APT38: North Korea (Lazarus)

The Lazarus Group, also known by aliases such as Hidden Cobra, APT38 or Labyrinth Chollima, is one of the most prolific, versatile and eccentric threat actors on the global stage. The advanced persistent threat (APT) group is believed to operate under the Reconnaissance General Bureau, North Korea’s primary intelligence agency. It is estimated that the group has around 3,300 members. Since emerging in the mid-2000s, Lazarus has been responsible for some of the most high-profile cyberattacks in the last decade, including the Sony breach (2014), Bangladesh bank heist (2016), WannaCry ransomware attacks (2017), as well as many of the well known heists on crypto exchanges.[1] This page will provide an overview of the group's history and preferred tactics, as well as looking towards the future to see how this persistent threat actor may evolve in the years to come.    

 

  • Aliases: Hidden Cobra, APT38, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, BlueNorOff, Labyrinth Chollima, Guardians of Peace, CTG-6459, TEMP.Hermit, T-APT15, Black Alicanto, TA444, TAG-71
  • Strategic motives: Espionage, financial gain, disruption, destruction
  • Affiliation: North Korean Reconnaissance General Bureau
  • Cyber capabilities: ★★★★☆
  • Target sectors: Aerospace, Banking & Investment Services, Biotech, BitCoin exchanges, Defense, Energy, Engineering, Financial, Government, Healthcare, Industrials, Media, Media & Publishing, Shipping and Logistics, Technology, Transportation
  • Observed countries: Albania, Andorra, Argentina, Australia, Austria, Bangladesh, Belarus, Belgium, Bosnia, Bosnia and Herzegovina, Brazil, Bulgaria, Canada, Chile, China, Costa Rica, Croatia, Czech Republic, Denmark, Ecuador, Estonia, Finland, France, Germany, Ghana, Greece, Guatemala, Herzegovina, Holy See, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Jordan, Kenya, Kuwait, Latvia, Liechtenstein, Lithuania, Luxembourg, Macau, Malaysia, Malta, Mexico, Moldova, Monaco, Mongolia, Montenegro, Mozambique, Nepal, Netherlands, Nicaragua, Nigeria, North Korea, North Macedonia, Norway, Pakistan, Panama, Peru, Philippines, Poland, Portugal, Romania, Russia, San Marino, Serbia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Tanzania, Thailand, Togo, Turkey, Uganda, Ukraine, United Kingdom, United States, Uruguay, Vietnam, Zambia

Origins, Motivations & Targets

The earliest signs of the Lazarus group can be traced back to 2007, when North Korea was under the rule of Kim Jong Il, father of the current leader Kim Jong Un. It is believed that Lazarus was established as a cyber warfare unit under the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency. During this period, the development of cyber capabilities was seen as essential to the regime’s asymmetric warfare strategy. Kim Jong Il was said to be an enthusiastic proponent of this, stating that “cyber-attacks are like atomic bombs” and that “war is won and lost by who has greater access to the adversary’s military technical information in peacetime.”[2] The Lazarus group’s earliest operations tended to focus on espionage and disruption, primarily targeting organizations in the United States and South Korea. 

After the death of Kim Jong Il in 2011, Kim Jong Un sought to expand on his father’s vision and harness the state’s cyber capabilities to generate revenue for the sanction-hit regime. Starting in 2015, Lazarus began conducting financially motivated operations, first focusing on banks and later cryptocurrency exchanges. North Korea has a long history of using criminal activities, including counterfeiting, drug trafficking and insurance fraud, to support its struggling economy. With its growing cyber capabilities, shifting these efforts to cyberspace likely felt like a natural evolution.[3]

What makes Lazarus stand out from other APTs is the breadth and diversity of its operations; the group has targeted a wide range of sectors over the years, including but not limited to the aerospace, banking, pharmaceuticals, energy, healthcare, technology, education, and transportation sectors. The group’s targeting appears to shift in line with the regime’s ambitions, as well as external events such as the COVID-19 pandemic. The regime relies on espionage and information theft to bypass (often difficult and expensive) R&D processes that are required for the advancement and modernization of the state.  

Additionally, Lazarus has repeatedly targeted governments and military organizations to obtain intelligence and undermine their adversaries. In 2016, the group breached South Korea’s Defense Ministry and reportedly obtained classified military documents outlining a joint US-South Korea combat strategy, including procedures to “decapitate” the North Korean leadership.[4] Such campaigns are used to strengthen North Korea’s strategic position and pre-empt threats from their regional neighbors.  

 

Group structure 

It should be noted that the Lazarus group is often used as an umbrella term referring to multiple North Korean cyber operators. Based on analysis of various toolsets and attack patterns, Lazarus can be divided into sub-groups with varying objectives. Two commonly cited sub-groups are BlueNorOff, which is believed to be the unit responsible for financially motivated attacks, and Andariel, which focuses its operations on foreign businesses, government agencies, and financial services infrastructure. According to some estimates, BlueNorOff (also referred to as APT38) boasts approximately 1,700 members, while Andariel has around 1,600 members.[5]

In addition to BlueNorOff and Andariel, Mandiant designates an additional sub-group: TEMP.Hermit. This unit is believed to focus on strategic intelligence gathering and is known to have targeted organizations in the government, defense, telecommunications, and financial sectors. It is believed that these three units are subordinate to an agency named Lab 110, previously Bureau 121, which is known as North Korea’s primary hacking unit. The relationship between these groups is shown in the chart below.[6]

 

Figure 1. Assessed structure of North Korean APT groups (Source: Mandiant)

 

However, it’s worth noting that due to the inherently clandestine nature of cyber threats, verifying this structure is no easy task. To complicate matters further, there are overlaps in tools and techniques between North Korea’s Kimsuky and APT37. This poses challenges for attribution and obscures our view of how these cyber teams are organized. 

Campaigns Overview

Operation Troy

2009-2012

One of the earliest known campaigns linked to the Lazarus group is “Operation Troy”, which took place between 2009 and 2012. During this time, Lazarus orchestrated a string of Distributed Denial of Service (DDoS) attacks against South Korean and US targets in the government, news media, and financial sectors. The group is believed to have hijacked more than 20,000 computers (including 12,000 in South Korea) to create the botnet used to drive Internet traffic to the targeted sites. Although these attacks were relatively unsophisticated, Lazarus succeeded in its mission of disruption, resulting in some websites being offline for several days. In tandem, the group ran a multi-year reconnaissance and data exfiltration campaign, maintaining its focus on South Korean and US entities.[7]

Operation Troy occurred during a period of rising tensions on the Korean peninsula, fueled by missile strikes and nuclear tests in the North. South Korean officials were concerned about their neighbors' expanding cyber capabilities, speculating that cyberattacks could be used to disable the country’s telecoms system prior to military strikes.[8] These fears were not unfounded, as subsequent investigations have uncovered links between Operation Troy and two later campaigns: the 2011 “Ten Days of Rain” incident and the 2013 DarkSeoul attacks. South Korea was targeted on both occasions. Reconnaissance efforts undertaken during Operation Troy are believed to have provided a foundation for the distribution of the DarkSeoul wiper malware in subsequent years.[9]  

Sony hack

2014

Lazarus made international headlines in 2014 with its attack on the film studio Sony Pictures Entertainment, prompted by the upcoming release of "The Interview," a comedy depicting an assassination attempt on North Korean leader Kim Jong-un. The attack began on November 24, when Sony employees were met by the image of a skull on every screen, accompanied by threats to release sensitive data unless the attackers’ demands were met. It is believed that Lazarus obtained a massive 100 terabytes of Sony data, the text equivalent of roughly 2.5 million books. Over the next few weeks, the group leaked a trove of unreleased films, executive salaries, and even Sony employees’ private medical records, causing immense embarrassment and financial losses for the company. This prompted several employees to initiate class action lawsuits against Sony for failing to protect their personal information. A senior Sony executive, whose own private emails had been exposed, was forced to step down in the aftermath. Lazarus also threatened physical violence against theaters screening "The Interview," forcing Sony to cancel its release.[10]

The Sony hack is remembered as one of the first cyberattacks where physical damage was caused to the victim, thanks to the Lazarus group’s use of wiper malware. This destructive malware, identified as WhiskeyAlfa, was designed to eradicate the contents of any hard drive connected to an infected system.[11] To maximize impact, Lazarus also deployed ransomware inside Sony’s network. Links were eventually made between the malware used against Sony and other malware associated with North Korea, prompting the FBI to attribute the attack to Lazarus. Sony's losses from the attack and the cancellation of "The Interview" release were estimated to exceed $100 million. Amidst international pressure, Sony eventually decided to release the film on Christmas Day, both in theaters and through video-on-demand platforms. Then-US President Barack Obama praised this decision, asserting that the US should not capitulate to cyber threats or engage in self-censorship due to the fear of offending foreign powers.[12]

Heist on the Central Bank of Bangladesh

2016

Two years later, the Lazarus group once again captured global attention by orchestrating one of the most brazen bank heists in history. This time, their target was the central bank of Bangladesh, resulting in the theft of over $81 million. The attack began on February 4, 2016, when Lazarus hackers used malware known as SWIFT Client to access the bank’s SWIFT credentials, which could be used to communicate with other financial institutions and banks around the world. This enabled the hackers to send a series of transfer requests to the Federal Reserve Bank of New York, where Bangladesh Bank maintained a US-dollar account containing almost $1 billion. The fraudulent requests contained instructions to transfer all available funds to various accounts in the Philippines and Sri Lanka, which were disguised by using the names of fake charities and non-profit organizations. Because Lazarus had previously infiltrated Bangladesh Bank’s network using spear phishing, it appeared that the requests were made by a legitimate bank employee.[13]

Lazarus executed this attack with precision, choosing dates and times where communication between Bangladesh Bank and the Federal Reserve Bank of New York would be impeded. The first sign of suspicious activity was reported at Bangladesh Bank’s Dhaka office on Friday, February 5, when a printer used to document large international transfers stopped working. In Bangladesh, weekends take place on Friday and Saturdays, meaning that the bank was operating at reduced capacity. When employees noticed the broken printer, they chalked it up to a benign tech issue and didn’t attempt to reboot it until the following day. When the printer was eventually reinstated, it began to dispense the fraudulent transfer requests, alerting employees to the situation. They immediately tried to contact the Federal Reserve, but by then it was the weekend in the US. Unable to elicit a response, employees at Bangladesh Bank tried to block the transfers by contacting banks in the Philippines and Sri Lanka. However, this coincided with the Lunar New year holiday, meaning the banks were closed and the transfers could proceed. This strategy bought Lazarus five days to execute the attack with minimal interruption.[14]

Despite the technical sophistication and thorough planning demonstrated by the group, it was a simple spelling error that caused the house of cards to come tumbling down. Hackers misspelled “foundation” in the recipient NGO’s name as “fandation”, causing the routing bank to seek clarification from Bangladesh and allowing them to halt some of the transactions. At the same time, the unusually large number of payment instructions and the transfer requests to private entities was raising suspicions in New York. In total, the transactions that were stopped amounted to circa $870 million, leaving the hackers with just $81 million. Most of this money was never recovered, having been laundered through casinos in the Philippines.[15]

WannaCry

2017

On May 12, 2017, a ransomware variant known as WannaCry spread like wildfire around the world, infecting more than 300,000 devices in 150 countries. WannaCry spread like a worm, using self-propagation through a remote exploit made public two months earlier. The exploit took advantage of a flaw in the Microsoft Windows implementation of the Server Message Block (SMB) protocol, known as EternalBlue. This vulnerability was initially discovered by the US National Security Agency (NSA), who developed the EternalBlue exploit for its own intelligence gathering purposes. This exploit was revealed to the public in early 2017 by the hacking group Shadow Brokers, who compromised the NSA and leaked a cache of exploits online. Just two months later it would be used to orchestrate one of the broadest and most damaging ransomware attacks in history.[16]

Several high-profile organizations were impacted by the spread of WannaCry, including the Spanish mobile company Telefónica, auto manufacturer Renault-Nissan, Russia’s Interior Ministry, and the UK’s National Health Service. In the case of the latter, hospitals, doctors’ surgeries, and ambulance services were disrupted for several days, endangering the lives of patients and costing the UK’s national health service an estimated GBP 92 million.[17] However, it is likely that the impact would have been far worse if not for a serendipitous discovery by the British security researcher Marcus Hutchins, known online as MalwareTech. Hutchins discovered an unusual function when reversing the WannaCry malware: before the malware executed its payload, it would query the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, which did not exist. He proceeded to register the domain, unintentionally triggering a “kill switch” which prevented WannaCry from executing on newly infected computers. This saved countless organizations around the world from having their files encrypted. Nonetheless, the worldwide disruption caused by WannaCry produced an estimated $8 billion in damages.[18] In the days following the attack, researchers at Symantec and Kaspersky identified links between WannaCry and Lazarus, noting code overlaps between WannaCry and previously identified Lazarus tools. In the months that followed, countries including the US, UK, and Canada attributed the attack to Lazarus.[19] For more technical details about WannaCry, check out Chapter 2 of our Definitive Guide to Ransomware.

Operation Dream Job

2019-2023

Beginning in 2019, Lazarus launched a broad cyber-espionage campaign targeting companies in the aerospace and defense sectors, mostly located in Europe, the United States, and the Middle East. The group relied heavily on social engineering to pull off this campaign, leveraging LinkedIn and other messaging platforms to establish initial contact with their targets, who held technical and business-related job titles. The attackers created fake profiles to impersonate hiring managers from prominent US firms. The targets were then lured into opening and interacting with malicious documents, which triggered the execution of custom, multistage malware. This malware was designed to infiltrate the target’s systems and exfiltrate valuable information without detection. In 2023, Lazarus introduced Linux malware into the campaign, demonstrating an evolution in their tactics.[20] [21] To read more about Operation Dream Job, check out our blog: Cyber Siege on the Fourth Estate. 

 

Ronin Network hack

2022

As previously mentioned, the Lazarus group has intensified its targeting of the cryptocurrency industry in recent years. In 2022, the group managed to steal a whopping $600 million worth of Ethereum and $25.5 million of USDC stablecoin from Ronin Network, an EVM (Ethereum Virtual Machine)-compatible blockchain made for gaming. This marked one of the largest attacks on a decentralized finance system to date. Ronin Network is tied to Axie Infinity, a popular blockchain game developed by Vietnamese studio Sky Mavis. The attack involved Lazarus compromising Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes, allowing the funds to be siphoned away in just two transactions. According to Sky Mavis, private keys obtained by Lazarus were used to forge fake withdrawals. At the time, five validator nodes were required for any deposit or withdrawal from the Ronin chain. In light of the attack, this number has since been increased to eight.[22] 

North Korea is the global leader in cryptocurrency attacks. In 2022 alone, an estimated $1.7 billion was stolen by North Korean hackers, $1 billion of which was stolen from decentralized finance (DeFi) protocols. These stolen funds make up a significant chunk of the nation’s economy and are likely used to fund the country’s nuclear weapons programme. In recent years, several cryptocurrency mixers have been sanctioned by the US government for helping Lazarus and other North Korean groups to launder stolen funds. More information about this can be found in the Trends section.[23] 

TTPs

Techniques

Hunt & Hackett continuously tracks the Tactics, Techniques and Procedures (TTPs) used by the Lazarus group. Knowing how the group operates allows us to set up the most effective detection and defence measures against them and other threat actors. We approach this by mapping the Lazarus group’s preferred TTPs to the MITRE ATT&CK framework, which divides a cyberattack into several phases. This can be seen in Table 1. It should be noted that this list is not exhaustive. Due to the covert nature of the Lazarus group’s activities, some of their techniques likely remain unknown, leaving uncertainty over the full extent of their capabilities.  

 

Phase / The Lazarus Group’s Preferred Techniques

Initial Access

Phishing (T1566)

Lazarus frequently utilizes spear phishing tactics, employing personalized emails and social media messages to deceive targets into clicking on malicious links. In 2014, the group gained initial access to Sony’s network through spear phishing.[24] This same technique was employed during Operation Dream Job.[25]

Drive-by compromise (T1189) 

Lazarus delivered RATANKBA, a remote controller tool, and other malicious code via a compromised legitimate website.[26]

Execution

Command And Scripting Interpreter (T1059)

Lazarus used PowerShell to execute commands and malicious code during Operation Dream Job.[27]

Scheduled Task/Job (T1053)

Lazarus has been known to use schtasks for persistence.[28]

Persistence

Boot or Logon Autostart Execution (T1547) 

This technique allows Lazarus to configure system settings to automatically execute a program during system boot or logon. The group uses this to maintain persistence. In the past, Lazarus has done this by loading malicious code into startup folders, adding Registry Run keys, and creating LNK shortcuts in the user’s Startup folder over the course of several campaigns.[29]

Hijack Execution Flow (T1574) 

Lazarus has been observed replacing a legitimate component with a malicious DLL to download and execute a payload.[30]

Privilege Escalation

Scheduled Task/Job (T1053)

Lazarus uses this technique to maintain persistence. The group has been observed periodically executing remote XSL scripts and dropping VBS payloads.[31]

Defense Evasion

Indicator Removal (T1070) 

Lazarus is known to delete or modify artifacts generated within systems to remove evidence of their activities. During a 2022 campaign, Lazarus restored malicious KernelCallbackTable code to its original state after the process execution flow was hijacked.[32]

Masquerading (T1036) 

Lazarus has used this technique on multiple occasions. During Operation Dream Job, the group disguised malicious files as JPEGs to avoid detection. They have also been observed using a scheduled task (SRCheck) to mask the execution of a malicious .dll.[33]

System Binary Proxy Execution (T1218) 

By proxying execution of malicious content with signed (or otherwise trusted) binaries, attackers can bypass process- or signature-based defenses. Common examples of system binaries that are abused for proxy execution include PowerShell, Windows Management Instrumentation (WMI), and legitimate command-line utilities like cmd.exe or certutil.exe. During Operation Dream Job, Lazarus used lnk files to abuse the Windows Update Client (wuauclt[.]exe) to execute a malicious DLL.[34]

Credential Access

Brute Force (T1110)

Lazarus employs brute force attacks to gain unauthorized access to target networks, systems, or accounts by systematically attempting various username and password combinations until successful authentication is achieved. In particular, the group is known to use the sub-technique Password Spraying (T1110.003). During a previous campaign, Lazarus used a generated list of usernames with permutations of the word “Administrator” and weak passwords to move laterally within the victim’s network.[35]

Discovery

Application Window Discovery (T1010) 

Application Window Discovery is a technique used by adversaries to gather information about open application windows on a targeted system. The Lazarus Group has achieved this in the past by using the malware IndiaIndia, which obtains the title of the window for each running process and sends it to the C2 server. The group has also been observed using the KilaAlfa keylogger, which reports the title of the window in the foreground.[36]

Lateral Movement

Remote Services (T1021)

Lazarus malware SierraCharlie uses Remote Desktop Protocol for propagation.[37]

Lateral Tool Transfer (T1570) 

This technique enables attackers to move tools or files between systems within a compromised environment. Lazarus was observed employing this method during the 2017 WannaCry attacks.[38]

Collection

Archive Collected Data (T1560)

Lazarus has used RomeoDelta malware to archive specified directories in .zip format, encrypt the file, and upload it to C2.[39]

Data from Local System (T1005)

During Operation Dream Job, Lazarus used malicious Trojans and DLL files to exfiltrate data from an infected host.[40]

Command & Control (C2)

Encrypted Channel (T1573)

This technique uses encryption algorithms to mask command and control traffic. Several malware families associated with Lazarus encrypt C2 traffic using custom code, which uses XOR with an ADD operation and XOR with a SUB operation. The group has also used AES to encrypt C2 traffic.[41]

Proxy (T1090)

Lazarus has been observed using multiple proxies to obfuscate network traffic from victims.[42]

Exfiltration

Exfiltration Over Alternative Protocol (T1048) 

Lazarus is known to use the sub-technique Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003), whereby data is exfiltrated over an un-encrypted network protocol separate from the existing command and control channel. This was seen when the group used the malware SierraBravo to generate an email message via SMTP containing information about newly infected victims.[43] 

Exfiltration Over C2 Channel (T1041) 

During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.[44]

Impact

Disk Wipe (T1561) 

Lazarus likes to use disk-wiping malware to inflict as much damage on its victims as possible. The group has used malware such as WhiskeyAlfa to overwrite the contents of physical drives, as well as SHARPKNOT to overwrite and delete the Master Boot Record (MBR) on the victim's machine.[45]

Table 1 – Some of the Lazarus group’s preferred techniques and how they have been used

Figure 2 - The Lazarus group’s preferred TTPs mapped to the MITRE ATT&CK framework

Lazarus exhibits a sophisticated operational approach, utilizing a diverse set of Tactics, Techniques, and Procedures (TTPs) throughout its campaigns. During the Initial Access phase, the group frequently relies on spear-phishing, a method that involves sending carefully crafted emails containing malicious attachments or links to individuals within the desired organization. These emails are designed to appear legitimate, leveraging social engineering tactics to deceive recipients into interacting with the malicious content, thereby facilitating initial access to the target network. Lazarus has done this using various file types, including malicious Word documents, ZIP archives, optical disc images (ISO), and virtual hard disks (VHD).[46] The group successfully breached Sony's systems in 2014 using this technique and expanded this approach to leverage social media sites such as LinkedIn during Operation Dream Job. Additionally, the group likes to use Drive-by Compromise (T1189) and watering hole attacks. These techniques were observed during the Bangladesh bank heist (2016), Operation BookCodes (2020), and Operation GoldGoblin (2023).[47] 

After Lazarus obtains initial access, they use various techniques to move further into the target network while evading detection. To escalate privileges, the group has been observed using DLL hijacking on Windows hosts, as well as using Scheduled Task/Job (T1053) to execute remote XSL scripts and drop VBS payloads at specific intervals. To maintain persistence, the group favours techniques such as Boot or Logon Autostart Execution (T1547), allowing them to automatically configure system settings to execute a program during system boot or logon, as well as Scheduled Task/Job (T1053) to execute malicious binaries at regular intervals. To evade detection, the group often eradicates evidence of their activities (T1070), employs masquerading techniques (T1036), and abuses system binaries, such as PowerShell, for proxy execution (T1218). Besides these (relatively common) defense evasion tactics, the group has been observed using custom tools to remain under the radar. During a 2023 campaign targeting fintech companies, the group leveraged a tool capable of selectively wiping individual entries from log files if they contain a given IP address on Linux systems. This allows an attacker to efficiently remove traces of network activity in bulk.[48]
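Two of the techniques summarised above lend themselves to simple, rule-based detections: Password Spraying (T1110.003), where one source fails logons against many accounts with a few passwords, and the persistence pair of Scheduled Task/Job (T1053) and Registry Run keys (T1547). The following is an added example written for this page, not code from the original article or from any vendor; the failed-logon and process-creation records are constructed, and the thresholds (five distinct accounts within five minutes) are assumptions that a real deployment would tune.

```python
"""
Added example: rule-based detections for two Lazarus techniques from Table 1,
run over constructed Windows-style event records (not real telemetry).

  * T1110.003 Password Spraying: one source, many distinct target accounts in
    a short window (the article mentions generated "Administrator" permutations).
  * T1053 / T1547 persistence: schtasks task creation and Registry Run keys
    seen in process-creation command lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed failed-logon events in the shape of Windows event 4625:
# (timestamp, source_ip, target_user). Source 10.0.0.5 is spraying; 10.0.0.9
# is a single user mistyping a password twice.
FAILED_LOGONS = [
    ("2024-08-07T10:00:01", "10.0.0.5", "administrator"),
    ("2024-08-07T10:00:03", "10.0.0.5", "admin"),
    ("2024-08-07T10:00:04", "10.0.0.5", "administrat0r"),
    ("2024-08-07T10:00:06", "10.0.0.5", "adm1nistrator"),
    ("2024-08-07T10:00:08", "10.0.0.5", "svc_backup"),
    ("2024-08-07T10:00:09", "10.0.0.5", "jsmith"),
    ("2024-08-07T09:10:00", "10.0.0.9", "jsmith"),
    ("2024-08-07T09:10:20", "10.0.0.9", "jsmith"),
]

def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: set(accounts)} for every source that failed logons
    against at least `min_accounts` distinct accounts inside a `window`-long
    sliding window. Sorting per source and sliding the window keeps a handful
    of genuine typos from alerting while a burst across many accounts does.
    """
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))
    alerts = {}
    for src, recs in by_source.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            users = {u for _, u in recs[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = alerts.get(src, set()) | users
    return alerts

# Constructed process-creation command lines (not real telemetry).
PROCESS_EVENTS = [
    "schtasks /create /sc minute /mo 15 /tn SRCheck /tr C:\\Users\\Public\\update.exe",
    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v Updater '
    '/t REG_SZ /d C:\\Users\\Public\\u.exe /f',
    "notepad.exe C:\\Users\\alice\\notes.txt",
    "schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
]

PERSISTENCE_RULES = [
    # (ATT&CK ID, description, regex applied to the command line)
    ("T1053.005", "schtasks task creation",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("T1547.001", "Registry Run key added via reg.exe",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\(Run|RunOnce)\b", re.I)),
]

def detect_persistence(command_lines):
    """Return [(attack_id, description, command_line)] for every rule hit."""
    hits = []
    for cmd in command_lines:
        for attack_id, desc, pattern in PERSISTENCE_RULES:
            if pattern.search(cmd):
                hits.append((attack_id, desc, cmd))
    return hits

if __name__ == "__main__":
    for src, users in detect_password_spray(FAILED_LOGONS).items():
        print(f"[T1110.003] {src} sprayed {len(users)} accounts: {sorted(users)}")
    for attack_id, desc, cmd in detect_persistence(PROCESS_EVENTS):
        print(f"[{attack_id}] {desc}: {cmd}")
```

Both detectors are deliberately narrow: the spray rule only fires when the distinct-account count is reached inside one window, and the persistence rules only match creation of tasks and Run keys, so a `schtasks /query` or a `reg query` does not alert. Legitimate software installers also write Run keys, so the second rule is a triage signal to be enriched with the parent process and the path being registered rather than an alert on its own.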

One notable aspect of the group’s modus operandi relates to the use of a multi-layered Command and Control (C2) infrastructure, comprised of servers with SSL encrypted channels established between them. The image below shows the composition of this infrastructure, based on Group IB’s analysis of the Bangladesh bank heist and subsequent attacks against Polish financial institutions. 

Figure 3 - The Lazarus group’s multi-layer C2 infrastructure. Source: Group IB[49]

 

Here, the Layer 1 server serves as the primary C2 server, directly engaging with the targeted computer. Once again, the Lazarus group’s commitment to stealth shines through. By utilizing SSL encrypted channels as part of its C2 infrastructure, Lazarus can successfully conceal the traffic content from network defenders and monitoring systems. As a result, even if the traffic is intercepted, it appears as incomprehensible ciphertext, making it challenging to discern the malicious intent or payload.  

During previous campaigns targeting the banking sector, Lazarus hackers safeguarded their anonymity by employing a legitimate VPN client known as SoftEther. In some cases, they also like to use corporate web servers strategically placed within the targeted organization, providing an additional layer of camouflage. When traffic between the compromised systems and the C2 servers stays within the organization's internal network, the chances of detection are reduced.[50]

This may sound like bad news for blue teamers, but a silver lining appears when looking at the Lazarus group's playbook (hint: they like to recycle). The group has continued to use much of the same infrastructure across its campaigns, despite these components being well-known to the security community. This presents an opportunity for defenders to create custom detection rules specific to the Lazarus group’s toolkit. It also presents avenues for the discovery of new IOCs, as demonstrated when Talos used this method to identify CollectionRAT malware last year.[51]

Tools

 

Lazarus is known to leverage a wide variety of custom tools in its attacks, many of which have significant code similarities. Its vast arsenal comprises keyloggers, RATs (Remote Access Trojans), wiper malware, DDoS botnets, and malicious code such as Destover, Duuzer, and Hangman, suggesting a large development team behind Lazarus. To supplement its impressive toolkit, the group likes to use modified versions of open-source tools, such as Mimikatz.[52] A selection of the group’s most noteworthy tools, which can be detected by blue teamers, is outlined in the list below.

Fallchill

 
Fallchill is a Remote Access Trojan (RAT) used by Lazarus since at least 2016 to target the telecommunications, aerospace, and finance industries. It is typically dropped by other Lazarus malware or downloaded when a victim visits a compromised website.[53] Fallchill utilizes fake SSL headers for communication, disguising its traffic as legitimate TLS/SSL packets. After collecting basic system information, the backdoor initiates communication with its command-and-control (C2) server using a custom encrypted protocol. As the primary component of Lazarus Group’s C2 infrastructure, Fallchill employs proxies to obfuscate network traffic between the victim’s system and the attackers, enhancing its stealth and persistence in compromised networks.[54] Detection of Fallchill is possible by continuously monitoring IOCs associated with Lazarus, particularly IP addresses, as well as updating network signatures and YARA rules.[55] Find more technical information for detecting Fallchill here.

AppleJeus

AppleJeus is a backdoor malware typically spread via trojanized cryptocurrency trading applications that victims are lured into downloading. In a 2022 campaign targeting cryptocurrency users, Lazarus cloned a legitimate website, HaasOnline, and used it to distribute a Windows MSI installer for a fake trading app named “BloxHolder” (bloxholder[.]com). Once the app was installed, it created a Scheduled Task to execute the legitimate executable CameraSettingsUIHost[.]exe during logon. The executable then loads a dynamic link library (DLL) in Windows, in this case dui70[.]dll, which in turn causes the malicious DUser[.]dll to load from the same directory as the executable.[56] This backdoor has become synonymous with the group’s operations against the cryptocurrency industry, leading Kaspersky to name a campaign after it: Operation AppleJeus.[57] For blue teamers hoping to detect use of this tool, a good place to start is by referring to the publicly available Sigma detection rules found here.[58]
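The AppleJeus loading chain described above is a DLL search-order hijack (Hijack Execution Flow, T1574): a trusted Windows executable is started from a directory the attacker controls and picks up DLLs with system-DLL names from that directory instead of from System32. The following is an added example for this page, not code from the original article, from Kaspersky or from any Sigma rule: it classifies image-load records by that pattern. The records, the field names (`Image`, `ImageLoaded`), the list of "system" DLL and executable names, and the assumption that the executable was copied out of System32 alongside the DLLs are all constructed for the example.

```python
"""
Added example: flag DLL side-loading of the kind described for AppleJeus, where
CameraSettingsUIHost.exe loads dui70.dll / DUser.dll from its own (non-system)
directory. Image-load records and the allow-lists below are constructed; a real
deployment would derive the name sets from a golden image of the OS.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Names that should only ever be loaded from / run from the system directories.
SYSTEM_DLL_NAMES = {"dui70.dll", "duser.dll"}        # constructed subset
SYSTEM_EXE_NAMES = {"camerasettingsuihost.exe"}      # constructed subset

def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def classify(event):
    """Return the list of reasons an image-load event looks like side-loading;
    an empty list means nothing suspicious was seen."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    reasons = []
    # Signal 1: a Windows system executable running from a non-system directory.
    if ntpath.basename(image) in SYSTEM_EXE_NAMES and not _in_system_dir(image):
        reasons.append("system executable running outside the Windows system directories")
    # Signal 2: a DLL carrying a system-DLL name loaded from a non-system path.
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES and not _in_system_dir(loaded):
        reasons.append("system DLL name loaded from a non-system path")
        # Signal 3: the classic layout, DLL beside the executable that loaded it.
        if ntpath.dirname(loaded) == ntpath.dirname(image):
            reasons.append("DLL sits in the same directory as the loading executable")
    return reasons

def scan(events):
    """Return [(event_id, reasons)] for every event with at least one reason."""
    results = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            results.append((ev["id"], reasons))
    return results

# Constructed image-load records (Sysmon event 7 style field names, not real data).
IMAGE_LOADS = [
    {"id": 1, "Image": "C:\\Users\\Public\\BloxHolder\\CameraSettingsUIHost.exe",
     "ImageLoaded": "C:\\Users\\Public\\BloxHolder\\dui70.dll"},
    {"id": 2, "Image": "C:\\Users\\Public\\BloxHolder\\CameraSettingsUIHost.exe",
     "ImageLoaded": "C:\\Users\\Public\\BloxHolder\\DUser.dll"},
    {"id": 3, "Image": "C:\\Windows\\System32\\CameraSettingsUIHost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dui70.dll"},
    {"id": 4, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(IMAGE_LOADS):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 3 is the normal case (the same executable and DLL, both in System32) and produces nothing, which is the property that matters: the detection keys on where a well-known name is loaded from, not on the name alone. The side-loading signal is strongest when all three reasons co-occur, as in events 1 and 2; the scheduled task that starts the executable at logon (T1053) is the natural pivot for the triage that follows.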

Mimikatz

Mimikatz is an open-source tool that enables attackers to extract credentials and other sensitive data from compromised Windows computers. During a previous campaign, Lazarus was observed using a modified version of the tool to harvest credentials from LSASS memory. They first disabled Windows Defender Credential Guard, so that LSA would store credentials in its own process memory rather than in the isolated LSA environment; once Credential Guard is disabled, credential material can be extracted from LSASS memory in the usual way. The command used is shown below. Note that LsaCfgFlags (0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock) is only read at boot, so the change takes effect after a reboot, and it has no effect at all when Credential Guard was enabled with UEFI lock, which is one reason to deploy it that way:  

cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 0 /f 2>&1 

Because the command writes a registry value, the activity can be detected in both the registry_event and process_creation log sources: in Sysmon terms, a registry value-set event for LsaCfgFlags and the process creation event carrying the reg add command line. According to WithSecure, querying or modifying the Credential Guard registry value has a low false positive rate, which makes it a high-confidence detection.[60]
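The two detections described in the AppleJeus and Mimikatz sections above can be expressed as a few lines of logic over endpoint telemetry. The following Python is an added example, not code from this page, from Hunt & Hackett or from WithSecure. It runs over a handful of constructed events that use Sysmon’s field names (Event ID 1 process creation, 7 image load, 13 registry value set); the events, the C:\ProgramData\BloxHolder directory and the svchost registry write are made up for the example, and the list of side-load chains holds only the one pair the page describes.

```python
"""
Detection logic for two Lazarus behaviours, run over constructed sample
telemetry (the events below are hand-written, not real logs):

  1. AppleJeus-style DLL side-loading: a System32 binary
     (CameraSettingsUIHost.exe) is started from, or loads dui70.dll /
     DUser.dll from, a directory other than the Windows system directories.
  2. Credential Guard tampering: `reg add ...\Control\Lsa /v LsaCfgFlags
     /t REG_DWORD /d 0`, seen as a process-creation command line (Sysmon
     EID 1) or as the registry value write itself (Sysmon EID 13).
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# Directories the side-loaded binaries are legitimately loaded from.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# host executable -> DLLs it pulls in. Only the chain from the 2022
# BloxHolder campaign is listed; extend with other known chains as needed.
SIDELOAD_CHAINS: Dict[str, set] = {
    "camerasettingsuihost.exe": {"dui70.dll", "duser.dll"},
}

# `reg add` (bare, reg.exe, or full path) writing LsaCfgFlags = 0.
CG_DISABLE_CMD = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*\\control\\lsa\b.*\blsacfgflags\b.*/d\s+0\b",
    re.IGNORECASE,
)
# The registry value itself, for the registry_event log source.
CG_VALUE = re.compile(r"\\control\\lsa\\lsacfgflags$", re.IGNORECASE)


def _dir_of(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name_of(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_sideload(event: dict) -> Optional[str]:
    """A known side-load host running, or loading its DLLs, outside TRUSTED_DIRS."""
    host = _name_of(event.get("Image", ""))
    if event["EventID"] == 1:
        if host in SIDELOAD_CHAINS and _dir_of(event["Image"]) not in TRUSTED_DIRS:
            return f"side-load host {host} started from {_dir_of(event['Image'])}"
    elif event["EventID"] == 7:
        dll = _name_of(event["ImageLoaded"])
        if dll in SIDELOAD_CHAINS.get(host, set()) and _dir_of(event["ImageLoaded"]) not in TRUSTED_DIRS:
            return f"{host} loaded {dll} from {_dir_of(event['ImageLoaded'])}"
    return None


def detect_credential_guard_tamper(event: dict) -> Optional[str]:
    """Credential Guard disabled via the command line or via the value write."""
    if event["EventID"] == 1 and CG_DISABLE_CMD.search(event.get("CommandLine", "")):
        return "Credential Guard disabled via reg add (LsaCfgFlags=0)"
    if event["EventID"] == 13 and CG_VALUE.search(event.get("TargetObject", "")):
        # Any write to LsaCfgFlags is rare enough to alert on, whatever the value.
        return f"LsaCfgFlags set to {event.get('Details', '?')} by {_name_of(event['Image'])}"
    return None


def scan(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (detector, message) for every event that matches a detector."""
    hits = []
    for ev in events:
        for name, detector in (("sideload", detect_sideload),
                               ("credguard", detect_credential_guard_tamper)):
            msg = detector(ev)
            if msg:
                hits.append((name, msg))
    return hits


SAMPLE_EVENTS = [  # constructed for this example
    # benign: the real CameraSettingsUIHost.exe and its DLL from System32
    {"EventID": 1, "Image": r"C:\Windows\System32\CameraSettingsUIHost.exe",
     "CommandLine": "CameraSettingsUIHost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\CameraSettingsUIHost.exe",
     "ImageLoaded": r"C:\Windows\System32\dui70.dll"},
    # suspicious: a copy started by a logon task from a made-up user-writable dir
    {"EventID": 1, "Image": r"C:\ProgramData\BloxHolder\CameraSettingsUIHost.exe",
     "CommandLine": r"C:\ProgramData\BloxHolder\CameraSettingsUIHost.exe"},
    {"EventID": 7, "Image": r"C:\ProgramData\BloxHolder\CameraSettingsUIHost.exe",
     "ImageLoaded": r"C:\ProgramData\BloxHolder\DUser.dll"},
    # benign: an unrelated value under Lsa (invented) must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Audit\SomeValue",
     "Details": "DWORD (0x00000001)"},
    # the command from the WithSecure report, as process creation and as the value write
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 0 /f 2>&1"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LsaCfgFlags",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for name, msg in scan(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The command-line check only catches the exact shape Lazarus used; an attacker who writes the value with PowerShell’s Set-ItemProperty or a direct API call would bypass it, which is why the registry_event check on the value itself is the one to rely on and the command-line match is a cheap addition rather than the primary rule.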

The Lazarus Group's Tools

3CX Backdoor, 3Rat Client, 3proxy, ARTFULPIE, ATMDtrack, AlphaNC, Alreay, AnchorMTea, Andaratm, AppleJeus, Aryan, AuditCred, BADCALL, BISTROMATH, BLINDINGCAN, BLINDTOAD, BOOTWRECK, BTC Changer, BUFFETLINE, BanPolMex RAT, BanSwift, Bankshot, Bitsran, BlindToad, BlueNoroff, BookCodes RAT, Bookcode, BootWreck, Brambul, BravoNC, CHEESETRAY, CLEANTOAD, CLOUDBURST, COLDCAT, CRAT, Casso, Castov, CheeseTray, CleanToad, ClientTraficForwarder, CollectionRAT, ComeBacker, Concealment Troy, Contopee, CookieTime, CoreDN, Cryptoistic, Cur1Downloader, DAVESHELL, DLRAT, DRATzarus, DYEPACK, Dacls, Dacls RAT, DarkComet, Delta(Alfa,Bravo, ...), DeltaCharlie, Destover, DoublePulsar, Dozer, Dtrack, Duuzer, DyePack, ECCENTRICBANDWAGON, ELECTRICFISH, EternalBlue, FALLCHILL, FASTCash, FastCash, FeedLoad, Fimlis, ForestTiger, FudModule, FuwuqiDrama, Gh0st RAT, Ghost RAT, GhostSecret, Gopuram, HARDRAIN, HLOADER, HOOKSHOT, HOPLIGHT, HOTCROISSANT, HOTWAX, HTTP Troy, HTTP(S) uploader, Hawup, Http Dr0pper, ICONICSTEALER, IconicStealer, ImprudentCook, Interception, JessieConTea, Joanap, Jokra, KANDYKORN, KEYMARBLE, KillDisk, KillDisk (Lazarus), Klackring, Koredos, LCPDot, LIGHTSHIFT, LIGHTSHOW, LPEClient, LambLoad, LazarDoor, LazarLoader, Lazarus, LightlessCan, Living off the Land, MATA, MagicRAT, Manuscrypt, Mimikatz, Mydoom, NACHOCHEESE, NESTEGG, NachoCheese, NedDnLoader, NestEgg, NickelLoader, NineRAT, NukeSped, OpBlockBuster, PEBBLEDASH, PhanDoor, Plink, PostNapTea, PowerBrace, PowerRatankba, PowerShell RAT, PowerSpritz, PowerTask, ProcDump, Proxysvc, QUICKCAFE, Quickcafe, QuiteRAT, RATANKBA, REDSHAWL, Racket Downloader, Ratankba, RatankbaPOS, RawDisk, Recon, RedHat Hacker WebShell, RedShawl, Rifdoor, Rising Sun, RollSling, Romeo(Alfa,Bravo, ...), RomeoAlfa, RomeoBravo, RomeoCharlie, RomeoDelta, RomeoEcho, RomeoFoxtrot, RomeoGolf, RomeoHotel, RomeoMike, RomeoNovember, RomeoWhiskey, Romeos, RustBucket, SHARPKNOT, SIDESHOW, SIGFLIP, SLICKSHOES, SUDDENICON, SUGARLOADER, Scout, SheepRAT, 
Sierra(Alfa,Bravo, ...), SierraAlfa, SierraCharlie, SimpleTea, SimplexTea, SnatchCrypto, SpectralBlur, Stunnel, TOUCHSHIFT, TOUCHSHOT, TYPEFRAME, Tdrop, Tdrop2, ThreatNeedle, TigerRAT, Torisma, Troy, Unidentified 042, Unidentified 077 (Lazarus Downloader), Unidentified 090 (Lazarus), Unidentified 101 (Lazarus?), Unidentified macOS 001 (UnionCryptoTrader), VEILEDSIGNAL, VHD, VSingle, ValeforBeta, Volgmer, Vyveva, Vyveva RAT, WORMHOLE, WannaCry, WannaCryptor, WatchCat, WbBot, WebbyTea, WinInetLoader, WinorDLL64, WolfRAT, Wormhole, YamaBot, Yort, miniBlindingCan, miniTypeFrame, sRDI, wAgentTea

Data Sources & Security Controls

Data log sources refer to the various systems, devices, applications, and network components that generate logs containing information about their activities. These logs are crucial for monitoring and analysing security events, detecting anomalies, and responding to incidents. In order to achieve the highest possibility of detecting malicious activity associated with the Lazarus group, Hunt & Hackett's research suggests monitoring specific data log sources as the basis for developing detection logic. A starting point is to look at the preferred means of attack. 

Figure 4 – The Lazarus group’s preferred techniques connected to the targeted data source  

 

Analyzing how often Lazarus employs its preferred tactics, techniques, and procedures (TTPs), and which telemetry those TTPs leave behind, gives a clearer understanding of the group’s capabilities and operational methods. The categories in Figure 4 are MITRE ATT&CK data components, the kinds of telemetry in which a technique can be observed, rather than tactics. According to the data collected by Hunt & Hackett, the data component most often tied to the group’s techniques is Command Execution, which accounts for about 14% of known TTPs. This comes into play after initial compromise, when the threat actor deploys command-and-control infrastructure, establishes a communication channel and executes commands on the target system. As discussed in the previous section, Lazarus has been known to employ a multi-layered C2 infrastructure consisting of several servers connected by TLS-encrypted channels, which keeps the group’s activities under the radar. Detecting these activities requires TLS inspection (SSL offloading) at internal chokepoints so that the content of the traffic can be examined. To detect tools executed through a command and scripting interpreter, command-line logging (for example Sysmon process creation events, or Windows event 4688 with command-line auditing enabled) and detection logic built on it are required. Threat intelligence should be integrated to enhance detection and response capabilities. 

The second most common data component is Process Creation, at roughly 13% of the Lazarus group's TTPs: telemetry that records every new process, which is where payload execution and persistence mechanisms such as scheduled tasks become visible. The group's techniques are also frequently observable in Process: OS API Execution (7%) and Network Traffic: Network Traffic Content (6%).  

This information serves as a valuable input for monitoring and detection. However, it should be noted that due to the covert nature of the Lazarus group’s activities, there are likely additional tools and techniques that have yet to be discovered.   


Figure 5 – When monitoring for Lazarus targeting data sources, these are the ones to watch

 

Looking at the available data, Hunt & Hackett recommends that an emphasis should be placed on endpoint monitoring to enable detection of malicious activities associated with Lazarus. Endpoints are devices such as computers, laptops, mobile devices, servers, and other network-connected devices that serve as entry or exit points for data in a network. Endpoint monitoring solutions leverage behavioural analysis and anomaly detection techniques to identify deviations from normal behaviour within the system, allowing malicious activity to be detected more efficiently. Collection and analysis of endpoint logs provides important information about process execution, command-line activity, and system events. By continuously monitoring endpoints, an organisation increases its chances of detecting and blocking unauthorized lateral movement before significant damage occurs.  

Additionally, an emphasis should be placed on XDR log monitoring, where data is aggregated from a range of diverse sources to provide centralized visibility. This allows an organization's security team to correlate information across different environments, making it possible to detect sophisticated attack techniques, such as lateral movement or data exfiltration following Command Execution. Finally, Hunt & Hackett recommends monitoring network traffic and protocols. This can enable identification of (potentially) malicious patterns, commands, or requests associated with Command Execution and Process Creation.  

Ultimately, it is important to recognize that effective detection capabilities must be acquired, developed, or customized to ensure comprehensive coverage against the Lazarus group’s sophisticated attacking techniques and broad toolset. This typically requires custom developed detection logic, which is particularly important when dealing with adversaries as stealthy and persistent as Lazarus.  


Figure 3 – From Technique to Data Source to Detection

Lazarus in the Netherlands

In late 2021, an unnamed aerospace company in the Netherlands was targeted by one of the Lazarus group’s trademark recruitment scams. An employee was contacted by individuals posing as Amazon recruiters and lured into opening malicious documents sent via email and LinkedIn. Upon opening, various tools including droppers, loaders, and HTTP(S) backdoors were deployed on the victim’s systems. One notable aspect of this campaign was the group’s use of a user-mode component to exploit CVE-2021-21551 in a legitimate, signed Dell driver (dbutil_2_3.sys) that the attackers brought with them, giving them the ability to write kernel memory; this was the first recorded abuse of the vulnerability in the wild. The attackers used that kernel write primitive to disable key Windows monitoring mechanisms, including registry callbacks, file system minifilter monitoring, and event tracing. This effectively blinded security solutions, allowing Lazarus to roam freely without detection.[61] The technique is a bring-your-own-vulnerable-driver (BYOVD) attack, so driver load telemetry and blocking of known vulnerable drivers are the practical countermeasures. Such a sophisticated approach again highlights the group’s ability to conduct deep research and develop advanced exploitation techniques. 

At Hunt & Hackett, we have observed the use of these techniques by Lazarus firsthand. In one of our previous investigations, we observed Lazarus sending highly targeted spear phishing messages disguised as job offers via the online messaging platform Telegram. As was the case with their 2021 campaign, tools such as loaders and backdoors were dropped onto the victim’s system once the malicious documents were opened.  

The Netherlands was not the only country targeted in this particular operation. Research by ESET shows that this was part of a broader effort to steal valuable information from defense companies in France, Italy, Germany, Poland, Ukraine, Turkey, Qatar and Brazil. Lazarus has repeatedly targeted the defense sector over the years, likely driven by North Korea’s enduring obsession with military supremacy. The regime continues to utilize the Songun (military-first) policy framework enacted by Kim Jong Il in 1995, which prioritizes the Korean People’s Army (KPA) as the central institution of North Korean society. Under Songun, the military is given the highest priority in resource allocation and national affairs, as it is seen as the primary force for safeguarding the regime. Over the past 15 years, North Korea has become increasingly dependent on APTs like Lazarus to support its military ambitions.[62] [63]

Trends

In recent years, the Lazarus Group has become the focus of international legal action. In September 2018, the US Department of Justice charged suspected Lazarus Group member Park Jin Hyok for his involvement in the WannaCry ransomware attacks, the Sony Pictures breach, and other cybercrimes. According to the affidavit, Park was charged with conspiring to gain unauthorized access to computers, obtaining information with intent to defraud, causing damage, extortion related to computer intrusion, and wire fraud.[64] In February 2021, a US federal indictment expanded on these charges, implicating two additional members, Jon Chang-Hyok and Kim Il, in a criminal conspiracy to conduct destructive cyberattacks, steal and extort over $1.3 billion from financial institutions and companies, create and deploy malicious cryptocurrency applications, and fraudulently market a blockchain platform.[65]

Individuals affiliated with the Lazarus group have also come under scrutiny. In 2021, Canadian-American citizen Ghaleb Alaumary pled guilty to aiding the Lazarus Group in laundering money obtained through ATM cash-out operations. In 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the virtual currency mixer Blender.io for aiding the Lazarus Group in laundering stolen virtual currency. This followed the group’s largest virtual currency heist to date, worth nearly $620 million, from a blockchain project linked to the online game Axie Infinity. Blender.io is believed to have processed more than $20.5 million of the illicit proceeds.[66] In the same year, the US sanctioned cryptocurrency mixer Tornado Cash for allowing the proceeds of cybercrime to be laundered on its platform, including nearly half a billion dollars stolen by Lazarus.[67]

The same year, US cryptocurrency researcher Virgil Griffith was sentenced to more than five years in prison for conspiring to help North Korea evade US sanctions using cryptocurrency. Griffith, who formerly worked for the Ethereum Foundation, traveled to North Korea in 2019 to speak at the Pyongyang Blockchain and Cryptocurrency Conference, despite being denied permission by the US Department of State to do so. US prosecutors said Griffith was aware the information he provided could be used to circumvent sanctions imposed on North Korea due to its nuclear weapons development. While speaking at the conference, Griffith stated: “The most important feature of blockchains is that they are open. And the DPRK [Democratic People's Republic of Korea] can't be kept out no matter what the USA or the UN says.”[68] This assessment, unfortunately, turned out to be correct. In the years that followed, Lazarus shifted focus from financial institutions to cryptocurrency platforms, stealing an estimated $3 billion over the course of 58 attacks.[69] UN sanction monitors believe these proceeds were used to further develop North Korea’s nuclear weapons program.[70]

SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • Large arsenal of custom tools and malware
  • Protection from North Korean leadership, limiting the impact of international legal action
  • Proven expertise at reconnaissance and planning, allowing them to achieve sophisticated attacks

Weaknesses

  • Tendency to reuse TTPs and repurpose tools and infrastructure

Opportunities

  • Cryptocurrency platforms and exchanges provide new avenues for financially motivated attacks

Threats

  • Information leaks by defectors
  • Undermining of state propaganda by allowing cyber workers access to the Internet

Conclusions & Future Implications

The Lazarus Group remains one of the most formidable and versatile threat actors on the global stage. Their operations, characterized by a blend of espionage, financial theft, and disruptive attacks, reflect the strategic objectives of North Korea’s regime. Over the years, Lazarus has demonstrated an exceptional ability to adapt its tactics, techniques, and procedures to exploit emerging technologies and vulnerabilities. From the audacious Sony Pictures hack and the infamous WannaCry attack, to sophisticated heists targeting financial institutions and cryptocurrency platforms, the group’s activities have had significant global repercussions. 

International efforts to counter Lazarus’s operations have intensified, resulting in multiple indictments and sanctions against individuals and entities associated with the group. However, these measures have had limited impact on the group’s capabilities, largely due to the protection and support they receive from North Korea’s leadership. The group’s continued focus on cryptocurrency platforms and the defense sector underscores their evolving strategy to circumvent traditional financial systems and fund the regime’s ambitions, including advancing its nuclear weapons program. As the group continues to evolve and expand its capabilities, the international community should remain vigilant, continuously updating detection measures, sharing technical information, and increasing awareness of the threats posed by this relentless and resourceful threat actor. 

Sources


[1] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations

[2] https://ccdcoe.org/uploads/2019/06/CyCon_2019_BOOK.pdf

[3] https://thediplomat.com/2022/07/mapping-major-milestones-in-the-evolution-of-north-koreas-cyber-program/

[4] https://edition.cnn.com/2017/10/10/politics/north-korea-hackers-us-south-korea-war-plan/index.html

[5] https://medium.com/@sharkteam/sharkteam-uncover-north-korean-apt-group-lazarus-group-attack-techniques-and-money-laundering-fff6d67c04fb

[6] https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government

[7] https://www.radware.com/cyberpedia/ddos-attacks/the-lazarus-group-apt38-north-korean-threat-actor/

[8] https://web.archive.org/web/20140920101926/http://www.ft.com/cms/s/0/61bc6d22-6c1f-11de-9320-00144feabdc0.html

[9] https://www.usna.edu/CyberCenter/_files/documents/Operation-Blockbuster-Report.pdf

[10] https://www.vox.com/2015/1/20/18089084/sony-hack-north-korea

[11] https://www.infosecinstitute.com/resources/mitre-attck/mitre-attck-disk-content-wipe/

[12] https://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/

[13] https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/

[14] https://nsarchive.gwu.edu/news/cyber-vault/2019-02-20/tainted-trove 

[15] https://www.reuters.com/article/idUSKCN0WC0TB/

[16] https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/

[17] https://www.acronis.com/en-eu/blog/posts/nhs-cyber-attack/

[18] https://www.darkreading.com/cyberattacks-data-breaches/5-security-lessons-wannacry-taught-us-the-hard-way

[19] https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group

[20] https://cymulate.com/threats/lazarus-group-adds-linux-malware-to-arsenal-in-operation-dream-job/

[21] https://web-assets.esetstatic.com/wls/2020/06/ESET_Operation_Interception.pdf

[22] https://therecord.media/more-than-625-million-stolen-in-defi-hack-of-ronin-network

[23] https://www.chainalysis.com/blog/2022-biggest-year-ever-for-crypto-hacking/

[24] https://www.secureops.com/wp-content/uploads/2021/06/Sony-Breach-Analysis-v4.pdf

[25] https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

[26] https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html

[27] https://attack.mitre.org/groups/G0032/

[28] https://attack.mitre.org/techniques/T1053/005/

[29] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/

[30] https://x.com/ESETresearch/status/1458438155149922312

[31] https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns

[32] https://www.malwarebytes.com/blog/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign

[33] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/

[34] https://www.threatdown.com/blog/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

[35] https://web.archive.org/web/20160226161828/https:/www.operation

[36] https://attack.mitre.org/techniques/T1010/

[37] https://web.archive.org/web/20160226161828/https:/www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

[38] https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/

[39] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/

[40] https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

[41] https://web.archive.org/web/20160226161828/https:/www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

[42] https://www.cisa.gov/news-events/alerts/2017/11/14/hidden-cobra-north-korean-remote-administration-tool-fallchill

[43] https://attack.mitre.org/groups/G0032/

[44] https://attack.mitre.org/campaigns/C0022/ 

[45] https://web.archive.org/web/20160226161828/https:/www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

[46] https://www.researchgate.net/publication/374977618_Lazarus_campaigns_and_backdoors_in_2022-2023

[47] https://go.group-ib.com/report-lazarus-en

[48] https://www.fox-it.com/nl-en/how-the-lazarus-group-targets-fintech/

[49] https://go.group-ib.com/report-lazarus-en

[50] https://go.group-ib.com/report-lazarus-en

[51] https://blog.talosintelligence.com/lazarus-collectionrat/

[52] https://web-assets.esetstatic.com/wls/2020/06/ESET_Operation_Interception.pdf

[53] https://attack.mitre.org/software/S0181/

[54] https://www.cisa.gov/news-events/alerts/2017/11/14/hidden-cobra-north-korean-remote-administration-tool-fallchill

[55] https://www.cisa.gov/news-events/alerts/2017/11/14/hidden-cobra-north-korean-remote-administration-tool-fallchill

[56] https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware

[57] https://securelist.com/operation-applejeus/87553/

[58] https://socprime.com/blog/applejeus-malware-detection-north-korea-linked-lazarus-apt-spreads-malicious-strains-masquerading-as-cryptocurrency-apps/

[60] https://labs.withsecure.com/publications/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two

[61] https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/

[62] https://www.dia.mil/Portals/110/Documents/News/North_Korea_Military_Power.pdf

[63] https://www.dia.mil/Portals/110/Documents/News/North_Korea_Military_Power.pdf

[64] https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

[65] https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and

[66] https://home.treasury.gov/news/press-releases/jy0768

[67] https://therecord.media/u-s-sanctions-tornado-cash-cryptocurrency-mixer

[68] https://www.bbc.com/news/business-61090064

[69] https://www.reuters.com/technology/cybersecurity/un-experts-investigate-58-cyberattacks-worth-3-bln-by-north-korea-2024-02-08/

[70] https://www.reuters.com/technology/cybersecurity/un-experts-investigate-58-cyberattacks-worth-3-bln-by-north-korea-2024-02-08/