Since two years ago (March 2021), the Lazarus group’s malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. As such, ASEC (AhnLab Security Emergency Response Center) has been pursuing and analyzing the Lazarus threat group’s activities and related malware.
The affected company in this case had been infiltrated by the Lazarus group in May 2022 and was re-infiltrated recently through the same software’s 0-Day vulnerability. During the infiltration in May 2022, the affected company was using a vulnerable version of a certificate program that was commonly used by public institutions and universities. After the incident, they updated all of their software to their latest versions. However, the Lazarus group used the software’s 0-Day vulnerability to carry out their infiltration this time.
We at ASEC filed a report regarding the software in question to KISA, but since the vulnerability has not been fully verified yet and a software patch has not been released, we will be omitting the manufacturer and software from this post.
The team has also analyzed other cases, but putting the several incidents that have not been disclosed yet together, we can conclude that the Lazarus group is researching the vulnerabilities of various other software and are constantly changing their TTP by altering the way they disable security products and carry out anti-forensic techniques to interfere or delay detection and analysis in order to infiltrate Korean institutions and companies.
This report is based on the forensics report from an affected client company. This report was written back in January, but it had been delayed due to issues with the software’s vulnerability patch. Thus, we decided to make this post after having anonymized the software information. Once the software patch becomes available, we intend to reupload this report with the updated information.
Case Overview
| CATEGORY | DESCRIPTION |
| Incident Duration | 10/21/2022 – 11/18/2022 |
| Client Type | Financial Business |
| Affected OS | Windows 10 |
| Damage Status | Backdoor infection and C2 communication |
| Attack Type |
|
| Threat Actor | Lazarus |
| Case Tags | #Lazarus #skypeserver.exe #0-day #rootkit #BYOVD |
Figure. Infiltration flowchart
What Can Be Learned from this Case
- The threat actor exploited the 0-Day vulnerability of a certificate software that is commonly used in Korea. Since these types of software are not updated automatically, they must be manually patched to the latest version or deleted if unused.
- The threat actor used the BYOVD method that exploits vulnerable driver kernel modules to disable security products.
- Additionally, they would perform anti-forensic techniques to hide their malicious behaviors by either changing filenames before deleting them or modifying time stamps.
- The affected company was re-infiltrated by the same threat actor with a similar method. Instead of taking only post-attack measures, continuous monitoring is required to prevent recurrences.
Case Details
Summary of Analysis Results
The team analyzed two PCs provided by the client company and confirmed that the threat actor had performed a lateral movement attack on PC01 and PC02 using the certificate software’s vulnerability. On October 21st, PC02 was attacked by an unconfirmed internal system. Later on, PC02 attacked PC01 on November 18. Seeing how the latest version of the certificate software was installed on both PC01 and PC02, it can be inferred that the threat actor exploited the 0-Day vulnerability. Additionally, a different method from preexisting ones was used to disable V3 on both PC01 and PC02 on November 18th.
The lateral movement attack received by the system that was analyzed this time was unrelated to the threat actor’s first attack. It can be assumed that remains from the Lazarus group’s attack still existed in the affected client company’s Internet network ever since they were successfully infiltrated back in May.
| SYSTEM | DATE | DESCRIPTION |
| PC01 | 11/18/2022 | Lateral movement attack on the vulnerability of a certificate software (PC02 → PC01) |
| 11/18/2022 | V3 disabled | |
| PC02 | 10/21/2022 | Lateral movement attack on the vulnerability of a certificate software (Unconfirmed internal system → PC02) |
| 11/18/2022 | V3 disabled |
Analysis of PC01
It is assumed that PC01 was infiltrated through an attack on the certificate software’s 0-Day vulnerability on November 18, 2022, at 10:00:35. The team confirmed the traces of three network connection attempts from PC02 to the TCP port of PC01’s certificate software. The first two attempts did not cause any special response from PC01, but when the threat actor used skypeserver.exe (not obtained), which was created using svchost.exe in PC02, to connect to PC01 on November 18 at 10:00, an error (AppCrash) occurred in PC01’s certificate software, allowing malicious behaviors to follow. The error report (WER) and memory dump files could not be found as they were all deleted after the AppCrash. The team believes that the threat actor had intentionally deleted them.
