Lazarus Group Update

The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a new technical alert on the North Korea-linked threat group known by its US government designation, Hidden Cobra,[1] and by its security-industry name, the Lazarus Group.

The Lazarus Group is strongly suspected of conducting numerous high-profile attacks, including those on Sony Pictures, Bangladesh's central bank and various other financial organizations. The Lazarus Group's campaigns have been tracked under the names Operation Blockbuster, Dark Seoul and Operation Troy. Australia, Canada, New Zealand, the United Kingdom and the United States have officially blamed Lazarus for the WannaCry attack.

Existing US-CERT alerts attribute the Joanap backdoor trojan and the Brambul worm to the North Korean government. Joanap and Brambul have been used by the Lazarus Group since 2009 in attacks aimed at organizations in the United States and elsewhere, including the financial, entertainment, transportation and critical infrastructure sectors.

Joanap is a two-stage malware that allows its operators to exfiltrate data and install additional tools on a compromised system. Brambul is a worm that spreads over the Server Message Block (SMB) protocol, brute-forcing logons on other systems with a password dictionary. Its capabilities also include harvesting system information, accepting command-line arguments, and generating and executing what many researchers describe as a "suicide script" that deletes the worm after it runs. Other Lazarus Group tools named in earlier alerts include Sharpknot, Hardrain, Badcall, Bankshot, Fallchill, Volgmer, and Delta Charlie.
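A Brambul-style SMB dictionary attack leaves a recognisable trail on the victim: a burst of failed network logons from one source, trying many usernames, sometimes followed by a success. The detection below is an added example, not code from the original post or from any of the tools named above. It runs over a constructed set of Windows Security events (4625 failed logon, 4624 successful logon, logon type 3 for network/SMB logons); the hosts, usernames, timestamps and thresholds are all hypothetical.

```python
"""Added example: detect Brambul-style SMB password guessing from Windows Security events.

Constructed sample records mimic event IDs 4625 (failed logon) and 4624
(successful logon). Logon type 3 is a network logon, which is what an
SMB authentication attempt produces. Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, users and times):
# (timestamp, event_id, source_ip, target_user, logon_type)
SAMPLE_EVENTS = [
    ("2018-05-29T10:00:01", 4625, "10.0.0.5", "administrator", 3),
    ("2018-05-29T10:00:02", 4625, "10.0.0.5", "admin", 3),
    ("2018-05-29T10:00:02", 4625, "10.0.0.5", "backup", 3),
    ("2018-05-29T10:00:03", 4625, "10.0.0.5", "guest", 3),
    ("2018-05-29T10:00:03", 4625, "10.0.0.5", "root", 3),
    ("2018-05-29T10:00:04", 4625, "10.0.0.5", "test", 3),
    ("2018-05-29T10:00:05", 4624, "10.0.0.5", "administrator", 3),
    # Interactive (logon type 2) failures from a user mistyping a password: not SMB, ignored
    ("2018-05-29T10:05:00", 4625, "10.0.0.7", "jsmith", 2),
    ("2018-05-29T10:05:30", 4624, "10.0.0.7", "jsmith", 2),
]


def detect_smb_spray(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Return {source_ip: finding} for sources whose network-logon failures exceed
    the thresholds inside a sliding time window.

    A finding records how many failures fell in the window, the distinct
    usernames tried, and any successful network logons from the same source
    after the burst began (a sign the dictionary attack found valid credentials).
    """
    by_src = defaultdict(list)
    for ts, event_id, src, user, logon_type in events:
        if logon_type != 3:          # only network logons (SMB), skip console/RDP noise
            continue
        by_src[src].append((datetime.fromisoformat(ts), event_id, user))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [(t, u) for t, e, u in evs if e == 4625]
        for i, (t0, _) in enumerate(failures):
            users_in_window = [u for t, u in failures[i:] if t - t0 <= window]
            if len(users_in_window) >= min_failures and len(set(users_in_window)) >= min_users:
                success_after = [u for t, e, u in evs if e == 4624 and t >= t0]
                findings[src] = {
                    "failures": len(users_in_window),
                    "users": sorted(set(users_in_window)),
                    "success_after_spray": success_after,
                }
                break                # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_smb_spray(SAMPLE_EVENTS).items():
        print(src, finding)
```

The window and thresholds should be tuned to the environment; a single source that fails against many distinct accounts in a short window is the signature worth alerting on, and a 4624 from the same source right after the burst is the case that needs immediate containment.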

North Korea has been blamed for several major cyber-attacks, yet it vehemently denies these assertions. North Korean threat actors remain very active, especially now that negotiations among North Korea, China, South Korea and the US are imminent.

Mitigation

Hidden Cobra (Lazarus Group) information can be viewed at: https://www.us-cert.gov/hiddencobra

The FBI has high confidence that Lazarus Group actors are using numerous IP addresses, which are listed in US-CERT Alert TA18-149A. These IP addresses are being shared[2] as indicators of compromise (IOCs) so that network defenders can block them and hunt for past connections, reducing exposure to this malicious cyber activity.
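Putting a published IP list to use means more than adding it to a blocklist: historical firewall, proxy and flow logs should be searched for any traffic to or from the indicators. The matcher below is an added example, not code from the original post or from US-CERT. The indicators in it are constructed placeholders from the RFC 5737 documentation ranges, not the Hidden Cobra addresses from TA18-149A, and the firewall log format is hypothetical; a practitioner would substitute the alert's CSV or STIX indicators and their own log format.

```python
"""Added example: match network logs against an IP IOC list such as the one in TA18-149A.

IOC_LIST below is a constructed stand-in (RFC 5737 documentation addresses),
NOT the real Hidden Cobra indicators. SAMPLE_LOGS is a constructed,
hypothetical firewall log format.
"""
import ipaddress
import re

# Constructed IOC list: "indicator, note" per line. Real lists come from the alert's CSV/STIX.
IOC_LIST = """
# constructed sample indicators, not real IOCs
192.0.2.44, constructed C2 address
198.51.100.0/28, constructed scanning range
"""

# Constructed syslog-style firewall lines (hypothetical format and addresses).
SAMPLE_LOGS = """
2018-05-30T02:11:09Z fw01 ACCEPT src=10.1.4.22 dst=192.0.2.44 proto=tcp dport=443
2018-05-30T02:11:12Z fw01 ACCEPT src=10.1.4.22 dst=203.0.113.9 proto=tcp dport=80
2018-05-30T02:12:40Z fw01 DROP src=198.51.100.7 dst=10.1.0.5 proto=tcp dport=445
2018-05-30T02:13:01Z fw01 ACCEPT src=10.1.9.3 dst=198.51.100.200 proto=tcp dport=22
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def load_iocs(text):
    """Parse 'indicator, note' lines into (ip_network, note) pairs.
    Single addresses become /32 (or /128) networks so CIDR and host
    indicators are handled uniformly; comments and blank lines are skipped."""
    iocs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        indicator, _, note = line.partition(",")
        iocs.append((ipaddress.ip_network(indicator.strip(), strict=False), note.strip()))
    return iocs


def match_logs(log_text, iocs):
    """Return one hit dict per (log line, field) whose src or dst falls in an indicator.
    Both directions matter: outbound hits suggest beaconing/C2, inbound hits
    (even dropped ones) show the actor probing the perimeter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # unparseable line: skip, do not crash the sweep
        for field in ("src", "dst"):
            try:
                addr = ipaddress.ip_address(m[field])
            except ValueError:
                continue                   # hostname or garbage in the field
            for net, note in iocs:
                if addr in net:
                    hits.append({
                        "ts": m["ts"],
                        "direction": field,
                        "ip": str(addr),
                        "indicator": str(net),
                        "note": note,
                        "action": m["action"],
                    })
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, load_iocs(IOC_LIST)):
        print(hit)
```

Note that a DROP against an indicator is still a hit worth recording: it shows the actor is interested in the network, and a later ACCEPT from an internal host to the same indicator would turn a probe into a probable compromise.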

Past Reporting

Lazarus Group TTP Used Against Global Govt Financial, PIR-006-2017, dtd 24 MAR 2017


[1] https://www.securityweek.com/us-attributes-two-more-malware-families-north-korea

[2] https://www.us-cert.gov/ncas/alerts/TA18-149A
