Tag Archive for: Lazarus

Defensive Considerations for Lazarus FudModule


In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group, leveraged to impair visibility of the malware’s operations. This blog will not rehash the analysis of the Lazarus malware sample or of Event Tracing for Windows (ETW), as that has been previously covered in the X-Force blog post. Instead, this blog focuses on the opportunities for detecting the FudModule within the Lazarus sample analyzed by X-Force, and on a strategy of using telemetry stream health as a way of detecting malware designed to impair defenses through ETW tampering.

One Ring 0 To Rule Them All

The Lazarus FudModule begins with the installation of a Dell driver that is vulnerable to CVE-2021-21551, which allows the malware to elevate privileges to a level where DKOM attacks are possible. This type of attack is referred to as a bring your own vulnerable driver (BYOVD) attack. In a BYOVD attack, an attacker installs a driver that is vulnerable to an exploit that enables the attacker to cross the boundary from administrative access to ring 0, or kernel-mode, access. Ring 0 access enables the attacker to bypass or disable security technology and evade detection by security professionals by operating deeper within the operating system.

Can’t Hit What You Can’t See

As detailed in the X-Force blog, after obtaining kernel-mode privileges the FudModule begins targeting kernel structures to impair telemetry sources on the host, specifically Event Tracing for Windows (ETW) registration handles. ETW registration handles are used to retrieve configuration information for a specific provider; through the handle, a provider can test whether it is enabled for specific keywords or information levels. Registration handles are also used to call the event tracing and logging functions for a specific provider. The FudModule leverages the nt!EtwRegister function to enumerate the entries associated with the RegHandle parameter and then overwrites the value with NULL, effectively disabling all system ETW providers for all consuming applications, including those providers used by some…

Source…

Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity


Mar 08, 2023 | Ravie Lakshmanan | Zero-Day / BYOVD Attack


The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year.

While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that’s widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program.

Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said it’s refraining from divulging more specifics owing to the fact that “the vulnerability has not been fully verified yet and a software patch has not been released.”

The adversarial collective, after obtaining an initial foothold by an unknown method, abused the zero-day bug to perform lateral movement, shortly after which the AhnLab V3 anti-malware engine was disabled via a BYOVD attack.

It’s worth noting here that the Bring Your Own Vulnerable Driver, aka BYOVD, technique has been repeatedly employed by the Lazarus Group in recent months, as documented by both ESET and AhnLab in a series of reports late last year.


Other steps taken to conceal its malicious behavior include changing file names before deleting them and modifying timestamps using an anti-forensic technique referred to as timestomping.

The attack ultimately paved the way for multiple backdoor payloads (Keys.dat and Settings.vwx) that are designed to connect to a remote command-and-control (C2) server and retrieve additional binaries and execute them in a fileless manner.


The development comes a week after ESET shed light on a new implant called WinorDLL64 that’s deployed by the notorious threat actor by means of a malware loader named Wslink.

“The Lazarus group is researching the vulnerabilities of various other software and are constantly changing their TTPs by altering the way…

Source…

FBI Says Lazarus Group Behind $100 Million Harmony Bridge Heist


The FBI is pinning the blame for a $100 million cryptocurrency heist last June on the Lazarus Group, a team associated with the North Korean government that is notorious for stealing cryptocurrency to help support that country’s military and weapons programs.

On Tuesday, the FBI released a statement identifying Lazarus Group, also known as APT38, as the culprit for the June 24 attack on the Harmony Horizon bridge that resulted in the loss of $100 million in Ethereum. The Harmony Horizon bridge is a connection between various cryptocurrency systems, specifically Harmony and Ethereum, Bitcoin, and Binance Chain. In June, attackers were able to gain access to the bridge and make off with the Ethereum.

“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds,” Harmony said at the time of the incident.

The FBI, along with the Department of Justice’s National Cryptocurrency Enforcement Team and various United States attorney’s offices, has been investigating the Harmony heist, and on Tuesday said that the Lazarus Group was responsible for the attack and had used its malware tool known as TraderTraitor as part of the operation.

“On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of ethereum (ETH) stolen during the June 2022 heist. A portion of this stolen ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC),” the FBI said in a statement.


The Lazarus Group has been operating for many years and is closely associated with the government of North Korea and typically operates in support of the government’s interests. The group’s best-known operation was an attack on the Bank of Bangladesh in 2016 that netted it $81 million and Lazarus has continued to target banks and crypto…

Source…

North Korea’s Lazarus Group Moves More than $60 Million from Harmony Bridge Hack


Over the Martin Luther King Jr. holiday weekend, North Korea’s state-owned cybercrime entity the Lazarus Group, most famously linked to the 2014 Sony Pictures hack, moved approximately 41,000 ETH, or more than $60 million of Ethereum, to the crypto exchanges Binance, Huobi and OKX. The funds were taken from last year’s Harmony blockchain bridge hack, which resulted in the theft of nearly $100 million in crypto, according to internet detective ZachXBT.

Binance and Huobi both froze the funds, with Binance declaring that 124 BTC in assets were recovered during the process.

Source…