| DATE TIME | DESCRIPTION | REMARKS |
| 11/15/2022 16:18:52 | svchost.exe network connection 10.20.XXX.125:XXXXX | Assumed to be a failed attack or connection test |
| 11/18/2022 9:49:31 | svchost.exe network connection 10.20.XXX.125:XXXXX | Assumed to be a failed attack or connection test |
| 11/18/2022 10:00:27 | skypeserver.exe network connection 10.20.XXX.125:XXXXX | Successful vulnerability exploitation |
Figure. Record of certificate software’s crashdump file creation
According to the traces found on PC01, a difference between the attack in May and the current one is the fact that svchost.exe was used instead of ftp.exe after the certificate software’s vulnerability was exploited. Another difference would be that there is no known vulnerability information since everything was updated to the most recent version this time compared to before when the vulnerable version of the software was installed.
| TARGET | INSTALL DATE | SOFTWARE VERSION | COMPROMISED DATE |
| PC01 | 07/01/2022 | Up-to-date | 11/18/2022 |
| PC02 | 08/30/2022 | Up-to-date | 10/21/2022 |
The threat actor accessed PC01, injected a malicious thread into a normal process (svchost.exe), and used PC01 as both a backdoor and for C2 communication. Afterward, the system’s installed V3 product was disabled. This was then followed by the creation and execution of an additional malicious file.
Furthermore, the team found traces of the malicious file’s time stamp being modified in addition to filenames being randomized before their deletion and other anti-forensic behaviors. Knowing this, it is evident that the threat actor is actively trying to interfere with any analysis.
TIMELINE (PC01)
The timeline of the infiltration behavior found in PC01 is as follows.
| TIME (11/18/2022) |
CATEGORY | BEHAVIORS |
| 10:00:37 | Injection | svchost.exe begins malicious behavior Malicious thread injected into running process |
| 10:00:37 | C2 communication | svchost.exe connects to threat actor’s C2 address 121.78.246.155 (dalbinews.co.kr) |
| 10:10:01 | Malicious file creation | Malicious file is created C:\ProgramData\tszui.tmp (not obtained) |
| 10:17:55 | Anti-forensic | Name change and deletion of malicious file Name change: C:\ProgramData\tszui.tmp -> phqghumea File deleted: C:\ProgramData\phqghumea (not obtained) |
| 10:18:47 | C2 communication | svchost.exe connects to threat actor’s C2 address 121.78.158.46 (www.studyholic.com) |
| 10:20:28 | Disable security products | V3 detects attempt to disable security products (Exploit/Win.Lazardoor.GEN) |
| 10:20:24 | C2 communication | Connects to threat actor’s C2 address 183.110.224.172 (ctmnews.kr) |
| 10:27:58 | Malicious file creation | Malicious file is created C:\ProgramData\perlcritic.exe (not obtained) |
| 10:28:53 | Vulnerable driver file creation | Malicious file is executed C:\ProgramData\perlcritic.exe (not obtained) driver file is created (not a malicious file) C\Windows\System32\drivers\PROCEXP152.SYS (obtained) |
| 10:29:16 | Malicious file creation | Malicious file is created C:\ProgramData\tds.tmp (not obtained) |
