lazarus group

Lazarus Attack targeting security researchers


1. Summary

Recently, Google disclosed in its blog a continuous infiltration activity of security researchers engaged in vulnerability research and development of different companies and organizations on social media such as Twitter.

The set up a series of social accounts on Twitter and other social media, these accounts will post some security-related news, and at the same time comment and forward each other to expand their influence.

After having a certain degree of influence, the attacker will actively seek out security researchers to communicate, and inquire about the research fields and interests of security researchers. After determining the research field of the security researcher, if there is overlap, the attacker will use learning and communication as an incentive to send engineering files such as poc and exp to the researcher. For example, when compiling the poc project, a malicious prebuild script will be executed and the malicious dll file in the project will be run, which will eventually lead to the failure of the computer used by the researcher.

The attackers that need attention here are very latent,

1

The attacker has a professional technical blog and will also invite professional researchers to provide professional articles to post on this blog

2

The attackers (or gangs) maintain multiple social accounts, which are relatively active, and they have also formed a certain degree of influence, and they communicate daily. Then phishing will be conducted through social blog posts or private message chats. The phishing content includes blog post links that are suspected of being used by attacks, and VS project files with malicious programs.

3

The phishing file or link sent by the attacker is very realistic. For example, the content of the blog post is very professional, and the poc of the VS project file contains a poc with a real vulnerability.

clip_image001

clip_image003

And from the record, activities or preparations have been started since at least April 2020.

clip_image004

Judging from the current situation, many of the more active researchers on Twitter have been contacted by attackers, especially browser vulnerability researchers and kernel vulnerability researchers.

According to the Google blog description, the attacker has been attributed to a government-backed entity headquartered in North Korea.

2. Brief analysis

The attacker will send the encrypted pgb encrypted program by adding TG, and send the public key for decryption and decompression. In the end we got the VS project named dxgkrnl_poc. The naming and content of the project are consistent with the rhetoric used by the attacker in the social engineering process, which is very confusing.

The malicious sample is named Browse.VC.db (MD5: 7fc2af97b004836c5452922d4491baaa), disguised as a .db database file, which is actually a DLL dynamic link library, and its path is \dxgkrnl_poc\x64\Debug.

In the process of compiling the project, the attacker will execute the powershell script in the prebuild tag configuration file in the .vcxproj that the attacker writes in the vs configuration file, and use rundll to call the export function ENGINE_get_RANDW of the malicious file Browse.VC.db in the project directory to hide Perform malicious operations.

clip_image005

The command configured by the attacker is to determine whether the currently attacked is a win10 system and an X64 environment. If it is, then execute the x64\Debug\Browse.VC.db file in the current directory through rundll32. The sample will release the update.bin file in the C:\ProgramData\VirtualBox directory after calling the export function

And write the self-starting key HKEY_CURRENT_USER\Software\Microsoft\\CurrentVersion\Run\SSL Update in the registry,

The specific content is

C:\\System32\rundll32.exe C:\\ProgramData\\VirtualBox\\update.bin,ASN2_TYPE_new 5I9YjCZ0xlV45Ui8 4222 to achieve persistence.

clip_image006

The structure of update.bin is similar to Browse.VC.db. It also uses rundll to call export functions to implement malicious code execution. It contains multiple export functions. Its main function is “ASN2_TYPE_newW”. Here is a little trick. It is the “ASN2_TYPE_new” function that is called. In fact, it starts the “ASN2_TYPE_newW” function that is called by default in unicode mode.

clip_image007

After executing update.bin, finally back to C2, the address is angeldonationblog[.]com, currently the server cannot be accessed.

According to Google: In addition to using the features of the VS compiler to implant the backdoor, the suspected hackers also placed a Chrome exploit code on their blog and also included the privilege escalation function of win10, and there were some users who were successfully attacked. It is the latest Chrome browser, fully patched win10 system, and Google currently has no details of related vulnerabilities.

According to the current information, one of the Chrome exploits may be CVE-2020-15994.

clip_image008

3. Association

The attack sample is similar to the Lazarus Group in some signs. The prebuild command code embedded in the VS project is somewhat similar to the command part of the lnk file (c74467fa96c2202faeed3f79334f0b21) used by Lazarus.

clip_image009clip_image010

The parameter decryption part of Browse.VC.db is similar to the parameter decryption part of localdb.db.

clip_image011

The 180001430 function in Browse.VC.db is similar to the 10001330 function in localdb.db.

clip_image012

So it may be related to the Lazarus Group.

4. Summary

At present, these accounts have been frozen, and the related return addresses are no longer accessible.

At present, activities on the Internet are becoming more frequent, and the target of the attacker has never had a clear scope. As long as there is an attack target with the possibility of attack, hackers are pervasive.

The hackers who are most familiar with security researchers are often long-term adversaries. In this operation, hackers showed strong pertinence and confusion. Security researchers should remain vigilant in their daily research and Internet social interaction.

IOCs

angeldonationblog[.]com
codevexillium[.]org
investbooking[.]de
krakenfolio[.]com
opsonew3org[.]sg
transferwiser[.]io
transplugin[.]io
trophylab[.]com
www.colasprint[.]com
www.dronerc[.]it
www.edujikim[.]com
www.fabioluciani[.]com

https[:]//angeldonationblog[.]com/image/upload/upload.php
https[:]//codevexillium[.]org/image/download/download.asp
https[:]//investbooking[.]de/upload/upload.asp
https[:]//transplugin[.]io/upload/upload.asp
https[:]//www.dronerc[.]it/forum/uploads/index.php
https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php
https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php
https[:]//www.edujikim[.]com/intro/blue/insert.asp
https[:]//www.fabioluciani[.]com/es/include/include.asp
http[:]//trophylab[.]com/notice/images/renewal/upload.asp
http[:]//www.colasprint[.]com/_vti_log/upload.asp

7fc2af97b004836c5452922d4491baaa
6252cec30f4fb469aefa2233fe7323f8
56018500f73e3f6cf179d3b853c27912
b52e05683b15c6ad56cebea4a5a54990
9e9f69ed56482fff18933c5ec8612063
f5475608c0126582081e29927424f338
ae17ce1eb59dd82f38efb9666f279044

631adb4cb6433330f3e6dfec4f6c1ea3bfff983c
a3060a3efb9ac3da444ef8abc99143293076fe32
baf97d3b9095911fb7c9c8d7152fdc32ca7b33aa
4ff6c02140ab1daf217b6e01ec042460389e2e92
8e88fd82378794a17a4211fbf2ee2506b9636b02
3b3acb4a55ba8e2da36223ae59ed420f856b0aaf

284df008aa2459fd1e69b1b1c54fb64c534fce86d2704c4d4cc95d72e8c11d6f
4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244
68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7
25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc
a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855
a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15