wiper tools were also
   recovered. These wipers may have been designed to wipe traces of the
   attacker's activities after the campaign has been completed, to leave as
   little evidence as possible.
 * Prefetch, event log, and MFT record wipers: To cover their tracks, Lazarus
   later made use of tools that delete evidence: prefetch file deletion, event
   log deletion supporting various OS versions, and MFT record wiping.
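To show what the anti-forensics behaviours above look like from the defender's side, here is an added example that is not part of the Trend Micro article: a small detector run over constructed Windows event records. It flags event log clearing (Security event 1102 and System event 104, plus `wevtutil cl` or `Clear-EventLog` in a process creation), deletion of files under the Prefetch directory (Sysmon file-delete events 23 and 26), and, as a heuristic for command line backdoors like KLIPOD that take their C2 as an argument, a process launched from outside a trusted directory whose arguments contain an IPv4:port pair. The event records, the trusted-directory list and the rule names are assumptions made for this example.

```python
"""Detector for Lazarus-style anti-forensics, run over constructed Windows events.

Added example, not from the Trend Micro article. Field names follow the common
Sysmon / Security log fields after JSON normalisation; the records in
SAMPLE_EVENTS are constructed for this example.
"""
import re
from dataclasses import dataclass

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Real Windows event IDs: Security 1102 = audit log cleared, System 104 =
# event log file cleared, Security 4688 / Sysmon 1 = process creation,
# Sysmon 23 = file delete (archived), Sysmon 26 = file delete detected.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}
PROCESS_CREATE_IDS = {("Security", 4688), (SYSMON, 1)}
FILE_DELETE_IDS = {(SYSMON, 23), (SYSMON, 26)}

LOG_CLEAR_CMD = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b", re.I)
PREFETCH_DIR = re.compile(r"^[a-z]:\\windows\\prefetch\\", re.I)
IPV4_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")

# Assumption for this example: an IP:port argument is only suspicious when the
# image runs from outside these directories (a real deployment would key this
# on signer or parent process instead).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    record_id: int
    detail: str


def detect(events):
    """Return one Alert per matching rule, in event order."""
    alerts = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        rid = ev["RecordId"]
        if key in LOG_CLEARED_IDS:
            alerts.append(Alert("event_log_cleared", rid, f"{key[0]} log cleared"))
        elif key in PROCESS_CREATE_IDS:
            cmd = ev.get("CommandLine", "")
            image = ev.get("Image", "").lower()
            if LOG_CLEAR_CMD.search(cmd):
                alerts.append(Alert("log_clear_command", rid, cmd))
            m = IPV4_PORT.search(cmd)
            if m and not image.startswith(TRUSTED_DIRS):
                # KLIPOD-style: the C2 is handed to the backdoor as an argument.
                alerts.append(Alert("c2_on_command_line", rid, f"{image} -> {m.group(0)}"))
        elif key in FILE_DELETE_IDS:
            target = ev.get("TargetFilename", "")
            if PREFETCH_DIR.match(target):
                alerts.append(Alert("prefetch_deleted", rid, target))
    return alerts


# Constructed sample telemetry (not real logs): a benign service start, an
# implant launched from a user-writable path with its C2 as an argument, the
# Security log being cleared via wevtutil (and the 1102 that results), the
# implant's own prefetch file being deleted, and two benign events.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": SYSMON, "EventID": 1,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"RecordId": 2, "Channel": SYSMON, "EventID": 1,
     "Image": "C:\\Users\\Public\\Music\\update.exe",
     "CommandLine": "update.exe 203.0.113.7:443 -p"},
    {"RecordId": 3, "Channel": "Security", "EventID": 4688,
     "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"RecordId": 4, "Channel": "Security", "EventID": 1102},
    {"RecordId": 5, "Channel": SYSMON, "EventID": 23,
     "Image": "C:\\Users\\Public\\Music\\update.exe",
     "TargetFilename": "C:\\Windows\\Prefetch\\UPDATE.EXE-1A2B3C4D.pf"},
    {"RecordId": 6, "Channel": SYSMON, "EventID": 23,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\old.zip"},
    {"RecordId": 7, "Channel": SYSMON, "EventID": 1,
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe http://198.51.100.4:8080/update"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"record {a.record_id}: {a.rule}: {a.detail}")
```

The trusted-directory check is deliberately crude; in production, key the C2-argument rule on signed images or parent processes rather than paths. MFT record wiping has no dedicated Windows event and is not covered here; it has to be inferred from raw disk access and surrounding activity.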

Defending against threats posed by Lazarus and similar attacks

The Lazarus Group, like any targeted attacker, is dangerous because of the wide
variety of tools at its disposal and the different tactics it uses depending on
target and objective. An organization's security and IT professionals must
therefore ensure that every corner of their network infrastructure is protected
against different kinds of attack. This includes keeping every machine connected
to the network updated with the latest security patches to reduce the
opportunity for vulnerability exploitation. As information theft is also a prime
objective of targeted attacks, protecting data from any possible breach should
be a top priority.

Organizations can also look into multilayered security solutions such as Trend
Micro™ Deep Discovery™, which provides real-time protection against targeted
attacks. It can detect targeted attacks anywhere in the network. It features
smart XGen™ technology that utilizes a blend of cross-generational techniques
for applying the right technology at the right time, resulting in the highest
detection rate possible. Trend Micro™ OfficeScan™ protects the organization’s
users and corporate information by providing multiple layers of XGen™ security
protection. It includes a comprehensive list of features such as machine
learning, behavioral analysis, exploit protection, advanced ransomware
protection, application whitelisting, sandbox integration, and more.


Posted in Cybercrime & Digital Threats, Cybercrime


Copyright © 2022 Trend Micro Incorporated. All rights reserved.