| 10:29:36 | Anti-forensic | Name change and deletion of malicious file Name change: C:\ProgramData\tds.tmp -> mxnsbqy File deleted: C:\ProgramData\mxnsbqy (not obtained) |
| 10:41:33 | Anti-forensic | AppCrash file deleted Deleted file: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_XXXXXXXXXXXX.exe _9474ee13fbc7651aabaf2f3c9b1fedc9e7489e51_bc343f60_ddd4e0eb-714c-4cf4-ae23-43cd18c59603 (not obtained) |
| 10:42:19 | Anti-forensic | Name change and deletion of malicious file Name change: C:\ProgramData\perlcritic.exe -> kxlmatmoynktxl Deleted file: C:\ProgramData\kxlmatmoynktxl (not obtained) |
| 10:44:31 | Malicious file creation | Backdoor loader (LegacyUserManager.dll) created (obtained) Loaded files: C:\ProgramData\Microsoft\Crypto\Keys\Keys.dat (obtained) C:\ProgramData\Microsoft\Settings\Settings.vwx (obtained) |
| 10:44:47 | Anti-forensic | Backdoor loader’s (LegacyUserManager.dll) time stamp (Standard Information) modified (obtained) |
| 10:45:47 | Malicious file creation | Backdoor program (Keys.dat) created (obtained) Malware with C2 communication and file download features created |
| 10:45:56 | Anti-forensic | Backdoor program’s (Keys.dat) time stamp (Standard Information) modified (obtained) |
| 10:46:12 | Malicious file creation | Backdoor program (Settings.vwx) created (obtained) Malware with C2 communication and file download features created |
| 10:46:30 | Anti-forensic | Backdoor program’s (Keys.dat) time stamp (Standard Information) modified (obtained) |
Analysis of PC02
The team found that the threat actor exploited the certificate software’s vulnerability to access PC02 on October 21 at 10:48:48. An AppCrash occurred following the vulnerability exploitation, and the malicious behavior started once ftp.exe was executed. This is the same method used against the affected client back in May. The team has not yet confirmed the IP of the system that accessed PC02.
Figure. Certificate software error log (Application.evtx) found on PC02
Figure. The certificate software and the malicious thread injection code of ftp.exe found in PC02’s V3 MDP log
The threat actor first infiltrated PC02 on October 21 and created a malicious file that performed C2 server communication and backdoor functions via the injected ftp.exe.
On October 27, the attacker injected a malicious thread into the svchost.exe process instead of ftp.exe, and performed malicious behaviors until November 18 using the access privilege.
The team confirmed that fswss.exe was created on November 15 and used to scan the internal network. Afterward, svchost.exe was used to connect to the certificate software’s service port in PC01 twice.
On November 18, skypeserver.exe was created and used to connect to PC01’s TCP XXXXX. It was at this point that an AppCrash occurred on PC01’s certificate software. Similar to what happened with PC01, traces were later found on PC02 of its anti-malware being disabled, followed by the creation and execution of a malicious file.
TIMELINE (PC02)
The timeline of the infiltration behavior found in PC02 is as follows.
