The case of a Spanish aerospace firm

ESET researchers have uncovered a Lazarus assault in opposition to an aerospace firm in Spain, the place the group deployed a number of instruments, most notably a publicly undocumented backdoor we named LightlessCan. Lazarus operators obtained preliminary entry to the corporate’s community final 12 months after a profitable spearphishing marketing campaign, masquerading as a recruiter for Meta – the corporate behind Fb, Instagram, and WhatsApp.

The pretend recruiter contacted the sufferer by way of LinkedIn Messaging, a function throughout the LinkedIn skilled social networking platform, and despatched two coding challenges required as a part of a hiring course of, which the sufferer downloaded and executed on an organization machine. The primary problem is a really fundamental venture that shows the textual content “Whats up, World!”, the second prints a Fibonacci sequence – a sequence of numbers by which every quantity is the sum of the 2 previous ones. ESET Analysis was capable of reconstruct the preliminary entry steps and analyze the toolset utilized by Lazarus due to cooperation with the affected aerospace firm.

On this blogpost, we describe the tactic of infiltration and the instruments deployed throughout this Lazarus assault. We may also current a few of our findings about this assault on the Virus Bulletin convention on October 4, 2023.

Key factors of the blogpost:

• Staff of the focused firm have been contacted by a pretend recruiter by way of LinkedIn and tricked into opening a malicious executable presenting itself as a coding problem or quiz.
• We recognized 4 totally different execution chains, delivering three sorts of payloads by way of DLL side-loading .
• Probably the most notable payload is the LightlessCan backdoor, implementing strategies to hinder detection by real-time safety monitoring software program and evaluation by cybersecurity professionals; this presents a significant shift compared with its predecessor BlindingCan, a flagship HTTP(S) Lazarus RAT.
• We attribute this exercise with a excessive stage of confidence to Lazarus, significantly to its campaigns associated to Operation DreamJob.
• The ultimate objective of the assault was cyberespionage.

Lazarus delivered varied payloads to the victims’ methods; essentially the most notable is a publicly undocumented and complex distant entry trojan (RAT) that we named LightlessCan, which represents a big development in comparison with its predecessor, BlindingCan. LightlessCan mimics the functionalities of a variety of native Home windows instructions, enabling discreet execution throughout the RAT itself as a substitute of noisy console executions. This strategic shift enhances stealthiness, making detecting and analyzing the attacker’s actions more difficult.

One other mechanism used to attenuate publicity is the employment of execution guardrails; Lazarus made positive the payload can solely be decrypted on the meant sufferer’s machine. Execution guardrails are a set of protecting protocols and mechanisms carried out to safeguard the integrity and confidentiality of the payload throughout its deployment and execution, successfully stopping unauthorized decryption on unintended machines, reminiscent of these of safety researchers. We describe the implementation of this mechanism within the Execution chain 3: LightlessCan (advanced model) part.

Attribution to the Lazarus group

The Lazarus group (often known as HIDDEN COBRA) is a cyberespionage group linked to North Korea that has been lively since at the very least 2009. It’s liable for high-profile incidents reminiscent of each the Sony Footage Leisure hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, the 3CX and X_TRADER supply-chain assaults, and an extended historical past of disruptive assaults in opposition to South Korean public and significant infrastructure since at the very least 2011. The variety, quantity, and eccentricity in implementation of Lazarus campaigns outline this group, in addition to that it performs all three pillars of cybercriminal actions: cyberespionage, cybersabotage, and pursuit of monetary acquire.

Aerospace corporations aren’t an uncommon goal for North Korea-aligned superior persistent risk (APT) teams. The nation has performed a number of nuclear checks and launched intercontinental ballistic missiles, which violate United Nations (UN) Safety Council resolutions. The UN displays North Korea’s nuclear actions to stop additional growth and proliferation of nuclear weapons or weapons of mass destruction, and publishes biannual reviews monitoring such actions. In line with these reviews, North Korea-aligned APT teams assault aerospace corporations in makes an attempt to entry delicate know-how and aerospace know-how, as intercontinental ballistic missiles spend their midcourse part within the house exterior of Earth’s environment. These reviews additionally declare that cash gained from cyberattacks accounts for a portion of North Korea’s missile growth prices.

