How the Lazarus Group Targets Fintech

The threat actor primarily used phishing to gain credentials of user accounts at target businesses. The phishing quality was relatively high compared to other phishing activities we observe, suggesting the threat actor had invested considerable time to maximize their chances of success. If you want to learn more about various phishing techniques, check out this blog post.

We uncovered technical artifacts that indicated that the threat actor could circumvent two-factor authentication by stealing session tokens. This technique manifested itself as a legitimate user login, including two-factor authentication followed shortly after that by another successful login from a different IP address that skipped the two-factor authentication by presenting the valid session token from the first login. Our findings include previously unreported tools for stealing session tokens from web browsers, which we believe the threat actor used for this two-factor authentication bypass.

In one case, a personal device running Windows 10, not managed by the victim business, appears to have been used as a staging point for the session token and user credential theft mentioned earlier. The personal device was out of scope of our investigation due to privacy concerns, so we have not been able to determine whether that was part of an elaborate plan of attack or merely a coincidental non-targeted infection the threat actor was able to leverage. 

We observed two noteworthy privilege escalation techniques in this campaign.

We found traces indicating the threat actor achieved privilege escalation through DLL hijacking on Windows hosts. The threat actor applied a combination of the IKEEXT service and the VIAGLT64.SYS driver, which is known to be vulnerable, as noted in CVE-2017-16237.

The threat actor also modified the registry on Windows systems to enable the WDigest authentication provider, causing passwords to be stored in memory in plaintext form, making it easier to harvest those credentials.

We observed the threat actor using two common persistence techniques. The first was the creation of scheduled tasks to execute malicious binaries at regular intervals. The second was the configuration of Windows hosts to start compromised services at each system restart automatically.

The threat actor used several custom Remote Access Trojans (RATs) to perform activities on compromised hosts. The RATs that we analyzed all appeared to be members of a cross-platform malware family, indicated by their large functional overlap, code similarities, and nonfunctional code remnants after porting from one operating system to another.

The RATs implement a command-and-control protocol similar to one we uncovered during an unrelated campaign we attributed to Lazarus in 2016. They use HTTPS as a base communication channel and add an extra layer of custom encryption.

We found command-and-control commands showing that the attackers were actively browsing folders and retrieving files, including network security information. We used Windows’ system resource utilization monitor (SRUM) to identify the activity of malicious binaries. SRUM tracks network usage of processes, among other things. SRUM does not seem to be used often by incident response teams, but with this tool, we could determine connections to the attackers’ identified command and control hosts and the amount of data sent and received.

One of the most challenging things in cybersecurity is to detect precisely what data has been copied and siphoned off; after all, nothing has disappeared. It is also impossible to say with certainty what the attackers were after. As indicated, we also had to assume in some cases what the threat actor had done to penetrate certain defenses.  

The attackers’ goal remains unclear. Some of the businesses affected by this Lazarus campaign are active in cryptocurrency trading, so it may be possible that the attackers were after crypto assets. However, our investigation did not reveal any evidence of this.

Another possibility is that they wanted to steal the targets’ trading algorithms. However, our investigation found no clues of that either, and we have never been able to link Lazarus to crypto market manipulation. The question, moreover, is how those trading algorithms would help Lazarus - or, more broadly, North Korea. After all, Lazarus would have to work through third parties to be able to manipulate trades. The crypto markets are large, the algorithms are relatively generic, and the effects of manipulation would probably be small. 

In this case, it is also conceivable that Lazarus could have siphoned off data about the target businesses’ networks. For example, data about what equipment is running and which vendors provide the equipment. This might be valuable information if the attackers want to come back at a later stage, for example if they think that the business in question will engage in interesting crypto activities in the future.