| DATE | TIME | CATEGORY | BEHAVIORS |
| 22/10/21 | 10:48:50 | C2 communication | ftp.exe connects to threat actor’s C2 address 111.92.189.48 (www.scope.co.kr) |
| 10:48:51 | ftp.exe connects to threat actor’s C2 address 183.110.224.172 (ctmnews.kr) |
||
| 10:49:46 | ftp.exe connects to threat actor’s C2 address 115.68.52.47 (www.artinsight.co.kr) |
||
| 10:51:35 | ftp.exe connects to threat actor’s C2 address 114.108.129.89 (www.kfcjn.com) |
||
| 10:52:31 | ftp.exe connects to threat actor’s C2 address 114.108.129.89 (www.kfcjn.com) |
||
| 10:59:33 | ftp.exe connects to threat actor’s C2 address 114.108.129.89 (www.kfcjn.com) |
||
| 12:52:38 | ftp.exe connects to threat actor’s C2 address 119.207.79.175 (lightingmart.co.kr) |
||
| 14:21:58 | Malicious file creation | ftp.exe creates file C:\Windows\System32\lecacyusermanager.dll (obtained) |
|
| 14:59:07 | ftp.exe creates file C:\Windows\System32\wptsextensions.dll (obtained) |
||
| 15:34:47 | Anti-forensic | Name of malicious file changed Name change: C:\Windows\System32\legacyusermanager.dll -> C:\Windows\temp\lum.tmp (obtained) |
|
| 22/10/27 | 15:25:00 | Injection | Malicious thread injected into normal process (svchost.exe) |
| 15:26:05 | C2 communication | svchost.exe connects to threat actor’s C2 address 115.68.52.47 |
|
| 15:27:53 | Malicious file creation | svchost.exe creates malicious file C:\Windows\System32\wptsextensions.dll (obtained) |
|
| 22/11/15 | 11:32:36 | File creation | svchost.exe creates malicious file C:\ProgramData\fswss.exe (not obtained) |
| 11:32:48 | File execution | Network scan using fswss.exe C:\ProgramData\fswss.exe /scan /UseIPAddressesRange 1 /IPAddressFrom 10.20.XXX.1 /IPAddressTo 10.20.XXX.255 /stext C:\ProgramData\fswss.log |
|
| 11:33:41 | Anti-forensic | Name of malicious file changed Name change: C:\ProgramData\fswss.exe -> xeudsgpfo (not obtained) |
|
| 12:50:13 | Malicious file creation | svchost.exe creates file C:\ProgramData\fmsysn.exe (not obtained) |
|
| 12:51:04 | Malicious file execution | svchost.exe executes another process: C:\ProgramData\fmSysN.exe 10.20.XXX.1 10.20.XXX.36 XXXXX 10 c:\programdata\fmSysN.log |
|
| 13:06:49 | Anti-forensic | Name of malicious file changed Name change: C:\ProgramData\fmsysn.exe -> yfvepuvxbi (not obtained) |
|
| 16:18:52 | Network Access | svchost.exe attempts to access port of PC01’s certificate software 10.20.XXX.125:XXXXX(PC01) |
|
| 16:33:06 | Malicious file creation | svchost.exe creates file C:\ProgramData\skypeserver.exe (not obtained) |
|
| 22/11/18 | 9:49:31 | Network Access | svchost.exe attempts to access port of PC01’s certificate software 10.20.XXX.125:XXXXX(PC01) |
| 9:51:07 | Malicious file creation | svchost.exe creates malicious file C:\ProgramData\skypeserver.exe (not obtained) |
|
| 9:56:31 | svchost.exe creates malicious file C:\ProgramData\sfbappsdk.dll (not obtained) |
||
| 10:00:08 | C2 communication | skypeserver.exe connects to threat actor’s C2 address 121.78.246.155 (dalbinews.co.kr) |
|
| 10:00:27 | Network Access | skypeserver.exe successfully accesses certificate software’s port 10.20.XXX.125:XXXXX(PC01) |
|
| 10:06:14 | Anti-forensic | Name of malicious file changed Name change: C:\ProgramData\sfbappsdk.dll -> bxikemvkqhcsz (not obtained) |
|
| 10:06:42 | Name of malicious file changed Before change: C:\ProgramData\skypeserver.exe -> kqcfqbxrgbfmwem (not obtained) |
||
| 11:04:32 | Injection C2 communication |
Malicious thread injected into normal process (svchost.exe) svchost.exe connects to threat actor’s C2 address 121.78.158.46 (studyholic.co.kr) |
|
| 11:05:45 | Disable security products | V3 detects attempt to disable security products (Exploit/Win.Lazardoor.GEN) | |
| 11:06:56 | Vulnerable driver file creation | Malware is created C:\ProgramData\perlcritic.exe (not obtained) |
|
| 11:07:02 | Threat executes malware: C:\ProgramData\perlcritic.exe (not obtained) vulnerable driver file is created: C:\Windows\System32\drivers\PROCEXP152.SYS (obtained) |
||
| 11:12:18 | Malware created and executed C:\ProgramData\perlcritic64.exe (not obtained) |
Key Malicious Behaviors
Disabling V3 with BYOVD
On November 18, attempts to disable the V3 that was on PC01 and PC02 at 10:20:28 and 11:05:45 respectively were detected (Exploit/Win.Lazardoor.GEN). The V3 of both PCs were disabled for the following durations.