We attribute the assault in Spain to the Lazarus group, particularly to Operation DreamJob, with a excessive stage of confidence. The title for Operation DreamJob was coined in a blogpost by ClearSky from August 2020, describing a Lazarus marketing campaign focusing on protection and aerospace corporations, with the target of cyberespionage. Since then, now we have loosely used the time period to indicate varied Lazarus operations leveraging job-offering lures however not deploying instruments clearly just like these concerned in its different actions, reminiscent of Operation In(ter)ception. For instance, the marketing campaign involving instruments signed with 2 TOY GUYS certificates (see ESET Risk Report T1 2021, web page 11), and the case of Amazon-themed lures within the Netherlands and Belgium revealed in September 2022.

Our attribution is predicated on the next elements, which present a relationship largely with the beforehand talked about Amazon-themed marketing campaign:

1. Malware (the intrusion set):

• Preliminary entry was obtained by making contact by way of LinkedIn after which convincing the goal to execute malware, disguised as a take a look at, with a view to reach a hiring course of. It is a identified Lazarus tactic, used at the very least since Operation DreamJob.
• We noticed new variants of payloads that have been beforehand recognized within the Dutch case from final 12 months, reminiscent of intermediate loaders and the BlindingCan backdoor linked with Lazarus.
• A number of sorts of sturdy encryption have been leveraged within the instruments of this Lazarus marketing campaign – AES-128 and RC6 with a 256-bit key – that have been additionally used within the Amazon-themed marketing campaign.

2. Infrastructure:

• For the first-level C&C servers (listed within the Community part on the finish of this blogpost), the attackers don’t arrange their very own servers, however compromise present ones, normally these having poor safety and that host websites with uncared for upkeep. It is a typical, but weak-confidence conduct, of Lazarus.

3. Cui bono:

• Pilfering the know-how of an aerospace firm is aligned with long-term objectives manifested by Lazarus.

Preliminary entry

The group focused a number of firm workers by way of LinkedIn Messaging. Masquerading as a Meta recruiter, the attacker used a job supply lure to draw the goal’s consideration and belief; a screenshot of this dialog, which we obtained throughout our cooperation with the Spanish aerospace firm, is depicted in Determine 1.

Originally of Lazarus assaults, the unaware targets are normally satisfied to recklessly self-compromise their methods. For this function, the attackers make use of totally different methods; for instance, the goal is lured to execute an attacker-provided (and trojanized) PDF viewer to see the total content material of a job supply. Alternately, the goal is inspired to attach with a trojanized SSL/VPN shopper, being supplied with an IP deal with and login particulars. Each eventualities are described in a Microsoft blogpost revealed in September 2022. The narrative on this case was the scammer’s request to show the sufferer’s proficiency within the C++ programming language.

Two malicious executables, Quiz1.exe and Quiz2.exe, have been offered for that function and delivered by way of the Quiz1.iso and Quiz2.iso pictures hosted on a third-party cloud storage platform. Each executables are quite simple command line purposes asking for enter.

The primary one is a Whats up World venture, which is a really fundamental program, typically consisting of only a single line of code, that shows the textual content “Whats up, World!” when executed. The second prints a Fibonacci sequence as much as the most important ingredient smaller than the quantity entered as enter. A Fibonacci sequence is a sequence of numbers by which every quantity is the sum of the 2 previous ones, sometimes beginning with 0 and 1; nevertheless, on this malicious problem, the sequence begins with 1 and a couple of. Determine 2 shows instance output from the Fibonacci sequence problem. After the output is printed, each executables set off the malicious motion of putting in extra payloads from the ISO pictures onto the goal’s system. The duty for a focused developer is to grasp the logic of this system and rewrite it within the C++ programming language.

