Who's your favorite baddy?

Or how I broke the curse of a German Eurodisco pop band.

The Supreme Leader, seen here showing off his latest Minecraft build.

During a recent Antisyphon Training session, Wade Wells, San Diegan cybersecurity professional and mustache connoisseur, remarked that one of the best interview questions he’s had was, “Who’s your favorite threat actor?” The question is an excellent gauge of an individual’s interest in cybersecurity since a more in-depth answer demonstrates time spent studying the subject.

Reflecting on this, I immediately thought of one threat actor: The Lazarus Group. What I could not immediately articulate, however, was the ‘why.’ So, I set out on a side quest of self-discovery to highlight why the Lazarus Group tops my Advanced Persistent Threats (APTs) list.

Every Villain Has an Origin Story

The story of the Lazarus Group starts in a decrepit factory in Gotham City. A fateful night, a chance meeting with a dark avenger, and, boom, the birth of one of the world’s premier hacking groups. Admittedly, I’m using my counterfeit creative license on that one. However, much like the Joker’s origin story, no one is entirely sure about all of the details. Most agree the group began its ne’er-do-well campaigns in 2009. A North Korean state-sponsored group organized under the Reconnaissance General Bureau (RGB), its members are 100% lab-grown hackers, raised from birth on a steady diet of calculus, software engineering, and Red Bulls. Security researchers refer to the group by several names depending on who is doing the reporting. MITRE lists their aliases as:

  • Labyrinth Chollima
  • Dschinghis Khan
  • HIDDEN COBRA
  • Guardians of Peace
  • ZINC
  • DIAMOND SLEET
  • NICKEL ACADEMY
  • Whois Team
  • APT38
  • Gods Apostles
  • Gods Disciples
  • Gods Brother-in-Law
  • Stardust Chollima
  • Martian Cholera
  • BeagleBoyz
  • Bluenoroff
  • Andariel
  • UNC4736

Surprisingly, only three of those are made up. Some of these aliases refer to subgroups within the larger Lazarus Group umbrella, which I find hilarious. I can imagine how North Korean water cooler conversations go.

“How’s it been at Bluenoroff?”
“Better than being at BeagleBoyz. They laid off the whole division after Operation Troy.”
“Laid off? You mean executed?”
“Yeah, they’re dead.”

Lazarus at The Apollo: The Remastered Greatest Hits Album

Over the years, the Lazarus Group earned its notoriety following several high-visibility campaigns. In each, the organization used a combination of social engineering and sophisticated tools to achieve its goals. Some of their more famous hacks include:

  • Operation Troy — In 2013, the group targeted three South Korean banks and two television companies during annual U.S.-South Korean military exercises, wiping tens of thousands of hard drives. Lazarus Group gained initial entry into the target systems at least two months before initiating attacks. Two groups claimed responsibility, the NewRomanic Cyber Army Team and The Whois Hacking Team, though it is suspected that the Lazarus Group fabricated the names to muddy attribution.
  • Sony Pictures Breach — The 2014 hack of Sony Pictures arguably put the Lazarus Group on the map. Researchers believe the attack was in response to the release of “The Interview,” a comedy movie about a famed interviewer approached with the task of assassinating Kim Jong Un. The group employed a particularly nasty malware that would destroy all data on a server and use Windows features to help it propagate. Once the malware contacted its C2 server, it would begin wiping all data on the host drives. The group likely had in-depth knowledge of Sony’s network well before the attack started, as post-incident analysis revealed the malware included hard-coded names of Sony’s servers.
  • WannaCry — In May 2017, a ransomware attack known as WannaCry 2.0 hit ~230,000 systems globally, causing particular damage to the U.K.’s National Health Service. The Lazarus Group used a leaked NSA tool, EternalBlue, and had it do the ‘fusion dance’ with typical malware to create an overpowered Gogeta-like worm. Although initially launched via e-mail spam, the worm required no user interaction thanks to EternalBlue, which allowed it to propagate uninhibited.
  • The Lazarus Heist — In 2016, the group attempted an audacious heist of the Bangladesh Bank, the country’s central bank. The multi-phase heist included social engineering tactics to gain initial entry to the bank’s network. The group then persisted for a year within the network, using the time to understand the environment and make preparations for laundering the money. They timed the attack to align with a national holiday weekend and used the difference in time zones to give them the greatest window of opportunity. When the opportunity came, the group initiated 35 fund transfers valued at over $951 million, just about every cent in the bank. Not all of the money made it to their laundering accounts in Manila, Philippines, but the group managed to launder $81 million that made its way to North Korea.

Like other APTs, their crimes are often politically motivated, focusing on espionage or cyberwarfare. In late 2020, the group targeted security researchers by posing as researchers themselves, creating blogs and social media posts discussing their field, and reaching out to victims with offers of collaborating on research projects. However, the group has become a significant source of income for the Kim regime (crime is literally government policy). Cryptocurrency theft has become one of their primary efforts, and they’ve successfully extracted millions on more than one occasion. North Korean hackers have allegedly stolen over $2.2 billion since 2018. The group is also known for its supply chain attacks, in one case inserting malicious code into a legitimate multimedia app.

Choose Your Weapon

The Lazarus Group employs various tools and techniques to compromise target networks. MITRE has compiled a substantial list of tools used by the group in previous campaigns. The group will use everything from compromised passwords to social engineering and watering hole attacks for initial entry. Once they’ve secured a beachhead within the target network, they will lay low, sometimes for months, before executing the attack.


Gaining entry is often accomplished by tricking users into downloading malicious files. These generally come in the form of a remote access trojan (RAT), a nasty type of malware that can communicate with a command and control server and download additional capabilities to avoid detection, erase logs, or exfiltrate data. Of course, simply downloading a malicious file isn’t enough to gain solid entry into a system. Anti-malware software can scan files for known malware types, and intrusion detection systems could identify suspicious activity on the network. To counter these security measures, threat actors will use multi-stage payloads and exploit processes so the malware lives in system memory and not on a storage drive. During Operation Dream Job, the Lazarus Group used a comical number of stages to avoid detection and gain access to their target. Below, I’ve listed a summary of the attack stages.

  1. Trick the target user into downloading an ISO file that contains the malicious files, amazon.vnc, version.dll, and aws.cfg.
  2. amazon.vnc sideloads version.dll.
  3. version.dll spawns a new process and injects aws.cfg.
  4. Re-watch Game of Thrones.
  5. aws.cfg downloads shellcode from a hijacked website.
  6. The shellcode launches Rollfling.
  7. Rollfling retrieves Rollsling.
  8. Make a bagel with cream cheese.
  9. Rollsling (executing from memory) pulls Rollmid.
  10. Rollmid calls a C2 server for the IP address of a second C2 server.
  11. Rollmid then calls the second C2 server and downloads an image file secretly containing the IP address to a third C2 server.
  12. Remember how poorly Game of Thrones ended.
  13. Rollmid calls the third C2 server to download KaolinRAT, named after a scrapped Disney movie about a martial arts rodent from Ohio.
  14. KaolinRAT calls a fourth C2 server and deploys a rootkit.
  15. The RAT continues additional actions, allowing it to persist and execute commands.
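Stages 2 and 3 of that chain hinge on DLL sideloading: a legitimate-looking program (amazon.vnc) is dropped next to a file named after a Windows system DLL (version.dll), and the loader picks up the attacker's copy instead of the real one in System32. That pattern is detectable from ordinary image-load telemetry. The script below is an added example written for this post, not code from the original article or from any vendor tool; the log format (timestamp|process image|loaded DLL) is a constructed, simplified one, and the sample lines are made up. The list of abusable DLL names is a small starter set, with version.dll taken from the chain above and the others added as assumptions.

```python
"""Heuristic DLL-sideloading detection over image-load telemetry.

Added example; not from the original post or any vendor product.
Log lines are constructed and use a simplified format:
    <timestamp>|<process image path>|<loaded DLL path>
Map your own telemetry (e.g. Sysmon Event ID 7 Image/ImageLoaded fields)
into this shape before running it on real data.
"""
import ntpath  # Windows path semantics regardless of the host OS

# DLL names that legitimately live only in the Windows system directories
# and are popular sideloading targets. version.dll is named in the Dream Job
# chain above; the rest are an assumed starter set, not from the post.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "winhttp.dll", "wtsapi32.dll"}

# Directories where these DLLs are expected to be loaded from.
SYSTEM_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed sample telemetry. Line 2 mirrors stage 2 of the chain: a
# mounted ISO (drive D:) holding amazon.vnc and a rogue version.dll.
CONSTRUCTED_LOG = r"""
2024-01-01T10:00:00Z|C:\Windows\System32\svchost.exe|C:\Windows\System32\version.dll
2024-01-01T10:00:05Z|D:\amazon.vnc|D:\version.dll
2024-01-01T10:00:07Z|C:\Program Files\App\app.exe|C:\Program Files\App\custom.dll
2024-01-01T10:00:09Z|C:\Users\alice\AppData\Local\Temp\setup.exe|C:\Users\alice\AppData\Local\Temp\winhttp.dll
"""


def normalize(path):
    """Lower-case and normalise a Windows path so comparisons are stable."""
    return ntpath.normpath(path).lower()


def classify(process_path, dll_path):
    """Return a reason string if the load looks like sideloading, else None.

    Rule: a known system DLL *name* loaded from anywhere other than the
    system directories is suspicious; loading it from the very directory
    the process image lives in is the classic sideload shape.
    """
    proc_dir = ntpath.dirname(normalize(process_path))
    dll_dir, dll_name = ntpath.split(normalize(dll_path))
    if dll_name not in SYSTEM_DLLS:
        return None
    if dll_dir in SYSTEM_DIRS:
        return None  # expected location, benign
    if dll_dir == proc_dir:
        return "system DLL name loaded from the process's own directory (classic sideload)"
    return "system DLL name loaded from a non-system directory"


def scan(log_text):
    """Run classify() over every log line; return (ts, process, dll, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, process_path, dll_path = line.split("|")
        reason = classify(process_path, dll_path)
        if reason:
            findings.append((ts, process_path, dll_path, reason))
    return findings


if __name__ == "__main__":
    for ts, proc, dll, reason in scan(CONSTRUCTED_LOG):
        print(f"{ts}  {proc}  loaded  {dll}\n    -> {reason}")
```

The check is deliberately path-based rather than hash-based: the attacker's version.dll will never match a known-bad hash on first sight, but "a system DLL name loaded from a drive root or a user-writable folder" is a stable, cheap signal. Pair it with a baseline of which processes load which DLLs in your environment to keep false positives from installers down.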

So, why the Lazarus Group?

North Korea is not in a good place, thanks to the iron-clad grip of its government. It ranks amongst the poorest countries in the world. Everything about the country, from industry and commerce to the availability of modern amenities, lags behind just about every other country on the planet. As much as it invests in its military, it still lacks many modern capabilities, and its aging weapons inventory is only getting worse. Despite the challenges stemming from its ongoing policy of isolationism, the country continues to be at the forefront in one area: the cyber domain.

The Lazarus Group has demonstrated to the world that the country is far more capable than it appears at first glance. Though perhaps not as technologically advanced as other APTs, the group undeniably poses a legitimate threat that we should not underestimate. North Korean hackers are dedicated to their cause and willing to break any rule to achieve their aims, which include literally funding their homeland with stolen money. As AI advances and becomes more commonplace, we can expect North Korea to leverage it to further overcome its disadvantages (it’s happening already). The Lazarus Group’s accomplishments are admirable, considering the conditions its members face. In my opinion, it is the perfect environment to spawn more chaos we don’t need.