- PC01: November 18, 10:20:28 – 11:25:00 (around 1 hour)
- PC02: November 18, 11:05:45 AM – November 21, 2:07:08 PM (around 75 hour)
The process related to V3 was operational during this period, but a normal behavior detection could not be performed. However, V3 returned to normal after a system reboot.
Figure. PC01 detection log that confirms V3 being disabled
The threat actor needs the privilege to access the kernel memory in order to modify the Windows OS’s kernel memory and disrupt V3’s operation. To accomplish this, the threat actor performed a BYOVD attack back in May using ene.sys which belongs to the Taiwanese part supplier, ENE Technology.
A noteworthy trace to distinguish what attack method was used could not be discovered around the time the V3 of PC01 and PC02 were disabled. Rather, a vulnerable driver file was created within the system after V3 was disabled. This driver file was the free process management utility provided by Microsoft, ProcessExplorer’s PROCEXP152.SYS. This file is a vulnerable driver that can be used for BYOVD attacks. However, this driver file was created after the V3 on both PC01 and PC02 were disabled, and was used by the perlcritic.exe (not obtained) file created by the threat actor.
Therefore, the sequence of V3 being disabled and the driver file being made do not match, so it is uncertain whether it was a BYOVD attack or if PROCEXP152.SYS was used to disable V3.
The method used back in May and the method used in November are different in the following ways.
| CATEGORY | ATTACK IN MAY, 2022 | ATTACK IN NOVEMBER, 2022 |
| Attack Technique | BYOVD technique | Unconfirmed |
| Vulnerable Driver |
ENE Technology’s driver
|
Created after Microsoft’s ProcessExplorer driver disables V3 PROCEXP152.sys |
| Loader | sb_smbus_sdk.dll |
|
| Service Registration Status | Registered | No traces of registration found |
Anti-Forensic
Traces of anti-forensic behavior being performed to erase the attack traces from PC01 and PC02 have been confirmed.
| CATEGORY | SYSTEM | DESCRIPTION |
| File time stamp modification | PC01, PC02 |
[PC01]
[PC02]
|
| File deleted after name change |
PC01, PC02 |
[PC01]
[PC02]
|
| Prefetch deleted | PC01 | MSIEXEC.EXE-8FFB1633.pf, PERLCRITIC.EXE-2EB3AC0F.pf, and various others |
Malware Used by the Threat Actor
Malware List
| CATEGORY | FILENAME | SYSTEM | DESCRIPTION |
| Loader | wptsextensions.dll | PC02 |
|
| legacyusermanager.dll | PC01 PC02 |
|
|
| lum.tmp | PC02 |
|
|
| Backdoor | Keys.dat | PC01 PC02 |
|
| Settings.vwx | PC02 |
|
|
| Settings.vwx | PC01 |
|
|
| Exploited normal file |
ProcEXP152.sys | PC01 PC02 |
|
| fswss.exe | PC02 |
|
|
| Not obtained files |
configmanager.tlb | PC02 |
|
| perlcritic.exe perlcritic64.exe |
PC01 PC02 |
|
|
| sfbappsdk.dll | PC02 |
|
|
| fmSysN.exe | PC02 |
|
|
| skypeserver.exe | PC02 |
|
|
| tds.tmp | PC01 |
|
|
| tszui.tmp | PC01 |
|
C2s Used by Threat Actor
| CATEGORY | IP | DOMAIN | REMARKS |
| Initial approach of ftp.exe | 111.92.189.48 | www[.]scope.co.kr | |
