Lazarus Lure in Yacht club

The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.

Name:
Lazarus Lure in Yacht club

TTP:

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1140 Deobfuscate/Decode Files or Information
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information
  • T1566.001 Phishing: Spearphishing Attachment
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1218.005 System Binary Proxy Execution: Mshta

Hypothesis:

The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.

Campaign Type:
Intel Driven

Data Sources:

  • Email logs (including attachments and metadata)
  • Endpoint logs (Sysmon, PowerShell logs, etc.)
  • Network traffic logs (firewall, proxy, etc.)
  • Security event logs (Windows Security Event Log)

Tools:

  • INetSim (for simulating network traffic)
  • Metasploit Framework (for generating malicious payloads)
  • Yara
  • Wireshark
  • Splunk

Scenario:

Initial Access: Attacker sends a spearphishing email with a malicious attachment, potentially disguised as a legitimate document or file related to the maritime industry (e.g., yacht specifications, brochures, etc.).

Execution: The victim opens the malicious attachment, which may employ obfuscation techniques to evade detection. Upon execution, the attachment utilizes Mshta to run obfuscated JavaScript code.

Persistence: The JavaScript code downloads and executes a malicious payload, potentially establishing persistence through scheduled tasks.

Command and Control: The malware establishes communication with a command-and-control server controlled by the Lazarus group.

Lateral Movement/Further Actions: The attacker may perform further actions, such as lateral movement, data exfiltration, or other malicious activities depending on their objectives.

Hunting Strategy:

  1. Analyze email logs: Search for emails originating from suspicious senders or containing keywords related to the maritime industry. Inspect attachments for obfuscation or other indicators of malicious activity.
  2. Examine endpoint logs: Look for evidence of Mshta execution with unusual command-line arguments or obfuscated JavaScript code. Correlate this activity with email attachment execution.
  3. Monitor network traffic: Identify any suspicious network connections to known Lazarus group infrastructure or newly registered domains.
  4. Investigate scheduled tasks: Review newly created or modified scheduled tasks for suspicious commands or scripts.
  5. Validate potential threats: Analyze suspicious files and scripts in a sandbox environment. Utilize threat intelligence platforms to identify known Lazarus group malware or TTPs.

False Positive Consideration:

  • Legitimate use of Mshta for system administration or scripting tasks.
  • Benign JavaScript code used in web applications or scripts.
  • Scheduled tasks created by legitimate software or system updates.

Recommendations:

  • Implement email filtering and anti-phishing solutions to block or flag suspicious emails and attachments.
  • Enforce strong password policies and multi-factor authentication to prevent unauthorized access.
  • Educate users about phishing attacks and best practices for handling suspicious emails and attachments.
  • Regularly update security software and endpoint detection and response (EDR) solutions.
  • Monitor for suspicious activity related to Mshta execution, JavaScript code, and scheduled tasks.
  • Utilize threat intelligence to stay informed about the latest Lazarus group TTPs and indicators of compromise.

Step-by-Step Guide to Emulate a Threat Hunt

  1. Prepare the Environment:

    • Set up a Windows virtual machine with security monitoring tools like Sysmon installed.
    • Enable auditing policies for PowerShell, process creation, and scheduled tasks.
    • Configure a centralized log management system, such as an ELK stack.
  2. Emulate the Attack Techniques:

    • Craft a spearphishing email with a malicious attachment containing obfuscated JavaScript code.
    • Utilize Mshta to execute the JavaScript code, which will then download and execute a simulated malware payload.
  3. Emulate Post-Compromise Activities:

    • Create a scheduled task to simulate persistence.
    • Generate network traffic to a simulated command-and-control server.
  4. Collect and Analyze Logs:

    • Collect logs from Sysmon, PowerShell, and the Windows Security Event Log.
    • Use your log management system to search for events related to Mshta execution, JavaScript activity, and scheduled task creation.
  5. Refine Detections:

    • Analyze the collected logs to identify patterns and refine your detection rules.
    • Consider using YARA or SIGMA to create more robust detection rules for detecting Lazarus group TTPs.
    • Document your analysis and findings to improve future threat hunting efforts.
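The log search called for in hunting steps 2 and 4 above and in step 4 of this emulation guide, as an added Python example that is not part of the original hunt write-up: it scores constructed Sysmon process-creation records (the paths, task names and parent processes are invented) for the Mshta and scheduled-task patterns this hunt describes, and lets the administrative and installer cases from the false-positive list through unflagged.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records for the walkthrough; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'mshta.exe javascript:eval(unescape("%76%61%72..."))'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Users\sales\AppData\Local\Temp\Yacht_Specs.pdf.hta"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\VendorTool\dashboard.hta"'},  # legitimate admin use
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "mshta C:\Users\sales\AppData\Roaming\u.hta"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Program Files\VendorTool\setup.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "VendorTool Update" /tr "C:\Program Files\VendorTool\update.exe /quiet"'},
]

INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)
REMOTE_URL = re.compile(r"\bhttps?://", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Windows\\Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
MAIL_OFFICE = ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe")

def score_event(ev):
    """Return (severity, reasons) for one process-creation record."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd, reasons = ev["CommandLine"], []
    if image == "mshta.exe":  # T1218.005
        if INLINE_SCRIPT.search(cmd):
            reasons.append("inline javascript:/vbscript: payload (T1059.007)")
        if REMOTE_URL.search(cmd):
            reasons.append("remote .hta fetched over HTTP (T1105)")
        if USER_WRITABLE.search(cmd):
            reasons.append("script loaded from a user-writable path")
        if parent in MAIL_OFFICE:
            reasons.append(f"spawned by {parent}, consistent with an opened attachment (T1566.001)")
    elif image == "schtasks.exe" and re.search(r"\s/create\b", cmd, re.I):  # T1053.005
        if parent in SCRIPT_HOSTS:
            reasons.append(f"task created by {parent}")
        if re.search(r'/tr\s+"?(mshta|wscript|cscript|powershell)', cmd, re.I) or USER_WRITABLE.search(cmd):
            reasons.append("task action runs a script host or a user-writable path")
    # Two independent signals -> high; one -> medium; none -> benign (vendor .hta in Program Files, installer task).
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "none"
    return severity, reasons

def hunt(events):
    """Keep only the records that tripped at least one rule, for analyst triage."""
    scored = [(score_event(ev), ev["CommandLine"]) for ev in events]
    return [(sev, cmd, why) for (sev, why), cmd in scored if sev != "none"]
```

Feeding the same rules real Sysmon exports (or the equivalent Splunk/ELK query) is the refinement loop step 5 describes: every "medium" hit that turns out benign becomes an allow-list entry rather than a weaker rule.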

D3 Diagram:
