In the ever-evolving world of cybersecurity, understanding and anticipating threats has become a critical necessity. One such threat is the notorious Lazarus Group, known for their sophisticated cyber attack tactics. This blog delves into the specific TTPs (Tactics, Techniques, and Procedures) attributed to the Lazarus Group and potential ways to hunt for these activities in network logs.
The Lazarus Group has been known to leverage various techniques for gaining initial access to systems, such as phishing with DOCX files and LNK files packed inside RAR archives. Threat hunters can look for specific anomalies such as winword.exe spawning LOLBAS binaries as child processes. Additionally, any browser launched with a command line parameter containing “.pdf”, or cmd.exe with “mkdir” or “copy” in the process command line, may indicate malicious activity.
Once access is gained, the group often uses scheduled tasks to execute remote payloads via wmic.exe. Hunting for this activity could involve looking for svchost.exe with “Schedule” in the command line spawning any child process with “http” or “https” in the child command line, or taskeng.exe spawning any child process with “http” or “https” in the child command line.
Evasion is a key part of the Lazarus Group’s playbook. They’ve been known to use PowerShdll for executing PowerShell via a DLL, certutil.exe to decode payloads, and regsvr32.exe to execute malware. They’ve also been seen using DOCX files with remote templates and VS Code to launch malicious powershell.exe scripts. Each of these leaves a distinct process-creation footprint, which provides a range of hunting opportunities for cybersecurity professionals.
The Lazarus Group uses wmic.exe for lateral movement, executing code on other machines. Any process command line containing “/node:” and “PROCESS CALL CREATE” can potentially indicate this activity.
To maintain persistence, the group places a LNK file in the Startup folder that calls a binary in %TEMP%, disguised as Google Update. There are several potential hunting points here, including any process with a parent of explorer.exe and a grandparent of explorer.exe that spawns a binary located in a folder path containing “Temp” or “Tmp”, or powershell.exe spawning another binary located in a folder path containing “Temp” or “Tmp”.
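The hunts described above, expressed as a small process-tree check run over constructed sample process-creation events. This is an added example, not tooling from the original post; the event layout and the LOLBAS and browser name sets are assumptions.

```python
import re

# Assumed name sets: which children count as LOLBAS, which images count as browsers.
LOLBAS = {"rundll32.exe", "regsvr32.exe", "certutil.exe", "mshta.exe", "wmic.exe", "cmd.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample events: one process-creation record each, linked by pid/ppid.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": "winword.exe", "cmd": "winword.exe invoice.docx"},
    {"pid": 3, "ppid": 2, "image": "certutil.exe", "cmd": "certutil.exe -decode a.txt a.exe"},
    {"pid": 4, "ppid": 0, "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs -s Schedule"},
    {"pid": 5, "ppid": 4, "image": "cmd.exe", "cmd": "cmd.exe /c start https://example.invalid/p"},
    {"pid": 6, "ppid": 1, "image": "wmic.exe", "cmd": "wmic.exe /node:host2 process call create notepad.exe"},
    {"pid": 7, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 8, "ppid": 7, "image": "GoogleUpdate.exe", "cmd": "C:\\Users\\u\\AppData\\Local\\Temp\\GoogleUpdate.exe"},
    {"pid": 9, "ppid": 1, "image": "notepad.exe", "cmd": "notepad.exe"},
]


def hunt(events):
    """Return (pid, rule) pairs for every event matching one of the post's hunts."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        img, cmd = e["image"].lower(), e["cmd"].lower()
        pimg = parent["image"].lower() if parent else ""
        pcmd = parent["cmd"].lower() if parent else ""
        gimg = grand["image"].lower() if grand else ""
        # Binary path sitting under a Temp/Tmp directory (either slash style).
        in_temp = re.search(r"[\\/](temp|tmp)[\\/]", cmd) is not None
        if pimg == "winword.exe" and img in LOLBAS:
            hits.append((e["pid"], "initial access: winword.exe spawned a LOLBAS binary"))
        if img in BROWSERS and ".pdf" in cmd:
            hits.append((e["pid"], "initial access: browser launched with .pdf argument"))
        if img == "cmd.exe" and ("mkdir" in cmd or "copy" in cmd):
            hits.append((e["pid"], "initial access: cmd.exe with mkdir/copy"))
        # "http" also covers "https"; Schedule check applies to the svchost parent only.
        if "http" in cmd and (pimg == "taskeng.exe" or (pimg == "svchost.exe" and "schedule" in pcmd)):
            hits.append((e["pid"], "execution: scheduled task child with URL in command line"))
        if img == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
            hits.append((e["pid"], "lateral movement: remote wmic process creation"))
        if pimg == "explorer.exe" and gimg == "explorer.exe" and in_temp:
            hits.append((e["pid"], "persistence: explorer.exe chain launched binary from Temp"))
        if pimg == "powershell.exe" and in_temp:
            hits.append((e["pid"], "persistence: powershell.exe launched binary from Temp"))
    return hits
```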
While these techniques provide a way to detect the Lazarus Group’s activities, it’s important to note that these are not exhaustive, and a clean sweep of these hunts does not guarantee a secure network. Cybersecurity requires continuous vigilance and adaptation to evolving threats. The Lazarus Group is just one among many, and the techniques they employ today may change tomorrow.