| Assumed to be C2 related to disabling | 121.78.158.46 | www[.]studyholic.com | |
| 121.78.246.155 | dalbinews[.]co.kr | ||
| Backdoor C2 | 183.110.224.172 | ctmnews[.]kr | |
| 115.68.52.47 | www[.]artinsight.co.kr | ||
| 114.108.129.89 | www[.]kfcjn.com |
MITRE ATT&CK MAPPING
| Tactics | TID | DESCRIPTION |
| Reconnaissance | – | – |
| Resource Development | T1587.001 Develop Capabilities: Malware | Develops backdoor and loader |
| T1587.004 Develop Capabilities: Exploits | Prepares certificate software vulnerability | |
| T1588.002 Obtain Capabilities: Tool | fswss.exe (Nirsoft’s wakemeonlan.exe) | |
| Initial Access | N/A | |
| Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Executes perlcritic.exe |
| T1203 Exploitation for Client Execution | Exploits certificate software vulnerability | |
| Persistence | N/A | – |
| Privilege Escalation | T1068 Exploitation for Privilege Escalation | PROCEXP152.sys |
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools | Disables V3 |
| T1070 Indicator Removal | Deletes prefetch file | |
| T1070.004 Indicator Removal: File Deletion | Deletes malicious files – sfbappsdk.dll, fswss.exe, fmSysN.exe, skypeserver.exe, perlcritic.exe, perlcritic64.exe Deletes crash dump files |
|
| T1070.006 Indicator Removal: Timestomp | Changes time stamp of malicious files | |
| Credential Access | N/A | – |
| Discovery | T1046 Network Service Discovery | fswss.exe, fmSysN.exe |
| Lateral Movement | T1210 Exploitation of Remote Services | Lateral movement using certificate software vulnerability |
| Collection | N/A | – |
| Command and Control | T1071.001 Application Layer Protocol: Web Protocols | Communicates with C2 servers |
| T1102 Web Service | Abuses normal domain as C2 server | |
| Exfiltration | N/A | – |
| Impact | N/A | – |
IoC
Malicious File
| No | MD5 Hash | File Name | AhnLab Detection Name |
| 1 | 61B3C9878B84706DB5F871B4808E739A | wptsextensions.dll | Trojan/Win.Lazardoor.C5327680 |
| 2 | C7256A0FBAB0F437C3AD4334AA5CDE06 | legacyusermanager.dll | Trojan/Win.Lazardoor.C5327680 |
| 3 | A6602EF2F6DC790EA103FF453EB21024 | lum.tmp | Trojan/Win.Lazardoor.C5327681 |
| 4 | FC8B6C05963FD5285BCE6ED51862F125 | Keys.dat (PC01) | Data/BIN.Lazarus |
| 5 | 6EA4E4AB925A09E4C7A1E80BAE5B9584 | Keys.dat (PC02) | Data/BIN.Lazarus |
| 6 | 27DB56964E7583E19643BF5C98FFFD52 | Settings.vwx (PC01) | Data/BIN.Lazarus |
| 7 | BD47942E9B6AD87EB5525040DB620756 | Settings.vwx (PC02) | Data/BIN.Lazarus |
Malicious IP/URL
| No | IP | DOMAIN | Country |
| 1 | 111.92.189.48 | www[.]scope.co.kr | KR |
| 2 | 121.78.158.46 | www[.]studyholic.com | KR |
| 3 | 121.78.246.155 | dalbinews[.]co.kr | KR |
| 4 | 183.110.224.172 | ctmnews[.]kr | KR |
| 5 | 115.68.52.47 | www[.]artinsight.co.kr | KR |
| 6 | 114.108.129.89 | www[.]kfcjn.com | KR |
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Lazarus Group Attack Case Using Vulnerability of Certificate Software Commonly Used by Public Institutions and Universities appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/48810/