Name:
Threat Hunting Scenario: Lazarus Group’s Evolved Infection Chain
TTP:
T1071 Application Layer Protocol, T1547 Boot or Logon Autostart Execution, T1562 Impair Defenses, T1566 Phishing, T1082 System Information Discovery
Hypothesis:
Lazarus group actors are actively targeting specific industries with tailored spearphishing attacks, utilizing trojanized remote access tools and a complex infection chain involving multiple malware stages and C2 communication for persistent access and data exfiltration.
Campaign Type:
Intel Driven
Data Sources:
- Endpoint Security Logs (e.g., Sysmon, EDR)
- Network Traffic Logs
- Email Security Gateway Logs
- Web Proxy Logs
- Antivirus Logs
- Process Monitoring Logs
- File Integrity Monitoring Logs
Suspected TTPs:
- Social engineering via fake job opportunities targeting specific industries.
- Distribution of trojanized remote access tools (e.g., TightVNC, UltraVNC Viewer) for initial compromise.
- Use of compressed ISO files to evade detection.
- Delivery of multiple malware types, including a downloader (Ranid Downloader), loader (vnclang.dll), and backdoors (MISTPEN, RollMid, LPEClient, CookieTime, CookiePlus).
- Side-loading of malicious DLLs (e.g., vnclang.dll, libcrypto.dll).
- C2 communication using HTTP and cookie values for authentication and payload delivery.
- Use of plugin-based malware (CookiePlus) for modular functionality and extended C2 communication.
- Abuse of legitimate signed binaries and services (e.g., ssh-agent) as DLL side-loading hosts for execution and persistence.
- Continuous downloading of additional payloads and plugins from the C2 server.
Tools:
- SIEM (e.g., Splunk, QRadar, Elastic Stack)
- EDR Solution
- Network Analysis Tools (e.g., Wireshark, tcpdump)
- Malware Analysis Sandbox
- Threat Intelligence Platform
Scenario:
- Initial Access: Attackers initiate spearphishing campaigns with tailored job offers, delivering trojanized remote access tools (e.g., TightVNC, UltraVNC Viewer) as attachments.
- Execution: Victims, enticed by the fake job opportunities, execute the trojanized tools, unknowingly initiating the infection chain.
- Defense Evasion: The initial malware employs techniques such as delivery inside ISO files and DLL side-loading to evade detection by security products.
- Persistence: Malware establishes persistence through several methods, including registry Run-key modifications, Startup folder entries, and DLL side-loading via legitimate services.
- Command and Control: The malware establishes communication with the C2 server, typically over HTTP, using cookie values for authentication and data exchange.
- Lateral Movement: Attackers leverage compromised systems to move laterally within the network, potentially using additional tools or exploiting vulnerabilities.
- System Information Discovery: Various malware components collect system information, helping attackers understand the environment and identify valuable targets.
- Payload Delivery: The C2 server delivers additional payloads and plugins, extending the malware's functionality and enabling further malicious activity.
- Data Exfiltration: Attackers exfiltrate sensitive data collected from compromised systems, potentially causing significant financial or reputational damage.
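The Command and Control step above describes periodic HTTP requests that carry a cookie value as the session token. That pattern can be hunted in web proxy logs without knowing the C2 domains in advance. The following Python script is an added example written for this page, not code from the original page or from any published Lazarus analysis: it parses a constructed, simplified proxy log format, groups requests per (source, destination) pair, and flags pairs whose inter-request gaps are near-constant and whose Cookie header repeats the same high-entropy value on most requests. The hostnames, IP addresses, cookie token, log format and thresholds are all constructed for illustration.

```python
import math
import statistics
from collections import defaultdict

BEACON_COOKIE = "id=7f3a9c2e4b1d8e6f0a5c3b9d2e8f1a7c"  # constructed opaque token


def build_sample_log():
    """Constructed proxy log lines (not captured traffic).
    Simplified format: '<epoch> <src_ip> <dst_host> <uri> <cookie-or-dash>'."""
    lines, base = [], 1700000000
    # Host A: ~60 s interval with small jitter, identical opaque cookie each time.
    t = base
    for j in (0, 1, -1, 2, 0, -2, 1, 0):
        t += 60 + j
        lines.append(f"{t} 10.0.0.5 update-cdn.example /api/v1/check {BEACON_COOKIE}")
    # Host B: ordinary browsing, irregular gaps, cookies vary by site and session.
    t = base
    browsing = [(3, "s=a1b2c3"), (45, "s=a1b2c3"), (2, "x=9f8e7d"), (300, "s=0011aa"),
                (7, "-"), (90, "t=beef01"), (12, "-"), (400, "u=cafe42")]
    for gap, cookie in browsing:
        t += gap
        lines.append(f"{t} 10.0.0.6 www.example.com /news {cookie}")
    # Host C: exact 30 s polling with no Cookie header (legitimate monitoring agent).
    for i in range(1, 9):
        lines.append(f"{base + 30 * i} 10.0.0.7 monitor.example /health -")
    return lines


def parse_proxy_line(line):
    """Parse one constructed log line into a dict; returns None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, uri, cookie = parts
    return {"ts": int(ts), "src": src, "dst": dst, "uri": uri, "cookie": cookie}


def shannon_entropy(s):
    """Bits per character; opaque tokens score high, '-' or 'aaaa' score zero."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_beacons(lines, min_requests=6, max_cv=0.25,
                    min_cookie_reuse=0.8, min_cookie_entropy=3.0):
    """Flag (src, dst) pairs whose requests are periodic (low coefficient of
    variation of inter-request gaps) AND carry the same high-entropy Cookie
    value on most requests. Both conditions are required: periodic polling
    without an opaque cookie (monitoring agents) is not flagged, and opaque
    cookies without periodicity (normal web sessions) are not flagged."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_proxy_line(line)
        if ev:
            by_pair[(ev["src"], ev["dst"])].append(ev)

    findings = []
    for (src, dst), evs in by_pair.items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")

        cookies = [e["cookie"] for e in evs if e["cookie"] != "-"]
        if not cookies:
            continue
        top_cookie = max(set(cookies), key=cookies.count)
        reuse = cookies.count(top_cookie) / len(evs)
        token = top_cookie.split("=", 1)[-1]  # score the value, not the cookie name
        entropy = shannon_entropy(token)

        if cv <= max_cv and reuse >= min_cookie_reuse and entropy >= min_cookie_entropy:
            findings.append({"src": src, "dst": dst, "requests": len(evs),
                             "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 3),
                             "cookie_reuse": round(reuse, 2),
                             "cookie_entropy": round(entropy, 2)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in analyze_beacons(build_sample_log()):
        print(finding)
```

Requiring periodicity and cookie reuse together is what keeps the monitoring agent (10.0.0.7) and the browsing session (10.0.0.6) out of the results while 10.0.0.5 is flagged. In a real hunt, add destination rarity (how many internal hosts talk to that domain), exclude baselined update and CDN domains, and treat the thresholds as starting points to tune against your own proxy data.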
Hunting Strategy:
- Data Collection: Gather relevant logs and events from endpoint security tools, network monitoring systems, email gateways, and web proxies.
- Log Analysis: Analyze the collected data for indicators of compromise related to Lazarus group's TTPs, such as:
  - Suspicious email attachments and spearphishing attempts.
  - Execution of trojanized remote access tools.
  - Defense evasion techniques such as ISO file delivery and DLL side-loading.
  - Persistence mechanisms involving registry Run keys, the Startup folder, and service modifications.
  - Network connections to known C2 servers.
  - System information discovery commands and scripts.
  - Suspicious file modifications and process injections.
- Threat Intelligence Enrichment: Leverage threat intelligence feeds and Lazarus group-related IOCs to identify potentially malicious activity.
- Correlation and Pattern Analysis: Correlate events across data sources to identify patterns and anomalies indicative of Lazarus group activity.
- Investigation and Validation: Investigate suspicious events and outliers to validate potential threats and determine the extent of compromise.
- Remediation: Isolate compromised systems, remove malware, and patch vulnerabilities to contain the attack and prevent further damage.
- Reporting: Document findings, produce comprehensive reports, and share them with relevant stakeholders to improve security posture and prevent future attacks.
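To make the Log Analysis bullets concrete, here is an added Python example (not code from the original page or from any Lazarus report) that runs the endpoint checks over a handful of constructed Sysmon-style events in JSON-lines form: Event ID 7 image loads that match the DLL side-loading watchlist (vnclang.dll, libcrypto.dll) or that are unsigned and loaded from a user-writable directory, Event ID 13 Run-key values and Event ID 11 Startup-folder drops pointing into user-writable paths, and bursts of distinct discovery binaries launched by one parent within 60 seconds. Only the DLL names come from the scenario; the host names, paths, process GUIDs, timestamps and the user-writable path list are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# DLL names are from the scenario; everything else here is a constructed assumption.
SIDELOAD_DLL_NAMES = {"vnclang.dll", "libcrypto.dll"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
DISCOVERY_BINARIES = {"systeminfo.exe", "whoami.exe", "ipconfig.exe", "net.exe",
                      "tasklist.exe", "nltest.exe", "hostname.exe"}
RUN_KEY_MARKER = "\\currentversion\\run\\"
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed Sysmon-style events (JSON lines), not logs from a real host.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Computer": "WS01", "UtcTime": "2024-01-15 10:00:01.000",
     "Image": "C:\\Users\\alice\\Downloads\\TightVNC\\vncviewer.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\TightVNC\\vnclang.dll", "Signed": "false"},
    {"EventID": 7, "Computer": "WS01", "UtcTime": "2024-01-15 10:00:02.000",
     "Image": "C:\\Users\\alice\\Downloads\\TightVNC\\vncviewer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Computer": "WS01", "UtcTime": "2024-01-15 10:05:00.000",
     "Image": "C:\\ProgramData\\ssh\\ssh-agent.exe",
     "ImageLoaded": "C:\\ProgramData\\ssh\\libcrypto.dll", "Signed": "false"},
    {"EventID": 13, "Computer": "WS01", "UtcTime": "2024-01-15 10:00:30.000",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vncviewer",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\vnc\\vncviewer.exe"},
    {"EventID": 13, "Computer": "WS02", "UtcTime": "2024-01-15 09:00:00.000",
     "TargetObject": "HKU\\S-1-5-21-2000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},
    {"EventID": 11, "Computer": "WS01", "UtcTime": "2024-01-15 10:00:31.000",
     "Image": "C:\\Users\\alice\\Downloads\\TightVNC\\vncviewer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-01-15 10:01:00.000",
     "Image": "C:\\Windows\\System32\\whoami.exe", "ParentProcessGuid": "{A1}"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-01-15 10:01:03.000",
     "Image": "C:\\Windows\\System32\\systeminfo.exe", "ParentProcessGuid": "{A1}"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-01-15 10:01:09.000",
     "Image": "C:\\Windows\\System32\\ipconfig.exe", "ParentProcessGuid": "{A1}"},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2024-01-15 11:00:00.000",
     "Image": "C:\\Windows\\System32\\whoami.exe", "ParentProcessGuid": "{B7}"},
])


def _ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_sideload(e):
    """Event 7: a watchlisted DLL, or any unsigned DLL loaded from a
    user-writable directory, is a side-loading candidate."""
    if e.get("EventID") != 7:
        return None
    dll = e["ImageLoaded"]
    if _base(dll) in SIDELOAD_DLL_NAMES or (e.get("Signed") == "false" and in_user_writable(dll)):
        return {"rule": "dll_sideload", "host": e["Computer"], "detail": f"{e['Image']} loaded {dll}"}
    return None


def check_persistence(e):
    """Event 13 Run-key value pointing into a user-writable path, or Event 11
    file creation in the Startup folder."""
    eid = e.get("EventID")
    if eid == 13 and RUN_KEY_MARKER in e["TargetObject"].lower() and in_user_writable(e.get("Details", "")):
        return {"rule": "run_key_persistence", "host": e["Computer"], "detail": e["TargetObject"]}
    if eid == 11 and STARTUP_MARKER in e["TargetFilename"].lower():
        return {"rule": "startup_folder_persistence", "host": e["Computer"], "detail": e["TargetFilename"]}
    return None


def check_discovery_bursts(events, window_s=60, min_distinct=3):
    """Event 1: min_distinct different discovery binaries launched by the same
    parent within window_s seconds is a burst; a lone whoami is not."""
    by_parent = defaultdict(list)
    for e in events:
        if e.get("EventID") == 1 and _base(e["Image"]) in DISCOVERY_BINARIES:
            by_parent[(e["Computer"], e["ParentProcessGuid"])].append(e)
    findings = []
    for (host, parent), evs in by_parent.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            names = {_base(x["Image"]) for x in evs[i:]
                     if (_ts(x) - _ts(first)).total_seconds() <= window_s}
            if len(names) >= min_distinct:
                findings.append({"rule": "discovery_burst", "host": host,
                                 "detail": f"parent {parent}: {sorted(names)}"})
                break
    return findings


def hunt(jsonl):
    """Run every check over a JSON-lines event stream and return the findings."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    findings = []
    for e in events:
        for f in (check_sideload(e), check_persistence(e)):
            if f:
                findings.append(f)
    findings.extend(check_discovery_bursts(events))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f["detail"])
```

The WS02 events are there to show the false-positive side: a Run-key value for a vendor binary under Program Files and a single whoami from an administrator's shell are not flagged, whereas the same checks fire on WS01 where the side-loaded DLLs, the Run key, the Startup-folder shortcut and the discovery burst all trace back to the trojanized viewer. Baseline your own Run-key and Startup-folder contents and verify code signatures before treating any single hit as malicious.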
False Positive Consideration:
- Legitimate use of remote access tools and system administration commands.
- Normal network traffic patterns that may resemble C2 communication.
- Benign software or scripts that exhibit similar behavior to Lazarus group’s tools.
Recommendations:
- Implement strong email security measures to detect and block spearphishing attempts.
- Educate users about social engineering tactics and the risks of fake job offers.
- Maintain up-to-date security patches and endpoint protection to prevent malware infections.
- Monitor for suspicious process execution, file modifications, and network connections.
- Utilize threat intelligence feeds and IOCs to proactively identify Lazarus group-related threats.
- Develop and test incident response plans to ensure effective handling of advanced persistent threats.
This emulation scenario is derived from the same Lazarus group reporting as the hunt above, focusing on the group's updated TTPs. It is designed to generate representative security events in a test environment.
Objective:
- Emulate Lazarus group’s attack techniques to generate representative security events.
- Evaluate the effectiveness of your detection and response capabilities.
Target Techniques:
- Spearphishing Attachment [T1566]
- System Information Discovery [T1082]
- Command and Control [T1071]
- Lateral Movement (no ATT&CK technique ID is given in the TTP list above; T1071 is Application Layer Protocol, a command-and-control technique, and does not cover lateral movement)
- Defense Evasion [T1562]
- Persistence [T1547]
Environment:
- Controlled test environment mirroring your production environment.
- Security monitoring tools (SIEM, EDR) configured for event collection.
- Auditing policies enabled for relevant operating systems and applications.
Emulation Steps:
- Initial Access:
  - Craft a spearphishing email with a malicious attachment.
  - Use a trojanized remote access tool (e.g., TightVNC, UltraVNC Viewer).
  - Deliver the payload within a compressed ISO file.
- Execution:
  - Execute the trojanized tool to initiate the infection chain.
- Defense Evasion:
  - Employ DLL side-loading techniques (e.g., with vnclang.dll).
  - Utilize obfuscation or encryption to hide malicious activity.
- Persistence:
  - Create registry keys for persistence (e.g., under HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
  - Add a benign executable to the Startup folder.
  - Side-load DLLs through legitimate services (e.g., ssh-agent).
- Command and Control:
  - Establish a connection to a controlled C2 server.
  - Use HTTP and cookie values for C2 communication.
  - Simulate data exfiltration.
- Lateral Movement:
  - Use compromised credentials or exploits for lateral movement.
  - Access other systems within the test environment.
- System Information Discovery:
  - Execute commands or scripts to gather system information.
  - Collect data about the OS, network, and installed software.
- Payload Delivery:
  - Deliver additional payloads or plugins from the C2 server.
  - Simulate downloading and executing these payloads.
Evaluation:
- Monitor security alerts generated during the emulation.
- Analyze the effectiveness of your detection rules.
- Identify gaps in defenses and areas for improvement.
- Refine detection rules and response procedures based on the results.
Note:
- Conduct all activities in a controlled environment; do not impact production systems.
- Use benign tools and scripts to avoid damage.
- Document all steps and findings for future reference.