The chain of occasions that led to the preliminary compromise is sketched in Determine 3. The primary payload delivered to the goal’s system is an HTTP(S) downloader that now we have named NickelLoader. The software permits the attackers to deploy any desired program into the reminiscence of the sufferer’s laptop.

Put up-compromise toolset

As soon as NickelLoader is working on the goal’s system, the attackers use it to ship two sorts of RATs. Considered one of these RATs is already identified to be a part of the Lazarus toolkit, particularly a variant of the BlindingCan backdoor with restricted performance however an identical command processing logic. To differentiate it, we put the prefix mini- in entrance of the variant’s title. Moreover, the attackers launched a RAT not beforehand undocumented publicly, which now we have named LightlessCan.

The RATs are deployed as the ultimate step of chains of levels with various ranges of complexity and are preceded by helper executables, like droppers and loaders. We denote an executable as a dropper if it incorporates an embedded payload, even when it’s not dropped onto the file system however as a substitute loaded immediately into reminiscence and executed. Malware that doesn’t have an encrypted embedded knowledge array, however that hundreds a payload from the file system, we denote as a loader.

Apart from the preliminary quiz-related lures, Desk 1 summarizes the executable recordsdata (EXEs) and dynamic hyperlink libraries (DLLs) delivered to the sufferer’s system. All of the malware samples within the third column are trojanized open-source purposes (see the fourth column for the underlying venture), with a reliable executable side-loading a malicious DLL. For instance, the malicious mscoree.dll is a trojanized model of the reliable NppyPluginDll; the DLL incorporates an embedded NickelLoader and is loaded by a reliable PresentationHost.exe, each situated within the C:ProgramShared listing.

Desk 1. Abstract of binaries concerned within the assault

Probably the most important replace is mimicked performance of many native Home windows instructions like ping, ipconfig, systeminfo, sc, internet, and many others. The hardcoded string “The operation accomplished efficiently.”, the usual system message for the ERROR_SUCCESS consequence, introduced us to that concept. Desk 2 incorporates a listing of these instructions which can be carried out in LightlessCan. In beforehand reported Lazarus assaults, as documented in blogposts by Optimistic Applied sciences in April 2021 and HvS Consulting in December 2020, these native instructions are sometimes executed in lots of situations after the attackers have gotten a foothold within the goal’s system. Nonetheless, on this case, these instructions are executed discreetly throughout the RAT itself, quite than being executed visibly within the system console. This method gives a big benefit when it comes to stealthiness, each in evading real-time monitoring options like EDRs, and postmortem digital forensic instruments. The interior model quantity (1.0) signifies that this represents a brand new growth effort by the attackers.

Because the core utilities of Home windows are proprietary and never open-source, the builders of LightlessCan confronted a alternative: both to reverse engineer the closed-source system binaries or to get impressed by the code obtainable by way of the Wine venture, the place many applications are rewritten with a view to mimic their execution on different platforms like Linux, macOS, or ChromeOS. We’re inclined to consider the builders selected the primary possibility, because the corresponding Wine applications they mimicked in LightlessCan have been carried out somewhat bit in another way or under no circumstances (e.g., netsh).

Curiously, in one of many instances we analyzed, the LightlessCan payload is saved in an encrypted file on the compromised machine, which may solely be decrypted utilizing an environment-dependent key. Extra particulars about this may be discovered within the Execution chain 3: LightlessCan (advanced model) part. That is to make sure that the payload can solely be decrypted on the pc of the meant sufferer and never, for instance, on a tool of a safety researcher.

Desk 2. The checklist of LightlessCan instructions mimicking these for Home windows immediate

Moreover, an examination of the RAT’s inside configuration means that, compared to BlindingCan, Lazarus elevated the code sophistication in LightlessCan.

Technical evaluation

On this part, we offer technical particulars in regards to the compromise chain that delivers the NickelLoader downloader, and the three execution chains Lazarus used to ship its payloads on the compromised system.

Compromise chain: NickelLoader

NickelLoader is an HTTP(S) downloader executed on the compromised system by way of DLL side-loading, which is later used to ship different Lazarus payloads.

