www.trendmicro.com
URL: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations
Submission: On April 19 via api from US — Scanned from DE
A Look into the Lazarus Group’s Operations
January 25, 2018

What do the 2014 Sony hack and the 2016 Bangladeshi bank attacks have in common? Aside from being two of the most noteworthy cybercrime incidents of the past few years, these seemingly unrelated attacks are tied together by a common thread: their perpetrator, a cybercrime group called Lazarus.

Few cybercrime groups throughout history have had as much disruptive power and lasting impact as the Lazarus Group. Ever since their first attacks, which involved DDoS operations against various organizations across different industries, the group has managed to step up their attacks even further. Two of the group's most notable campaigns include the 2014 Sony hack, which involved sensitive company and personal information, and the 2016 Bangladeshi bank attack that stole millions of dollars from the financial institution. Recently, the group was seen expanding into cryptocurrency attacks, using the RATANKBA malware to target cryptocurrency companies.

Timeline of Lazarus Group Activities

The Lazarus group has had multiple operations over the years, most of which involve disruption, sabotage, financial theft, or espionage. The organization also has “spin-off” groups, which focus on specific kinds of attacks and targets:

* Bluenoroff: A subgroup focused on attacking foreign financial institutions. They are responsible for a wide array of financial theft incidents, including the aforementioned attack on a Bangladeshi bank.
* Andariel: A subgroup focused on South Korean organizations and businesses, using specifically tailored methods created for maximum effectiveness.

The chart below shows a timeline of the group’s activities and objectives over the years.

Figure 1: Timeline of Lazarus Group activities

A quick glance at the timeline of the group’s activities provides clues on the way they operate. Lazarus and its various subgroups will typically perform disruption and misdirection operations as part of their objectives. The group is fairly versatile as well, as they use a wide variety of tools and tactics to perform their attacks. Here are some examples of the group's objectives, tools, and procedures:

Notable Tactics of Lazarus

Disruption

The disruptive operations performed by Lazarus involve DDoS attacks and wipers with time-based triggers. These include KILLMBR, which has a hard-coded wiping date, and QDDOS, which has a duration date that wipes data ten days after infection. DESTOVER, a backdoor equipped with wiping capabilities, is another example.

Misdirection

Lazarus also included misdirection in some of their campaigns. Some operations were disguised as hacktivist activities, with groups such as "GOP," "WhoAmI," and "New Romanic Army" claiming responsibility for these alleged hacktivism attacks. They also tried to emulate the modus operandi of hacktivists by defacing web pages and leaking information.

Lazarus also plants false flags inside their tools as another misdirection technique. One example is the KLIPOD backdoor, which uses Romanized Russian words for its backdoor commands. While it is possible that Lazarus has members from different countries, the Romanized Russian words do not appear to have been written by a native speaker and were arguably used for misdirection. While the objectives of these attacks vary from sabotage to financial gain, Lazarus did put some effort into misdirecting attribution efforts toward other entities.

Protectors

Lazarus makes use of commercially available protectors for its tools. However, during their actual attacks, we have seen them deploy both protected and unprotected versions of their tools on the same target.

Anti-Forensics

Lazarus also employed some anti-forensics techniques in their operations, which include:

* Separation of components: In the later years of Lazarus operations, particularly operations related to the Bluenoroff subgroup, they made use of component separation for their malware.
* Command line tools: Lazarus, again via Bluenoroff, makes use of command line backdoors and installers. Aside from separating the components, they also require specific arguments for execution. The installer of the Nestegg framework, for example, requires a password as an argument along with other switches. Their backdoor KLIPOD, on the other hand, receives its C2 server as a command line argument.
* Disk wiping: Lazarus previously used wipers for disruption and sabotage. In later years, wiper samples in various forms can still be seen in their operations, although there are no reports of them being used. In particular, DESTOVER samples were seen in some of Bluenoroff's operations, but no actual wiping occurred or was reported. In addition, command line forms of wiper tools were also recovered. These wipers may have been designed to wipe traces of the attacker’s activities after the campaign has been completed, to leave as little evidence as possible.
* Prefetch, event log, and MFT record wipers: In an effort to cover their tracks, Lazarus later made use of tools that can delete evidence. These include prefetch deletion, event log deletion supporting various OS versions, and MFT record wiping.

Defending against threats posed by Lazarus and other similar attacks

The Lazarus Group—and any kind of targeted attack—is dangerous because of the wide variety of tools at their disposal and the different tactics they use depending on their targets and their objectives. This means that an organization’s security and IT professionals must ensure that every corner of their network infrastructure is secure from different kinds of attacks. This includes ensuring that all machines connected to the network are always updated with the latest security patches to minimize vulnerability exploitation. As information theft is also a prime objective of targeted attacks, protecting data from any possible breach should also be a top priority.

Organizations can also look into multilayered security solutions such as Trend Micro™ Deep Discovery™, which provides real-time protection against targeted attacks. It can detect targeted attacks anywhere in the network. It features smart XGen™ technology that utilizes a blend of cross-generational techniques for applying the right technology at the right time, resulting in the highest detection rate possible. Trend Micro™ OfficeScan™ protects the organization’s users and corporate information by providing multiple layers of XGen™ security protection. It includes a comprehensive list of features such as machine learning, behavioral analysis, exploit protection, advanced ransomware protection, application whitelisting, sandbox integration, and more.
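The anti-forensics section above lists prefetch deletion and event log deletion among the evidence-removal techniques. As an added example that is not part of the original article and not a Trend Micro tool, the Python below runs a small detection pass over constructed Windows event records: it flags a Security event 1102 and a System event 104 (both "log cleared" records), a process-creation record whose command line invokes wevtutil's clear-log verb, and a Sysmon FileDelete (event 23) record whose target lies under the Prefetch directory. The record layout, the sample data and the "two distinct categories" hunting threshold are assumptions made for this example.

```python
"""Toy detector for the evidence-removal behaviours described in the article.

Assumptions (not from the article): events arrive as (channel, event_id, fields)
records, Security 1102 and System 104 mean "log cleared", Sysmon 1 is process
creation and Sysmon 23 is file deletion. All sample records are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    channel: str            # "Security", "System" or "Sysmon"
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample records: two benign, four that should be flagged.
SAMPLE_EVENTS = [
    Event("Security", 4624, {"TargetUserName": "alice"}),
    Event("Security", 1102, {"SubjectUserName": "svc-backup"}),
    Event("Sysmon", 1, {"Image": r"C:\Windows\System32\wevtutil.exe",
                        "CommandLine": "wevtutil.exe cl System"}),
    Event("Sysmon", 23, {"TargetFilename": r"C:\Windows\Prefetch\INSTALLER.EXE-1A2B3C4D.pf",
                         "Image": r"C:\Users\Public\cleaner.exe"}),
    Event("Sysmon", 23, {"TargetFilename": r"C:\Users\alice\Downloads\report.pdf",
                         "Image": r"C:\Windows\explorer.exe"}),
    Event("System", 104, {"SubjectUserName": "svc-backup"}),
]

# Deletions under the Prefetch directory remove the execution history forensics
# examiners rely on; any drive letter, case-insensitive.
PREFETCH_DIR = re.compile(r"^[a-z]:\\windows\\prefetch\\", re.IGNORECASE)
# wevtutil's "cl" / "clear-log" verb empties a channel; the command line is the
# only place this shows up before the log itself records the clearing.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)


def classify(ev: Event):
    """Return a finding label ("category[:detail]") or None for a single record."""
    if ev.channel == "Security" and ev.event_id == 1102:
        return "event-log-cleared:Security"
    if ev.channel == "System" and ev.event_id == 104:
        return "event-log-cleared:System"
    if ev.channel == "Sysmon" and ev.event_id == 1:
        if WEVTUTIL_CLEAR.search(ev.fields.get("CommandLine", "")):
            return "event-log-clear-command"
    if ev.channel == "Sysmon" and ev.event_id == 23:
        if PREFETCH_DIR.match(ev.fields.get("TargetFilename", "")):
            return "prefetch-deleted"
    return None


def scan(events):
    """Return (index, label) pairs for every record that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label is not None:
            findings.append((i, label))
    return findings


def distinct_categories(events):
    """Number of distinct finding categories (the part before ':') in the batch."""
    return len({label.split(":")[0] for _, label in scan(events)})


def needs_triage(events, threshold=2):
    """Assumed hunting rule: two or more distinct evidence-removal categories on
    one host in a batch is worth an analyst's attention, one alone is often
    maintenance noise (backup jobs clear logs, updaters touch Prefetch)."""
    return distinct_categories(events) >= threshold


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"record {idx}: {label}")
    print("needs triage:", needs_triage(SAMPLE_EVENTS))
```

The per-record rules deliberately stay narrow (exact event IDs, an anchored directory prefix, a specific command verb) so that they are cheap to run over a large log volume; the batch-level rule is where the judgement lives, and its threshold should be tuned against a site's own maintenance baseline rather than taken from this example.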
Copyright © 2022 Trend Micro Incorporated. All rights reserved.