A report from Proofpoint by Darien Huss
With activity dating back to at least 2009, the Lazarus Group has consistently ranked among the most disruptive, successful, and far-reaching state-sponsored actors.
Law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today.
The following attacks have all been attributed to the group:
- the March 20, 2013 attack in South Korea;
- the Sony Pictures hack in 2014;
- the successful SWIFT theft of $81 million from the Bangladesh Bank in 2014;
- and, perhaps most famously, this year’s WannaCry ransomware attack and its global impact.
The Lazarus Group is widely accepted as being a North Korean state-sponsored threat actor by numerous organizations in the information security industry, law enforcement agencies, and intelligence agencies around the world. The Lazarus Group’s arsenal of tools, implants, and exploits is extensive and under constant development. Previously, they have employed DDoS botnets, wiper malware to temporarily incapacitate a company, and a sophisticated set of malware targeting the SWIFT banking system to steal millions of dollars. In this report we describe and analyze a new, currently undocumented subset of the Lazarus Group’s toolset that has been widely targeting individuals, companies, and organizations with interests in cryptocurrency.
Threat vectors for this new toolset, dubbed PowerRatankba, include highly targeted spearphishing campaigns using links and attachments as well as massive email phishing campaigns targeting both the personal and corporate accounts of individuals with interests in cryptocurrency. We also share our discovery of what may be the first publicly documented instance of a state targeting a point-of-sale-related framework for the theft of credit card data, again using a variant of malware that is closely related to PowerRatankba.
This report has introduced several new additions to the Lazarus Group’s ever-growing arsenal, including a variety of different attack vectors, a new PowerShell implant and Gh0st RAT variant, as well as an emerging point-of-sale threat targeting South Korean devices. In addition to insight into Lazarus’ emerging toolset, there are two key takeaways from this research:
- Analyzing a financially motivated arm of a state actor highlights an often overlooked or underestimated aspect of state-sponsored attacks; in this case, we were able to differentiate the actions of the financially motivated team within Lazarus from those of their espionage and disruption teams that have recently grabbed headlines.
- This group now appears to be targeting individuals rather than just organizations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetization for a state-sponsored threat actor’s toolkit.
- Moreover, both the explosive growth in cryptocurrency values and the emergence of new point-of-sale malware near the peak holiday shopping season provide an interesting example of how one state-sponsored actor is following the money, adding direct theft from individuals and organizations to the more “traditional” approach of targeting financial institutions for espionage that we often observe with other APT actors.