The method of delivering NickelLoader unfolds in a sequence of levels, commencing with the execution of PresentationHost.exe, which is triggered routinely after the goal manually executes the preliminary quiz challenges; the Quiz1 case is depicted in Determine 3. A malicious dynamically linked library, mscoree.dll, is then side-loaded by the reliable PresentationHost.exe – each situated in C:ProgramShared. This DLL is a trojanized NppyPluginDll.dll, from the inactive Normal Python Plugins DLL for Notepad++ venture from 2011. It serves as a dropper and has varied exports: all of the exports copied from the unique NppyPluginDll.dll plus all of the exports from the reliable mscoree.dll. Considered one of these reliable exports, CorExitProcess, incorporates the malicious code liable for the decryption and execution of the subsequent malware stage.

To efficiently decrypt an encrypted knowledge array embedded within the dropper, three 16-character-long key phrases are required by the dropper. These key phrases are as follows:

1. the title of the dad or mum course of (PresentationHost),
2. the inner parameter hardcoded within the binary (9zCnQP6o78753qg8), and
3. the exterior parameter handed on the command line (?embeddingObject), which is inherited from the dad or mum means of PresentationHost.exe, being offered by Quiz1.exe or Quiz2.exe.

The key phrases are XOR-ed byte by byte and the output types the AES-128 decryption key.

The payload is an HTTP(S) downloader that acknowledges 4 instructions, all 5 letters lengthy, proven in Desk 3. Due to these 5 letter instructions, we selected to call this payload “NickelLoader”, drawing inspiration from the colloquial time period for the US five-cent coin – a nickel. A very powerful instructions are avdrq and gabnc. When these instructions are issued, every of them hundreds knowledge obtained from the C&C server as a DLL. For this function, the attackers most likely used MemoryModule, a library that can be utilized to load a DLL fully from reminiscence.

Desk 3. The checklist of magic key phrases acknowledged in obtained buffers

Execution chain 1: miniBlindingCan

One of many payloads downloaded and executed by NickelLoader is miniBlindingCan, a simplified model of the group’s flagship BlindingCan RAT. It was reported for the primary time by Mandiant in September 2022, below the title AIRDRY.V2.

To load miniBlindingCan, a 64-bit malicious dynamically linked library colorui.dll is side-loaded by a reliable colorcpl.exe executed from C:ProgramDataAdobe and serves as a dropper. The DLL is obfuscated utilizing VMProtect and incorporates hundreds of exports from which LaunchColorCpl is an important, because it handles the execution of the subsequent stage. There’s an encrypted knowledge array within the DLL’s dumped physique, along with a number of debug symbols revealing the basis listing and the venture from which it was constructed:

W:DevelopaToolShellCodeLoaderApplibressl-2.6.5

Because the title ShellCodeLoader suggests, the primary function of this preliminary stage is to decrypt and cargo the information array from its physique, which incorporates shellcode. Originally of its execution, ShellCodeLoader employs anti-debugging strategies by inspecting the BeingDebugged worth throughout the Course of Setting Block (PEB) construction to find out if it’s being scrutinized or analyzed by debugging instruments, and makes use of anti-sandbox strategies to keep away from detection inside sandboxed environments designed for safety evaluation. The malware additionally explicitly checks whether or not its dad or mum course of is colorcpl.exe; if not, it exits instantly.

The decrypted knowledge array isn’t a whole DLL, however types an intermediate blob with two elements: shellcode adopted by one other encrypted knowledge array, which represents the final step of the chain. The shellcode appears to be produced by an occasion of the open-source venture ShellcodeRDI – specifically, the ShellcodeRDI.c code. It was most likely produced by executing the Python script ConvertToShellcode.py from this venture on a payload DLL appearing as a supply for reflective DLL injection.

