Skip to content

G0032 Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.65 The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. 2

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.

Item Value
ID G0032
Associated Names Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY
Version 3.2
Created 31 May 2017
Last Modified 30 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Labyrinth Chollima 1
HIDDEN COBRA The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.67
Guardians of Peace 6
ZINC 4
NICKEL ACADEMY 3

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.002 Create Process with Token Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user’s context.218
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account During Operation Dream Job, Lazarus Group queried compromised victim’s active directory servers to obtain the list of employees including administrator accounts.30
enterprise T1098 Account Manipulation Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.29
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.1722

During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.30
enterprise T1583.004 Server During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.30
enterprise T1583.006 Web Services Lazarus Group has hosted malicious downloads on Github.17

During Operation Dream Job, Lazarus Group used file hosting services like DropBox and OneDrive.31
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Lazarus Group executed Responder using the command [Responder file path] -i [IP address] -rPv on a compromised host to harvest credentials and move laterally.16
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Lazarus Group has conducted C2 over HTTP and HTTPS.102112151420

During Operation Dream Job, Lazarus Group uses HTTP and HTTPS to contact actor-controlled C2 servers.23

enterprise T1010 Application Window Discovery Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.21318
enterprise T1560 Archive Collected Data Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. 13810
enterprise T1560.001 Archive via Utility During Operation Dream Job, Lazarus Group archived victim’s data into a RAR file.30
enterprise T1560.002 Archive via Library Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.810
enterprise T1560.003 Archive via Custom Method A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.213810
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.281015

During Operation Dream Job, Lazarus Group placed LNK files into the victims’ startup folder for persistence.23

enterprise T1547.009 Shortcut Modification Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.10
enterprise T1110 Brute Force During Operation Dream Job, Lazarus Group performed brute force attacks against administrator accounts.30
enterprise T1110.003 Password Spraying Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.28
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Lazarus Group has used PowerShell to execute commands and malicious code.22

During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.30
enterprise T1059.003 Windows Command Shell Lazarus Group malware uses cmd.exe to execute commands on a compromised host.29101914 A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.11

During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.3023
enterprise T1059.005 Visual Basic Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.1514

During Operation Dream Job, Lazarus Group executed a VBA written malicious macro after victims download malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64 encoded DLL implant.3123
enterprise T1584 Compromise Infrastructure -
enterprise T1584.001 Domains For Operation Dream Job, Lazarus Group compromised domains in Italy and other countries for their C2 infrastructure.2332
enterprise T1584.004 Server Lazarus Group has compromised servers to stage malicious tools.16

For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.313023
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Several Lazarus Group malware families install themselves as new services.29
enterprise T1485 Data Destruction Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding A Lazarus Group malware sample encodes data with base64.10
enterprise T1005 Data from Local System Lazarus Group has collected data and files from compromised networks.213816

During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host.3123
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.291011
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.213
enterprise T1622 Debugger Evasion During Operation Dream Job, Lazarus Group used tools that used the IsDebuggerPresent call to detect debuggers.31
enterprise T1491 Defacement -
enterprise T1491.001 Internal Defacement Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.9
enterprise T1140 Deobfuscate/Decode Files or Information Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.1514
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Lazarus Group has developed custom malware for use in their operations.1722

For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.31302332
enterprise T1587.002 Code Signing Certificates During Operation Dream Job, Lazarus Group digitally signed their malware and the dbxcli utility.30
enterprise T1561 Disk Wipe -
enterprise T1561.001 Disk Content Wipe Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.9
enterprise T1561.002 Disk Structure Wipe Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim’s machine and has possessed MBR wiper malware since at least 2009.192
enterprise T1189 Drive-by Compromise Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website.2522
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.291011

During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server.23
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.22

For Operation Dream Job, Lazarus Group created fake LinkedIn accounts for their targeting efforts.3130
enterprise T1585.002 Email Accounts Lazarus Group has created new email accounts for spearphishing operations.16

During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.30
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.28
enterprise T1041 Exfiltration Over C2 Channel Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.21310

During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.31
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage During Operation Dream Job, Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.3031
enterprise T1203 Exploitation for Client Execution Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.24
enterprise T1008 Fallback Channels Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.28
enterprise T1083 File and Directory Discovery Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.2111514

During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.31
enterprise T1589 Gather Victim Identity Information For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets.31
enterprise T1589.002 Email Addresses Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.16
enterprise T1591 Gather Victim Org Information Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.16

