Lazarus toolset: restoring the old painting in a new frame

Peter Kálnai , Malware Researcher , ESET

Michal Poslusny , Malware Analyst , ESET

There is a significant number of malicious actions attributed to the infamous Lazarus hacking group which is active since 2009 (e.g. Operation Troy/DarkSeoul, various attacks on South Korean organisations, Operation BlockBuster). The group has intensified their efforts this year (e.g. the attacks on Polish and Mexican banks; the WannaCry outbreak; the spearphishing campaign against US contractors). The attribution in the new cases was done mostly by comparing features of the payload, namely specific chunks of code, unique data or network infrastructure shared with the previously closed cases. The code base seems to be slightly modified each time a new attack is launched, however there still are significant links being preserved between the attacks.

In our session we present our hunt for the Lazarus toolkit based on properties of malicious Windows executables. Initially, the set of 800+ PE binaries reported publicly since 2013 and generally accepted as the groups fingerprints served as the base. We followed by extracting specific static features (and their combinations) from these files as a potential link, e.g. character strings, Microsoft’s undocumented linker information, PE timestamps, encryption methods and keys, C&Cs, variations of dynamic WINAPI resolving, the command protocol used by their TCP backdoors etc. For every link, we checked its presence against large data sets of PE files collected over the years. As one may expect, most of these attribution candidates led to a dead-end, because they were found in a clean software or malware attributed to different actors. However, after an extensive examination we gathered a list of links that represented the toolset appropriately and helped to enlarge the initial set. The static links were additionally cross-checked with metadata (Is the file dropped by a malicious Korean document? Are C&Cs located in the related region? Was the victim’s system compromised together with malware from the base set? Does it generally follow the usual modus operandi?). We have identified 400+ unique strongly linked valid executables thus far, 90+ of which have the 2017 timestamp and additional 70+ we have linked with weaker confidence. Note that the number of recent compilations may be even higher because the group likes to alter PE timestamp quite regularly (which we will demonstrate by presenting examples).

Many of newly attributed samples give a new insight into the group’s activities. The links led us to interesting, as yet unpublished, findings: the very first iteration of WannaCry from 2016; the list of commercial packers used for obfuscation; the recent introduction of their own customized packer; the presence of various suspicious artifacts in the code, considered as false flags, like Russian, Chinese or South Korean language and cultural references. The toolset constantly grows and without deep insight it’s quite hard to attribute the new pieces. An attendee of this talk should get a bigger picture about the toolkit and be able to raise quick suspicion when a fresh Lazarus incident happens.

Peter Kálnai

Peter Kálnai is a malware researcher at ESET. His everyday tasks include reverse engineering of Windows and macOS executables especially connected with high-profile cyber threats. He is interested in discovering and extending the features of Volatility Framework. He has presented his research multiple times in international conferences like Virus Bulletin, AVAR and cyberCentral. In his free time he enjoys table football, travelling and playing indie games on his mobile phone.

Michal Poslusny

Michal Poslušný is a malware analyst working at ESET, where he is mainly responsible for reverse engineering of complex malware threats. His research was presented at the Virus Bulletin conference. He also works on developing various internal projects and tools and is a co-author of ESET’s CrackMe used for hiring new talents. In his free time he likes to play online games, develop fun projects and spend time with family.