Lazarus Group Bets on Destructive Malware

What Is It?

Since the second half of 2017, reports of destructive malware attacks have increased in frequency; examples include NotPetya, the Iranian APT33 group’s attacks on the petrochemical, aerospace and energy industries and, of course, the attack on the PyeongChang Winter Olympics servers. While destructive malware may be the primary purpose of an attack intended to disrupt the target’s business, it can also be used in extortion, as the penalty for non-payment, or by attackers wishing to remove potential forensic evidence of an attack.

A recent report by researchers from security firm Eset describes a destructive malware attack on a Central American-based online casino, which they believe to have been perpetrated by the notorious Lazarus Group. This group, referred to by the FBI as Hidden Cobra, is believed to be responsible for numerous attacks involving destructive malware, the most well-known of which is the 2014 Sony Pictures breach. The group is believed to comprise smaller teams and uses a combination of its own malicious tools, usually recompiled or altered for each attack, and publicly available tools such as Mimikatz.

In the online casino attack, Eset found over 100 end-user systems and servers infected with Lazarus Group malware, demonstrating significant effort on the attackers’ part to compromise the network.

The malware includes three components: a backdoor that listens on a specific port number and can manipulate files and processes and gather system information; a session hijacker that creates a new process as the user currently logged into the system; and the destructive malware itself.

The destructive malware discovered in this attack, which Eset generically classifies as KillDisk, is almost identical to other variants used in attacks targeting financial organizations in the same geographical area in early 2018.

How Does It Propagate?

The malware does not self-propagate.

The specifics of the infection vector are not described, but it is believed to include droppers, which are likely executed on systems as a result of some form of social engineering, such as malicious attachments in spear-phishing emails. There is also evidence of the attackers compromising remote access tools such as Radmin3 and LogMeIn, likely due to the use of poor, easily guessed or brute-forced passwords.
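The compromise of remote access tools through guessed or brute-forced passwords is the one part of the infection vector a defender can look for directly in authentication logs. The following is an added example, not code from the BluVector or Eset reports: it parses a constructed, simplified authentication log (the line format, field names, user names and IP addresses are all assumptions for illustration) and flags any source address that accumulates a burst of failed logins within a short window, raising the severity when a successful login follows the burst, since that pattern is consistent with a password having been guessed.

```python
"""Flag likely password-guessing against remote-access logins.

Added example, not from the BluVector or Eset reports. The log format
below is constructed for illustration; adapt LINE_RE to the log format of
the remote access tool you actually run.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report). Assumed format:
# <ISO timestamp> <service> <FAILED|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2018-03-01T08:00:01 remote-access FAILED user=admin src=203.0.113.5
2018-03-01T08:00:03 remote-access FAILED user=admin src=203.0.113.5
2018-03-01T08:00:04 remote-access FAILED user=administrator src=203.0.113.5
2018-03-01T08:00:06 remote-access FAILED user=root src=203.0.113.5
2018-03-01T08:00:09 remote-access FAILED user=operator src=203.0.113.5
2018-03-01T08:00:12 remote-access SUCCESS user=operator src=203.0.113.5
2018-03-01T09:15:00 remote-access FAILED user=jsmith src=198.51.100.7
2018-03-01T09:15:30 remote-access SUCCESS user=jsmith src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match
    the expected format are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return one finding per source IP that produced at least `threshold`
    failed logins inside any `window`-long interval.

    A successful login from the same source after the burst raises the
    severity to "high": that sequence matches a guessed password, and the
    account that succeeded is what an analyst would want to review first.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "FAILED"]
        for i in range(len(failures)):
            # Sliding window anchored at each failure in turn.
            window_end = failures[i]["ts"] + window
            burst = [e for e in failures[i:] if e["ts"] <= window_end]
            if len(burst) < threshold:
                continue
            later_success = [
                e for e in evs
                if e["result"] == "SUCCESS" and e["ts"] > burst[-1]["ts"]
            ]
            findings[src] = {
                "failed": len(burst),
                "users": sorted({e["user"] for e in burst}),
                "success_after": later_success[0]["user"] if later_success else None,
                "severity": "high" if later_success else "medium",
            }
            break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_guessing(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

In the constructed sample, 203.0.113.5 produces five failures across four account names in eight seconds and then logs in as `operator`, so it is reported as a high-severity finding; the single failure from 198.51.100.7 followed by a normal login stays below the threshold. The threshold and window are deliberately parameters: tune them against your own baseline of mistyped passwords before alerting on the result.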

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detects publicly available samples directly related to this attack. Regression testing has shown the samples would have been detected an average of 44 months prior to their release.