For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets.31
enterprise T1591.004 Identify Roles During Operation Dream Job, Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements.3130
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.10211215
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Lazarus Group has replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.20
enterprise T1574.013 KernelCallbackTable Lazarus Group has abused the KernelCallbackTable to hijack process control flow and execute shellcode.1514
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.2131819.
enterprise T1562.004 Disable or Modify System Firewall Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. 21318
enterprise T1070 Indicator Removal Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.15
enterprise T1070.003 Clear Command History Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.16
enterprise T1070.004 File Deletion Lazarus Group malware has deleted files in various ways, including “suicide scripts” to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.211

During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.30
enterprise T1070.006 Timestomp Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.291311
enterprise T1202 Indirect Command Execution Lazarus Group persistence mechanisms have used forfiles.exe to execute .htm files.14
enterprise T1105 Ingress Tool Transfer Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.291321121622151420

During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.313023
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Lazarus Group malware KiloAlfa contains keylogging functionality.218
enterprise T1534 Internal Spearphishing During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.31
enterprise T1036 Masquerading -
enterprise T1036.003 Rename System Utilities Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.14
enterprise T1036.004 Masquerade Task or Service Lazarus Group has used a scheduled task named SRCheck to mask the execution of a malicious .dll.20
enterprise T1036.005 Match Legitimate Name or Location Lazarus Group has renamed malicious code to disguise it as Microsoft’s narrator and other legitimate files.2614
enterprise T1036.008 Masquerade File Type During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.2330
enterprise T1104 Multi-Stage Channels Lazarus Group has used multi-stage malware components that inject later stages into separate processes.15
enterprise T1106 Native API Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.23 Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.1514

During Operation Dream Job, Lazarus Group used Windows API ObtainUserAgentString to obtain the victim’s User-Agent and used the value to connect to their C2 server.23
enterprise T1046 Network Service Discovery Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.16
enterprise T1571 Non-Standard Port Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.28
enterprise T1027 Obfuscated Files or Information Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.213810121514

During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.31302332
enterprise T1027.002 Software Packing During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.312332
enterprise T1027.007 Dynamic API Resolution Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.15
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Lazarus Group has obtained a variety of tools for their operations, including Responder and PuTTy PSCP.16

For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli.3130
enterprise T1588.003 Code Signing Certificates During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.30
enterprise T1588.004 Digital Certificates Lazarus Group has obtained SSL certificates for their C2 domains.17
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.24161514

During Operation Dream Job, Lazarus Group sent emails with malicious attachments to gain unauthorized access to targets’ computers.3123
enterprise T1566.002 Spearphishing Link Lazarus Group has sent malicious links to victims via email.16

During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.3130
enterprise T1566.003 Spearphishing via Service Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.22

During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.3130
enterprise T1542 Pre-OS Boot -
enterprise T1542.003 Bootkit Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.29
enterprise T1057 Process Discovery Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.21310111215
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection A Lazarus Group malware sample performs reflective DLL injection.1015
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy Lazarus Group has used a compromised router to serve as a proxy between a victim network’s corporate and restricted segments.16
enterprise T1090.002 External Proxy Lazarus Group has used multiple proxies to obfuscate network traffic from victims.2712
enterprise T1012 Query Registry Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.21310
enterprise T1620 Reflective Code Loading Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.1514
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Lazarus Group malware SierraCharlie uses RDP for propagation.28
enterprise T1021.002 SMB/Windows Admin Shares Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.28
enterprise T1021.004 SSH Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.16
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Lazarus Group has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.1420

During Operation Dream Job, Lazarus Group created scheduled tasks to set a periodic execution of a remote XSL script.30
enterprise T1593 Search Open Websites/Domains -
enterprise T1593.001 Social Media For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization.30
enterprise T1505 Server Software Component -
enterprise T1505.004 IIS Components During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Systems (IIS) to install C2 components.23
enterprise T1489 Service Stop Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.9
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware For Operation Dream Job, Lazarus Group used compromised servers to host malware.31302332
enterprise T1608.002 Upload Tool For Operation Dream Job, Lazarus Group used multiple servers to host malicious tools.30
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Lazarus Group has digitally signed malware and utilities to evade detection.15

During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection.30
enterprise T1218 System Binary Proxy Execution Lazarus Group lnk files used for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL.1514
enterprise T1218.005 Mshta Lazarus Group has used mshta.exe to execute HTML pages downloaded by initial access documents.1514
enterprise T1218.010 Regsvr32 During Operation Dream Job, Lazarus Group used regsvr32 to execute malware.30
enterprise T1218.011 Rundll32 Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.20

