![lazarus group lazarus group](https://thehackernews.com/images/-RRtz3ook6ZA/YDjUuVW0yrI/AAAAAAAAB5k/Ait1DtY21OM_4aLRqLlRBa4gzsvVljzNQCLcBGAsYHQ/s728-e1000/hacking-news.jpg)
Kaspersky also discovered an additional configuration file containing four C2 servers, all of which are compromised web servers located in South Korea. Using this utility, the threat actor extracted a list of the victim’s users and computers.” Moreover, Lazarus used ADfind in order to collect additional information from the Active Directory. “After acquiring account information, they connected to another host with the ‘net’ command and executed a copied payload with the ‘wmic’ command. “In the lateral movement phase, the malware operator used well-known methodologies,” they added.
Lazarus group password#
Upon execution, the Bookcode malware reads a configuration file and connects with its C2 – after which it provides standard backdoor functionalities, researchers said, and sends information about the victim to the attacker’s infrastructure, including password hashes. “We have also witnessed the Lazarus group carry out spearphishing or strategic website compromise in order to deliver Bookcode malware in the past.”
Lazarus group software#
“We previously saw Lazarus attack a software company in South Korea with Bookcode malware, possibly targeting the source code or supply chain of that company,” according to Kaspersky. “We’ve previously seen and reported to our Threat Intelligence Report customers that a very similar technique was used when the Lazarus group attacked cryptocurrency businesses with an evolved downloader malware,” they said, adding that “ debugging messages have the same structure as previous malware used in attacks against cryptocurrency businesses involving the Lazarus group.” BookcodeĪs for the Bookcode malware cluster, here too the researchers weren’t able to uncover the initial access vector for certain, but it could be a supply-chain gambit, they said.
Lazarus group windows#
In the final step, wAgent fetches an in-memory Windows DLL containing backdoor functionalities, which the attackers used to gather and exfiltrate victim information through shell commands.
![lazarus group lazarus group](https://i2.wp.com/backendnews.net/wp-content/uploads/2019/07/hacker-1952027_1280.jpg)
POST parameter names are decrypted at runtime and chosen randomly at each C2 connection, researchers explained. Then it generates identifiers to distinguish each victim using the hash of a random value. A 16-byte string parameter is used as an AES key to decrypt an embedded payload – a Windows DLL – which is loaded in memory.įrom there, it decrypts configuration information using a given decryption key, including command-and-control server (C2) addresses. Kaspersky’s analysis showed that the malware was directly executed on the victim machine from a command line shell. It’s unknown what the initial infection vector was, but the wAgent malware cluster contained fake metadata in order to make it look like the legitimate compression utility XZ Utils. “However, we can confirm that both of them are connected to the Lazarus group, and we also found overlaps in the post-exploitation process.” wAgent “Both attacks leveraged different malware clusters that do not overlap much,” researchers said. For the pharma company, Lazarus Group deployed the Bookcode malware in a likely supply-chain attack through a South Korean software company, according to Kaspersky. In the first instance, the cyberattackers installed a sophisticated malware called “wAgent” on the ministry’s servers, which is fileless (it only works in memory) and it fetches additional payloads from a remote server. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well.” They added, “These two incidents reveal the Lazarus Group’s interest in intelligence related to COVID-19. is developing a COVID-19 vaccine and is authorized to produce and distribute COVID-19 vaccines.” Researchers added, “According to our telemetry, company was breached on Sept. 27, 2020, two Windows servers were compromised at the ministry,” according to a blog posting issued Wednesday. The goal was intellectual-property theft, researchers said.
![lazarus group lazarus group](https://www.stots.edu/images/icons/palm-sunday-mosaic.jpg)
That’s the finding from Kaspersky researchers, who found that Lazarus Group - widely believed to be linked to North Korea - recently attacked a pharmaceutical company, as well as a government health ministry related to the COVID-19 response. The advanced persistent threat (APT) known as Lazarus Group and other sophisticated nation-state actors are actively trying to steal COVID-19 research to speed up their countries’ vaccine-development efforts.