The ultimate payload is extracted and decrypted utilizing XOR with an extended key, which is a string constructed by concatenating the title of the dad or mum course of (colorcpl.exe), the filename of the dropper (colorui.dll), and the exterior command line parameter – on this case leading to COLORCPL.EXECOLORUI.DLL669498484488D3F22712CC5BACA6B7A7. This course of is akin to what we noticed with BlindingCan backdoor within the Dutch case we beforehand described in this WeLiveSecurity blogpost. The decryption reveals an executable with download-and-execute performance, whose inside logic of sending and parsing instructions is strongly harking back to BlindingCan, a flagship HTTP(S) Lazarus RAT. Not like the case within the Netherlands, it isn’t VMProtect-ed and it helps solely a small subset of instructions obtainable beforehand: evaluate Desk 4in this blogpost and Desk 3 within the blogpost on the Dutch case from September 2022. As a result of the options of this RAT are notably scaled down in comparison with these in BlindingCan, and but they appear to share the identical server-side infrastructure, now we have chosen to tell apart it by appending the prefix “mini-“ to its title, highlighting its diminished performance in comparison with its fully-featured RAT counterpart.

Desk 4. Instructions of miniBlindingCan

Determine 11 exhibits the decrypted state of a 9,392-byte-long configuration embedded within the RAT. It incorporates 5 URLs, on this case compromised web sites, every restricted by a most measurement of 260 extensive characters.

Execution chain 2: LightlessCan (easy model)

One other payload now we have seen executed by NickelLoader is LightlessCan, a brand new Lazarus backdoor. We have now noticed two totally different chains loading this backdoor.

Within the easy model of the chain, the dropper of this payload is the malicious dynamically linked library mapistub.dll that’s side-loaded by the reliable fixmapi.exe executed from C:ProgramDataOracleJava. The DLL is a trojanized Lua plugin, model 1.4, with all of the exports copied from the reliable Home windows mapi32.dll. The export FixMAPI incorporates malicious code liable for decrypting and loading the subsequent stage; all the opposite exports comprise benign code sourced from a publicly obtainable MineSweeper pattern venture. This mapistub.dll dropper has persistence established by way of a scheduled activity. Sadly, we lack extra particulars about this activity, besides that its dad or mum course of seems as %WINDOWSpercentsystem32svchost.exe -k netsvcs -p -s Schedule.

To efficiently decrypt the embedded knowledge array, the dropper wants three key phrases to be offered appropriately:

1. the title of the dad or mum course of (fixmapi.exe),
2. the inner parameter hardcoded within the binary (IP7pdINfE9uMz63n), and
3. the exterior parameter handed within the command line (AudioEndpointBuilder).

The key phrases are XOR-ed byte by byte and the output types a 128-bit AES key for use for decryption. Observe that the size of the key phrases aren’t all precisely 16 bytes, however the decryption course of will nonetheless work if the outsized string is truncated to a 16-byte size (for example, AudioEndpointBuilder to AudioEndpointBui), and the undersized string, fixmapi.exe, is handled as fixmapi.exex00x00x00x00x00, as a result of the string was initialized as 260 situations of the NUL character.

Execution chain 3: LightlessCan (advanced model)

Probably the most advanced chain we noticed on the compromised system additionally delivers LightlessCan, with varied elements concerned within the full chain of set up levels: a reliable software, an preliminary dropper, a whole dropper (which incorporates the configuration), an intermediate dropper, a configuration file, a file with system data (for the decryption of encrypted payloads on the file system), an intermediate loader and the ultimate step, the LightlessCan RAT. The connections and relationships amongst these recordsdata are illustrated in Determine 12.

The preliminary dropper of the fourth chain is a malicious dynamically linked library HID.dll that’s side-loaded by a reliable executable, tabcal.exe, executed from C:ProgramDataAdobeARM. The DLL is a trojanized model of MZC8051.dll, a reliable file from the 8051 C compiler plugin venture for Notepad++. It incorporates all of the exports from the unique venture, but in addition the mandatory exports from the reliable Hid Person Library by Microsoft, in order that the side-loading by tabcal.exe might be profitable. The export HidD_GetHidGuid incorporates the malicious code liable for dropping the subsequent stage and, as within the case of the dropper of the earlier chain (Execution chain 2), all the opposite exports comprise the benign MineSweeper code.

