A collaborative cross-industry operation called Operation Blockbuster led by analytics firm Novetta has targeted the hackers that go by the name Lazarus. Symantec has been tracking attacks associated with Lazarus since 2009 and has linked Lazarus to a wide range of incidents, several of which involved highly destructive malware. It appears to be particularly focused on targets in the US and South Korea.
The other participants include Carbon Black, Risk IQ, Trend Micro, Volexity, Threat Connect, PunchCyber, Kaspersky Lab, Invincea and AlienVault. Its preliminary report can be downloaded here.
Operation Blockbuster involves intelligence and resource sharing to assist commercial and government organizations protect themselves against Lazarus. As part of the initiative, vendors will circulate malware signatures and other useful intelligence related to these attackers.
Lazarus has been active since at least 2009 and is a well-resourced adversary, capable of mounting cyberespionage operations in addition to high-profile destructive attacks. Operation Blockbuster has stated that Lazarus was likely government-backed but it stopped short of endorsing the official US view that North Korea was to blame.
Trail of destruction
Lazarus has been linked to a series of attacks since 2009. Symantec has observed commonalities between multiple targeted campaigns it may have been involved with. Lazarus is notable for its use of aggressive and destructive tactics, such as the use of disk-wiping malware, to cause maximum disruption to its targets.
One of the earliest Lazarus attacks was a Distributed Denial of Service (DDoS) attack that knocked a number of US and South Korean websites offline. A Trojan known as Dozer (detected by Symantec asTrojan.Dozer) mounted the DDoS attacks using computers it had previously compromised. Dozer was spread through emails in a campaign involving a number of worms (detected as W32.Dozer, [email protected]>, andW32.Mytob!gen).
A similar wave of DDoS attacks hit South Korean websites in 2011, this time involving more destructive malware known as Trojan.Koredos. The Koredos Trojan not only used the infected computer to mount DDoS attacks; it also wiped the computer after a short period of time. Upon infection, the Trojan scanned for a number of different file types and copied them into an inaccessible encrypted .cab file before deleting the originals. A number of files that the Trojan searched for were related to software predominantly used in Korea (e.g. .alz, .gul, and .hwp). After this, the Trojan delivered the coup de grâce by deleting the master boot record (MBR) on all connected drives between 7 and 10 days after the initial infection. This resulted in Windows being unable to restart, effectively rending the computer unusable.
Lazarus was also linked to a series of destructive attacks against a number of South Korean corporations in 2013. Banks, broadcasters, and telecoms companies were among those affected. The attacks were reported to have compromised the targets’ servers with a disk-wiping Trojan (detected by Symantec as Trojan.Jokra). In addition to this, one telecoms firm had its website defaced with an animated image of skulls and a message from the alleged attackers, who called themselves the “Whois” team.
Aggressive attacks linked to Lazarus continued in 2014 and the group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack.
Although used against US targets, Destover shared several links to earlier attacks directed at targets in South Korea. Some samples of Destover reported to a command and control (C&C) server that was also used by a version of Trojan.Volgmer, which was crafted to attack South Korean targets. The shared C&C server indicated that the same group may have been behind both attacks. An updated version of this malware (detected asTrojan.Volgmer.B) has been used in more recent attacks against large South Korean companies.
Some of the most recent activity linked to Lazarus involved a Trojan detected as Backdoor.Duuzer. Although detected in a range of locations, one of the threat’s targets was the South Korean manufacturing industry. Duuzer’s main function appears to be cyberespionage. The Trojan provides attackers with remote access to the compromised computer, and allows them to download additional files and steal data.
There was also some evidence to suggest that the attackers behind Duuzer were spreading two other threats, detected as W32.Brambul and Backdoor.Joanap, to target more organizations in South Korea. Both pieces of malware appear to be designed to download extra payloads and carry out reconnaissance on infected computers.
Ongoing vigilance required
Attacks associated with Lazarus have frequently been highly destructive. Aside from the level of aggression displayed, Lazarus is notable for the range of tools used and the fact that it is linked to destructive attacks and lower-profile, espionage operations.
By pooling together respective insights into Lazarus, Symantec and other members of the Operation Blockbuster team hopes to strike a blow to this group while ensuring that our customers have robust protection against its tools.