Welcome to the VB2021 conference!


Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections

17:00 - 17:30 UTC Fri 8 Oct 2021
Seongsu Park (Kaspersky)
Since the first research on Lazarus APT – a well-known, state-sponsored threat actor – was published, the group has continued to draw attention from both the industry and the media as a result of its high-profile and highly sophisticated activities. Unlike most other state-sponsored actors, Lazarus pursues a variety of motives. Initially the group had a relatively small malware cluster and limited attack capabilities, but its modus operandi made a major leap in sophistication from 2018 onwards: several malware families spun off from the original code base and developed independently. Based on the characteristics of these families, we group them into several clusters: ThreatNeedle, DeathNote, Bookcode, MATA, AppleJeus, CookieTime and others.

These clusters still overlap in their modi operandi: some heavily reuse the same source code, and some deliver the same final-stage malware through different infection methods. We have nevertheless separated them, for several reasons.

The first reason is the characteristics of the malware. While the primary functionality of the malware may look similar, a closer look at the infection schemes shows that the clusters use different techniques. For example, the ThreatNeedle cluster uses a more complicated infection chain built from various components, whereas the MATA cluster uses a relatively simple scheme combining an orchestrator with plug-ins. In the initial infection phase, most clusters use macro-embedded Office documents as the initial vector, but the macros themselves differ from cluster to cluster.

The second reason is the development environment of the malware author. Each developer prefers a particular OS environment and compiler when building their malicious program. Some clusters share identical linker versions across their samples, while others show clear differences. For example, ThreatNeedle was mostly built with linker version 10, while the CookieTime malware was built with linker version 14.26. The difference is even more distinctive when the Rich header information is compared.
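The two build artefacts this paragraph relies on can be pulled out of a PE without any third-party library. The following is an added example, not tooling from the speaker or from Kaspersky: it reads the MajorLinkerVersion/MinorLinkerVersion fields of the optional header, decodes the XOR-masked Rich header (product id, build number and use count per entry), recomputes the Rich checksum so a tampered or hand-crafted header is flagged, and folds the result into a fingerprint tuple that a clustering pipeline could key on. The PE images it parses are constructed in `build_sample_pe` with made-up product ids and build numbers; the checksum routine follows the widely documented algorithm (DanS offset, each DOS-header byte rotated by its index with the e_lfanew bytes skipped, each comp.id rotated by its count).

```python
import struct

DANS = 0x536E6144        # b'DanS' read as a little-endian uint32
E_LFANEW_OFF = 0x3C      # offset of e_lfanew in the DOS header


def _rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken mod 32)."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, dans_off, entries):
    """Recompute the Rich header XOR key, which doubles as its checksum:
    start from the DanS offset, add every DOS-header/stub byte rotated by
    its index (the four e_lfanew bytes are skipped), then add every raw
    comp.id rotated by its use count."""
    csum = dans_off
    for i in range(dans_off):
        if E_LFANEW_OFF <= i < E_LFANEW_OFF + 4:
            continue
        csum = (csum + _rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        csum = (csum + _rol32(comp_id, count)) & 0xFFFFFFFF
    return csum


def build_sample_pe(linker_major, linker_minor, entries):
    """Construct a minimal synthetic PE image (test input, not a real binary):
    DOS header, zeroed stub, Rich header, PE signature, COFF header and the
    first bytes of the optional header. entries are raw (comp_id, count)."""
    dos = bytearray(0x40)
    dos[0:2] = b'MZ'
    stub = b'\x00' * 0x40
    dans_off = len(dos) + len(stub)
    key = rich_checksum(bytes(dos) + stub, dans_off, entries)
    rich = struct.pack('<IIII', DANS ^ key, key, key, key)   # DanS + 3 padding dwords
    for comp_id, count in entries:
        rich += struct.pack('<II', comp_id ^ key, count ^ key)
    rich += b'Rich' + struct.pack('<I', key)
    struct.pack_into('<I', dos, E_LFANEW_OFF, dans_off + len(rich))
    coff = struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into('<HBB', optional, 0, 0x10B, linker_major, linker_minor)
    return bytes(dos) + stub + rich + b'PE\x00\x00' + coff + bytes(optional)


def linker_version(data):
    """Return (MajorLinkerVersion, MinorLinkerVersion) from the optional header."""
    e_lfanew = struct.unpack_from('<I', data, E_LFANEW_OFF)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        raise ValueError('missing PE signature')
    opt = e_lfanew + 4 + 20   # skip signature and IMAGE_FILE_HEADER
    _magic, major, minor = struct.unpack_from('<HBB', data, opt)
    return major, minor


def rich_header(data):
    """Decode the Rich header, or return None when absent. Each entry is
    (product_id, build_number, use_count); 'valid' is whether the stored key
    equals the recomputed checksum (a mismatch suggests tampering)."""
    e_lfanew = struct.unpack_from('<I', data, E_LFANEW_OFF)[0]
    rich_off = data.rfind(b'Rich', 0, e_lfanew)
    if rich_off < 0:
        return None
    key = struct.unpack_from('<I', data, rich_off + 4)[0]
    dans_off = rich_off - 4
    while dans_off >= 0x40:           # walk back to the masked DanS marker
        if struct.unpack_from('<I', data, dans_off)[0] == DANS ^ key:
            break
        dans_off -= 4
    else:
        raise ValueError('Rich marker without DanS start')
    raw = []
    for pos in range(dans_off + 16, rich_off, 8):   # skip DanS + padding
        comp_id, count = struct.unpack_from('<II', data, pos)
        raw.append((comp_id ^ key, count ^ key))
    entries = [(cid >> 16, cid & 0xFFFF, cnt) for cid, cnt in raw]
    return {'key': key, 'entries': entries,
            'valid': rich_checksum(data, dans_off, raw) == key}


def fingerprint(data):
    """Tuple a clustering pipeline could key on: linker version plus the
    sorted set of (product_id, build) pairs from the Rich header."""
    rh = rich_header(data)
    tools = tuple(sorted((p, b) for p, b, _ in rh['entries'])) if rh else ()
    return linker_version(data) + (tools,)


if __name__ == '__main__':
    # Constructed samples: product ids and build numbers are made up.
    old = build_sample_pe(10, 0, [(0x009D0001, 12), (0x009E0001, 1)])
    new = build_sample_pe(14, 26, [(0x01050001, 3)])
    for name, blob in (('sample_old', old), ('sample_new', new)):
        print(name, fingerprint(blob), rich_header(blob)['valid'])
```

The linker version alone is a weak signal, since any build with the same toolchain shares it; the Rich header's per-tool build numbers and use counts are what let two samples be told apart, and the checksum check matters because the header is trivially forgeable by anyone who wants a sample to look like it came from a different developer.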

The third reason is victimology. Although the clusters share the same origin, each targets different industries and countries. For example, AppleJeus has consistently attacked only the cryptocurrency industry, whereas ThreatNeedle has changed its targets with the situation, moving from cryptocurrency businesses to a game company and then to a defence contractor. Moreover, the Bookcode cluster has only been discovered in South Korea, while the other clusters have been found across various countries. Based on this, we assess that each cluster has its own targets and operates with its own purpose.

It is not easy to attribute cyber attacks, because each researcher applies different standards and perspectives when distinguishing them. Nevertheless, it is critical to track campaigns through a detailed classification based on technical characteristics. Given that Lazarus continues to be one of the most prolific and destructive APT groups, tracking and grouping its various campaigns is particularly important. In this talk, I will dig deeper into how we identified the different clusters and how the security community can attribute new activity to particular clusters based on the key characteristics described above.
Seongsu Park
Kaspersky

Seongsu Park is a passionate researcher of malware, threat intelligence, and incident response with over 10 years of experience in cybersecurity. He has extensive experience in malware research, evolving attack vectors research, and threat intelligence, with a heavy focus on response to nation-state adversary attacks. He mainly tracks highly skilled Korean-speaking threat actors.