As within the earlier instances, three lengthy key phrases have to be offered to decrypt the embedded payload:

1. the title of the dad or mum course of (tabcal.exe),
2. the inner parameter hardcoded within the binary (9zCnQP6o78753qg8), and
3. the exterior parameter (LocalServiceNetworkRestricted) – this time not expressed as a command line parameter, however as a substitute because the content material of a file situated at %WINDOWSpercentsystem32thumbs.db.

Once more, the key phrases are XOR-ed byte by byte and the output types a 128-bit AES key for use for the decryption. As within the earlier case, the lengths of the key phrases aren’t all precisely 16 bytes, however the decryption will nonetheless work if the outsized string is truncated (for example, to LocalServiceNetw) and the undersized string is prolonged with nulls (for example, to tabcal.exex00x00x00x00x00x00).

The executable produced by the above recipe is the entire dropper from Determine 12 and has the InternalName useful resource AppResolver.dll (discovered within the VERSIONINFO useful resource). It incorporates two encrypted knowledge arrays: a small one in every of 126 bytes, and a big one in every of 1,807,464 bytes (which incorporates three subparts). First, it decrypts the small array utilizing the RC6 algorithm with the hardcoded 256-bit key DA 48 A3 14 8D BF E2 D2 EF 91 12 11 FF 75 59 A3 E1 6E A0 64 B8 78 89 77 A0 37 91 58 5A FF FF 07. The output represents paths to which the primary two subparts of the big blob are dropped (i.e., LightlessCan and the intermediate dropper), and yields the strings C:windowssystem32oci.dll and C:windowssystem32grpedit.dat.

Subsequent, it continues with decrypting the second knowledge array – the big blob – utilizing the identical encryption key as earlier than. The result’s a decrypted blob containing three subparts: a DLL akin to grpedit.dat (LightlessCan), a DLL akin to oci.dll (the intermediate dropper), and a 14,948 byte encrypted file dropped to %WINDOWSpercentSystem32wlansvc.cpl (configuration); as depicted in Determine 13.

Furthermore, the entire dropper additionally shops a number of traits figuring out the compromised system within the file %WINDOWSpercentSystem324F59FB87DF2F, whose title is hardcoded within the binary. These traits are primarily retrieved from the ComputerHKLMHARDWAREDESCRIPTIONSystemBIOS registry path. Listed here are the precise values of those traits, together with a PowerShell command offered in brackets that can be utilized to show the corresponding worth on any Home windows machine:

• SystemBIOSDate (Get-ItemProperty “HKLM:HARDWAREDescriptionSystemBIOS” -Title BIOSReleaseDate | Choose-Object -Property BIOSReleaseDate)
• SystemBIOSVersion (Get-CimInstance -ClassName Win32_Bios | Choose-Object -Property Model)
• SystemManufacturer (Get-CimInstance -ClassName Win32_ComputerSystem | Choose-Object -Property Producer)
• SystemProductName (Get-CimInstance -ClassName Win32_ComputerSystemProduct | Choose-Object -Property Title)
• Identifier in ComputerHKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemMultifunctionAdapterDiskControllerDiskPeripheral

The concatenation of the values is required for decryption of the encrypted grpedit.dat from the file system. On a take a look at machine working a picture of Home windows 10 on VMWare, the output might be:

11/12/20INTEL – 6040000VMware, Inc.VMware Digital Platform656ba047-20b25a2a-A

The oci.dll file is one other dropping layer – the intermediate dropper that drops the intermediate loader, which is a payload just like the one described within the beforehand talked about Dutch case. Once more, the attackers used an open-source venture, the Flashing Tip plugin for Notepad++, which is now not obtainable on-line. Not like the earlier instances, solely two lengthy key phrases have to be offered with a view to decrypt the embedded payload efficiently utilizing AES-128:

1. the title of the dad or mum course of (msdtc.exe), and
2. the inner parameter hardcoded within the binary (fb5XPNCr8v83Y85P).

