Subject: Engage Report for Lazarus new malware
Tactics: TA0001 Initial Access
Technique: T1566.001 Phishing: Spearphishing Attachment
Procedure:
The Lazarus group targeted employees of a nuclear-related organization with phishing emails containing malicious archive files. The emails were disguised as job opportunities at prominent aerospace and defense companies, aiming to trick the victims into opening the malicious attachments.
Vulnerability: EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. EAV0004 When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.
Engagement Opportunity:
Deploy a decoy email server and create realistic-looking job postings that mimic those used in the Lazarus campaign. Monitor for any interaction with these emails and attachments, such as opening the email, clicking on links, or attempting to open the attachments. This provides an opportunity to engage with the adversary, gather intelligence on their tactics, and potentially disrupt their operations.
Threat Actor: Lazarus Group
Threat Objective:
The Lazarus group’s objective is likely espionage or intellectual property theft, given their history of targeting high-profile organizations and their interest in sensitive data.
Deception Opportunity:
Develop a deception campaign that includes a fake file-sharing service or a decoy document repository. Seed this service with documents that appear to be valuable intellectual property related to the nuclear industry. Monitor for any access attempts to these decoy documents, which could indicate the presence of the Lazarus group or other threat actors.
Sensor Data Placement: Application
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
The attachment-based phishing approach is a well-established tactic used by Lazarus and other APT groups. While not all phishing attacks use attachments, the usage of a malicious document or trojanized application is common enough to be considered a core implementation of this sub-technique.
Link to Report:
Link to Report II.:
Additional Comments:
The Lazarus group’s continuous adaptation and refinement of their TTPs highlight the need for organizations to stay vigilant and proactive in their defenses. Implementing robust email security measures, user awareness training, and threat intelligence monitoring are crucial for mitigating the risk of such attacks.
Possible elements:
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# Example: Lazarus Group Attack Graph
[1]: Initial Access [TA0001] - Phishing [T1566]: Spearphishing Attachment [T1566.001] - Deliver malicious archive files in phishing emails disguised as job opportunities (Core to Some Implementations of (Sub-)Technique)
[2]: Execution [TA0002] - User Execution [T1204] - Trick victim into opening malicious attachment (Lack of User Awareness)
[3]: Persistence [TA0003] - Create or Modify System Process [T1543]: Windows Service [T1543.003] - Install malware that creates a new service (Lack of System Monitoring)
[4]: Command and Control [TA0011] - Application Layer Protocol [T1071]: Web Protocols [T1071.001] - Establish communication with C2 server using HTTP (Lack of Network Monitoring)
1 --> 2
2 --> 3
3 --> 4
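As an added example (not part of the report or any MITRE tooling), a small Python parser for the MSG node/edge notation defined above: it rejects edges that reference undefined nodes, walks the chain in order, and pulls out the ATT&CK tactic ids so a defender can map each stage to a detection or engagement control. The sample input is the report's own node and edge lines; the function names are this example's own.

```python
import re
# Constructed sample input: the MSG node and edge lines of this report, copied verbatim.
MSG_LINES = """
[1]: Initial Access [TA0001] - Phishing [T1566]: Spearphishing Attachment [T1566.001] - Deliver malicious archive files in phishing emails disguised as job opportunities (Core to Some Implementations of (Sub-)Technique)
[2]: Execution [TA0002] - User Execution [T1204] - Trick victim into opening malicious attachment (Lack of User Awareness)
[3]: Persistence [TA0003] - Create or Modify System Process [T1543]: Windows Service [T1543.003] - Install malware that creates a new service (Lack of System Monitoring)
[4]: Command and Control [TA0011] - Application Layer Protocol [T1071]: Web Protocols [T1071.001] - Establish communication with C2 server using HTTP (Lack of Network Monitoring)
1 --> 2
2 --> 3
3 --> 4
""".strip().splitlines()

ATTACK_ID = re.compile(r"\[(TA\d{4}|T\d{4}(?:\.\d{3})?)\]")          # tactic / (sub-)technique ids
NODE_RE = re.compile(r"^\[(\d+)\]:\s*(.*)$")                         # "[id]: tactic - technique - procedure (level)"
EDGE_RE = re.compile(r"^(\d+)\s*-->\s*(\d+)(?:\s*\((.*)\))?$")       # "src --> dst (exploited vulnerability)"
LEVEL_RE = re.compile(r"^(.*?)\s*\(((?:[^()]|\([^()]*\))*)\)$")       # trailing "(level)", one nesting level allowed

def parse_msg(lines):
    # Returns ({node_id: node_dict}, [(src, dst, vuln)]); blank and '#' comment lines are skipped.
    nodes, edges = {}, []
    for line in (l.strip() for l in lines if l.strip() and not l.lstrip().startswith("#")):
        if m := NODE_RE.match(line):
            tactic, technique, rest = m.group(2).split(" - ", 2)
            pm = LEVEL_RE.match(rest.strip())
            procedure, level = pm.groups() if pm else (rest.strip(), "")
            nodes[int(m.group(1))] = {"tactic": tactic.strip(), "technique": technique.strip(),
                "procedure": procedure, "observable_level": level, "attack_ids": ATTACK_ID.findall(line)}
        elif m := EDGE_RE.match(line):
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3) or ""))
        else:
            raise ValueError(f"unrecognised MSG line: {line!r}")
    for src, dst, _ in edges:  # every edge must join two defined nodes
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge {src} --> {dst} references an undefined node")
    return nodes, edges

def attack_path(nodes, edges):
    # Walk the single-successor chain starting from the one node no edge points to.
    succ = {s: d for s, d, _ in edges}
    (cur,), path = [n for n in nodes if n not in succ.values()], []
    while cur is not None and cur not in path:
        path.append(cur)
        cur = succ.get(cur)
    return path

def tactic_sequence(lines):
    # Tactic ids in chain order, e.g. to check which stages have detection or engagement coverage.
    nodes, edges = parse_msg(lines)
    return [nodes[n]["attack_ids"][0] for n in attack_path(nodes, edges)]
```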
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]
# Example: Lazarus Group Pseudocode
function Initial_Access_Phishing(target_email):
    # Craft phishing email with malicious archive file
    # Send email to target_email
    return malicious_attachment
function Execution_User_Execution(malicious_attachment):
    # Trick user into opening malicious attachment
    return malware_payload
function Persistence_Create_or_Modify_System_Process(malware_payload):
    # Install malware that creates a new service
    return C2_communication_module
function Command_and_Control_Application_Layer_Protocol(C2_communication_module):
    # Establish HTTP connection with C2 server
    return success