During Operation Dream Job, Lazarus Group executed malware with C:\\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905.313023
enterprise T1082 System Information Discovery Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.2913101115
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.31
enterprise T1016 System Network Configuration Discovery Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.213
enterprise T1049 System Network Connections Discovery Lazarus Group has used net use to identify and establish a network connection with a remote host.16
enterprise T1033 System Owner/User Discovery Various Lazarus Group malware enumerates logged-on users.29138102115
enterprise T1529 System Shutdown/Reboot Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.19
enterprise T1124 System Time Discovery A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.11
enterprise T1221 Template Injection During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file.3123
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.3130
enterprise T1204.002 Malicious File Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.24161514

During Operation Dream Job, Lazarus Group lured victims into executing malicious documents that contained “dream job” descriptions from defense, aerospace, and other sectors.3123
enterprise T1078 Valid Accounts Lazarus Group has used administrator credentials to gain access to restricted network segments.16
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.31
enterprise T1497.003 Time Based Evasion During Operation Dream Job, Lazarus Group used tools that collected GetTickCount and GetSystemTimeAsFileTime data to detect sandbox or VMware services.31
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.15
enterprise T1047 Windows Management Instrumentation Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.281614

During Operation Dream Job, Lazarus Group used WMIC to executed a remote XSL script.30
enterprise T1220 XSL Script Processing During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded DLL custom downloader.30
ics T0865 Spearphishing Attachment Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. 29 Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. 28