Each key phrases are XOR-ed byte by byte (the dad or mum course of title is truncated, or padded with NULLs, as essential to fill 16 bytes). The product of the decryption is the intermediate loader (LLTMapperAPI.dll). It makes use of the system data (similar because the values saved in 4F59FB87DF2F) to decrypt the configuration file wlansvc.cpl and to find, decrypt, and cargo the encrypted grpedit.dat, which is LightlessCan, the brand new full-featured RAT.

Conclusion

We have now described a brand new Lazarus assault that originated on LinkedIn the place pretend recruiters approached their potential victims, who have been utilizing company computer systems for private functions. Though public consciousness of these kinds of assaults ought to be excessive, the success charges of those campaigns have nonetheless not dropped to zero.

Probably the most worrying facet of the assault is the brand new sort of payload, LightlessCan, a fancy and presumably evolving software that displays a excessive stage of sophistication in its design and operation, representing a big development in malicious capabilities in comparison with its predecessor, BlindingCan.

The attackers can now considerably restrict the execution traces of their favourite Home windows command line applications which can be closely used of their post-compromise exercise. This maneuver has far-reaching implications, impacting the effectiveness of each real-time monitoring options and of autopsy digital forensic instruments.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis gives personal APT intelligence reviews and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

Information

Community

MITRE ATT&CK strategies

This desk was constructed utilizing model 13 of the MITRE ATT&CK framework.

References

[1] Microsoft Safety Risk Intelligence, “ZINC weaponizing open-source software program,” 29 September 2022. [Online].

[2] D. Breitenbacher and O. Kaspars, “Operation In(ter)ception: Aerospace and army corporations within the crosshairs of cyberspies,” June 2020. [Online].

[3] HvS-Consulting AG, “Greetings from Lazarus: Anatomy of a cyber-espionage marketing campaign,” 15 December 2020. [Online].

[4] Optimistic Applied sciences Skilled Safety Middle, “Lazarus Group Recruitment: Risk Hunters vs Head Hunters,” Optimistic Applied sciences, 27 April 2021. [Online].

[5] P. Kálnai, “Amazon-themed campaigns of Lazarus within the Netherlands,” 30 September 2022. [Online].

[6] P. Kálnai, “Lazarus campaigns and backdoors in 2022-2023,” in Virus Bulletin Worldwide Convention, London, 2023. 

[7] A. Martin, “Sony Footage hacking traced to Thai resort as North Korea denies involvement,” WeLiveSecurity.com, 08 December 2014. [Online].

[8] P. Kálnai and M.-É. M.Leveillé, “Linux malware strengthens hyperlinks between Lazarus and the 3CX provide chain assault,” ESET, 20 April 2023. [Online].

[9] Protection Intelligence Company, North Korea army energy : a rising regional and international risk, Washington, D.C.: U.S. Authorities Publishing Workplace, 2021, p. 98.

[10] UN Panel of Consultants, “UN Safety Council Resolutions,” 1993-2023. [Online].

[11] ESET Editor, “WannaCryptor aka WannaCry: Key questions answered,” WeLiveSecurity.com, 15 Could 2017. [Online].

[12] Safety Council Committee, “Sanctions Committee (DPRK), Panel of Consultants, Stories,” United Nations Safety Council, 2010-2023. [Online].

[13] ClearSky Analysis Group, “Operation ‘Dream Job’ Widespread North Korean Espionage Marketing campaign,” 13 August 2020. [Online].

[14] ESET Analysis, “Risk Report T1 2022,” ESET, June 2022. [Online]. 

[15] D. Staples, “An Improved Reflective DLL Injection Approach,” 30 January 2015. [Online].

[16] J. Maclachlan, M. Potaczek, N. Isakovic, M. Williams and Y. Gupta, “It is Time to PuTTY! DPRK Job Alternative Phishing by way of WhatsApp,” Mandiant, 14 September 2022. [Online].

[17] S. Tomonaga, “Home windows Instructions Abused by Attackers,” JPCERT/CC, 26 January 2016. [Online].