Software

ID Name References Techniques
S0584 AppleJeus 17 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Unix Shell:Command and Scripting Interpreter Launch Daemon:Create or Modify System Process Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Installer Packages:Event Triggered Execution Exfiltration Over C2 Channel Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal Obfuscated Files or Information Spearphishing Link:Phishing Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls Msiexec:System Binary Proxy Execution System Information Discovery Launchctl:System Services Malicious Link:User Execution Malicious File:User Execution Time Based Evasion:Virtualization/Sandbox Evasion
S0347 AuditCred 36 Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Obfuscated Files or Information Process Injection Proxy
S0245 BADCALL 48 Protocol Impersonation:Data Obfuscation Symmetric Cryptography:Encrypted Channel Disable or Modify System Firewall:Impair Defenses Modify Registry Non-Standard Port Proxy System Information Discovery System Network Configuration Discovery
S0239 Bankshot 24 Create Process with Token:Access Token Manipulation Local Account:Account Discovery Domain Account:Account Discovery Web Protocols:Application Layer Protocol Automated Collection Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Non-Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel Exploitation for Client Execution File and Directory Discovery File Deletion:Indicator Removal Timestomp:Indicator Removal Indicator Removal Ingress Tool Transfer Modify Registry Native API Non-Standard Port Process Discovery Query Registry System Information Discovery
S0520 BLINDINGCAN 34 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Timestomp:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Obfuscated Files or Information Software Packing:Obfuscated Files or Information Spearphishing Attachment:Phishing Shared Modules Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery Malicious File:User Execution
S0498 Cryptoistic 21 Data from Local System Encrypted Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Non-Application Layer Protocol System Owner/User Discovery
S0497 Dacls 2112 Web Protocols:Application Layer Protocol Launch Daemon:Create or Modify System Process Launch Agent:Create or Modify System Process File and Directory Discovery Hidden Files and Directories:Hide Artifacts Ingress Tool Transfer Masquerading Obfuscated Files or Information Process Discovery
S0694 DRATzarus During Operation Dream Job, Lazarus Group used DRATzarus to deploy open source software and partly commodity software such as Responder, Wake-On-Lan, and ChromePass to target infected hosts.31 Web Protocols:Application Layer Protocol Data from Local System Debugger Evasion Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Native API Software Packing:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Remote System Discovery System Owner/User Discovery System Time Discovery Time Based Evasion:Virtualization/Sandbox Evasion
S0567 Dtrack 37 Archive Collected Data Boot or Logon Autostart Execution Browser Information Discovery Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information File and Directory Discovery Hijack Execution Flow File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Name or Location:Masquerading Embedded Payloads:Obfuscated Files or Information Process Discovery Process Hollowing:Process Injection Query Registry Shared Modules System Information Discovery System Network Configuration Discovery System Network Connections Discovery Valid Accounts
S0593 ECCENTRICBANDWAGON 46 Windows Command Shell:Command and Scripting Interpreter Local Data Staging:Data Staged File Deletion:Indicator Removal Keylogging:Input Capture Obfuscated Files or Information Screen Capture
S0181 FALLCHILL 27 Windows Service:Create or Modify System Process Protocol Impersonation:Data Obfuscation Symmetric Cryptography:Encrypted Channel File and Directory Discovery Timestomp:Indicator Removal File Deletion:Indicator Removal System Information Discovery System Network Configuration Discovery
S0246 HARDRAIN 35 Windows Command Shell:Command and Scripting Interpreter Protocol Impersonation:Data Obfuscation Disable or Modify System Firewall:Impair Defenses Non-Standard Port Proxy
S0376 HOPLIGHT 7 Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Device Driver Discovery Exfiltration Over C2 Channel Fallback Channels File and Directory Discovery Disable or Modify System Firewall:Impair Defenses Ingress Tool Transfer Modify Registry Non-Standard Port Security Account Manager:OS Credential Dumping Process Injection Proxy Query Registry System Information Discovery Service Execution:System Services System Time Discovery Pass the Hash:Use Alternate Authentication Material Windows Management Instrumentation
S0431 HotCroissant 47 Application Window Discovery Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Hidden Window:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Native API Software Packing:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Scheduled Task:Scheduled Task/Job Screen Capture Service Stop Software Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Service Discovery
S0271 KEYMARBLE 45 Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Modify Registry Process Discovery Screen Capture System Information Discovery System Network Configuration Discovery
S0108 netsh 13 Netsh Helper DLL:Event Triggered Execution Disable or Modify System Firewall:Impair Defenses Proxy Security Software Discovery:Software Discovery
S0238 Proxysvc 11 Web Protocols:Application Layer Protocol Automated Collection Windows Command Shell:Command and Scripting Interpreter Data Destruction Data from Local System Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Process Discovery Query Registry System Information Discovery System Network Configuration Discovery Service Execution:System Services System Time Discovery
S0241 RATANKBA 38 Local Account:Account Discovery Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Ingress Tool Transfer Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Remote System Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery Windows Management Instrumentation
S0364 RawDisk 29 Data Destruction Disk Content Wipe:Disk Wipe Disk Structure Wipe:Disk Wipe
S0174 Responder 31 LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Network Sniffing
S0103 route 16 System Network Configuration Discovery
S0586 TAINTEDSCRIBE 26 Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Protocol Impersonation:Data Obfuscation Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery Timestomp:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Binary Padding:Obfuscated Files or Information Process Discovery Remote System Discovery System Information Discovery System Time Discovery
S0665 ThreatNeedle 16 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Data from Local System Deobfuscate/Decode Files or Information File and Directory Discovery Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Modify Registry Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Spearphishing Attachment:Phishing System Information Discovery Malicious File:User Execution
S0678 Torisma During Operation Dream Job, Lazarus Group used Torisma to actively monitor for new drives and remote desktop connections on an infected system.2332 Web Protocols:Application Layer Protocol Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Execution Guardrails Exfiltration Over C2 Channel Native API Software Packing:Obfuscated Files or Information Obfuscated Files or Information System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Time Discovery
S0263 TYPEFRAME 39 Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information File and Directory Discovery Disable or Modify System Firewall:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Modify Registry Non-Standard Port Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Proxy System Information Discovery Malicious File:User Execution
S0180 Volgmer 40 Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Masquerade Task or Service:Masquerading Modify Registry Native API Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Process Discovery Query Registry System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Service Discovery
S0366 WannaCry 41424344 Windows Service:Create or Modify System Process Data Encrypted for Impact Asymmetric Cryptography:Encrypted Channel Exploitation of Remote Services Exploitation of Remote Services File and Directory Discovery Windows File and Directory Permissions Modification:File and Directory Permissions Modification Hidden Files and Directories:Hide Artifacts Inhibit System Recovery Lateral Tool Transfer Lateral Tool Transfer Peripheral Device Discovery Multi-hop Proxy:Proxy RDP Hijacking:Remote Service Session Hijacking Remote System Discovery Service Stop System Network Configuration Discovery Windows Management Instrumentation

References

  1. CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022. 

  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  3. Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017. 

  4. Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017. 

  5. US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021. 

  6. US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017. 

  7. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  8. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  9. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. 

  10. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  11. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  12. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. 

  13. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. 

  14. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  15. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  16. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  17. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  18. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016. 

  19. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018. 

  20. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022. 

  21. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  22. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021. 

  23. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  24. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  25. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. 

  26. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  27. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  28. Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03  

  29. Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25  

  30. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  31. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  32. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  33. Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023. 

  34. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  35. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018. 

  36. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  37. Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021. 

  38. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 

  39. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  40. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. 

  41. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  42. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. 

  43. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. 

  44. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. 

  45. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  46. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. 

  47. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020. 

  48. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.