
VMConnect Campaign: Lazarus Group's Deceptive PyPI Packages in Virtual Machine Attacks
Indicators of Compromise
APT Groups

Summary of Actor: Lazarus Group, also known as APT38, is a notorious state-sponsored hacking group attributed to North Korea. The group is known for its sophisticated cyber espionage and financially motivated attacks.

General Features: Lazarus Group is highly sophisticated and employs advanced techniques to conduct cyber espionage and financial theft. The group is backed by a nation-state and often uses malware, spear-phishing, and vulnerabilities to infiltrate targets.

Related Other Groups: APT37, Kimsuky, Reaper, BlueNoroff

Indicators of Attack (IoA):
- Use of trojans and ransomware
- Spear-phishing emails
- Deployment of custom malware
- Command and Control (C2) server communications

Recent Activities and Trends:
- Latest Campaigns: Lazarus Group was recently linked to a series of ransomware attacks against major manufacturers in the United States and Europe, aiming to disrupt supply chains and extract ransom payments.
- Emerging Trends: The group has been observed shifting towards more financially motivated attacks, including targeting cryptocurrency exchanges and venture capital firms.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1082-System Information Discovery
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
| | | | Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations. |
| | | | Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. |
T1083 - File and Directory Discovery
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
| | | | Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
| | | | Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
T1105 - Ingress Tool Transfer
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments for suspicious activity associated with downloading external content. |
| | | | Monitor for file creation and files transferred into the network. |
| | | | Monitor for newly constructed network connections that are sent or received by untrusted hosts, or that create files on the system, as these may be suspicious. Use of utilities such as FTP that does not normally occur may also be suspicious. |
| | | | Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal or unknown domains and IPs. |
| | | | Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
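As an added example (not part of this report or of the ATT&CK text above), the following Python applies the T1105 checks in the table to constructed flow summaries: processes with no network baseline, large downloads from unknown domains or raw IPs, FTP-style utilities that do not normally occur, and clients that send far more than they receive. The process allow-list, the known destinations, the byte thresholds and the flow records themselves are all assumptions made for this example.

```python
import re

# Constructed network-flow summaries (not real telemetry): one record per
# connection, shaped the way a flow collector or EDR network sensor exports them.
SAMPLE_FLOWS = [
    {"host": "ws-01", "process": "chrome.exe", "dst": "cdn.example-update.com",
     "dst_port": 443, "bytes_out": 4_200, "bytes_in": 1_850_000},
    {"host": "ws-01", "process": "python.exe", "dst": "203.0.113.45",
     "dst_port": 8080, "bytes_out": 1_100, "bytes_in": 2_400_000},
    {"host": "ws-02", "process": "calc.exe", "dst": "198.51.100.9",
     "dst_port": 21, "bytes_out": 900, "bytes_in": 512_000},
    {"host": "ws-02", "process": "outlook.exe", "dst": "mail.example.com",
     "dst_port": 443, "bytes_out": 30_000_000, "bytes_in": 120_000},
]

# Baseline assumptions for this example: processes that are expected to use the
# network, destinations the organisation already knows, and utility ports that
# should rarely be seen from a workstation (FTP here).
KNOWN_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "teams.exe"}
KNOWN_DESTINATIONS = {"cdn.example-update.com", "mail.example.com"}
UNUSUAL_PORTS = {21: "ftp"}
MIN_INGRESS_BYTES = 256_000   # downloads below this are too small to carry a tool
UPLOAD_RATIO = 20             # bytes_out / bytes_in above this is an uncommon flow


def _is_ip(dst):
    """True when the destination is a bare IPv4 address rather than a name."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dst) is not None


def assess_flow(flow):
    """Return the list of reasons this flow is suspicious (empty means benign)."""
    reasons = []
    # Process that has never been seen talking on the network before.
    if flow["process"] not in KNOWN_NETWORK_PROCESSES:
        reasons.append(f"process {flow['process']} has no network baseline")
    # Large inbound transfer from a destination nobody has vetted.
    if flow["bytes_in"] >= MIN_INGRESS_BYTES and flow["dst"] not in KNOWN_DESTINATIONS:
        kind = "raw IP" if _is_ip(flow["dst"]) else "unknown domain"
        reasons.append(f"large download ({flow['bytes_in']} bytes) from {kind} {flow['dst']}")
    # Utility protocol that does not normally occur in this environment.
    if flow["dst_port"] in UNUSUAL_PORTS:
        reasons.append(f"{UNUSUAL_PORTS[flow['dst_port']]} traffic is not normal here")
    # Client sending significantly more than it receives.
    if flow["bytes_in"] and flow["bytes_out"] / flow["bytes_in"] > UPLOAD_RATIO:
        reasons.append("client sent far more than it received")
    return reasons


def triage(flows):
    """Map (host, process, destination) to reasons for every flow that raised any."""
    findings = {}
    for flow in flows:
        reasons = assess_flow(flow)
        if reasons:
            findings[(flow["host"], flow["process"], flow["dst"])] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(reasons))
```

In a real deployment the baselines come from historical telemetry rather than literals, and the ratio check should be computed per session rather than per record so that a long-lived connection is not split into misleading fragments.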
T1140 - Deobfuscate/Decode Files or Information
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn't be further modified) that may coincide with attempts to hide artifacts. |
| | | | Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used, encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Analytic 1 - CertUtil with Decode Argument: ((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\System32\certutil.exe" AND CommandLine="*decode*" |
| | | | Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
T1486 - Data Encrypted for Impact
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified. |
| | | | Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. |
| | | | Monitor for newly constructed files in user directories. |
| | | | Monitor for changes made to files in user directories. |
| | | | Monitor for unexpected network shares being accessed on target systems or on large numbers of systems. |
| | | | Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. |
T1027 - Obfuscated Files or Information
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^). Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding. |
| | | | Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). |
| | | | Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. File-based signatures may be capable of detecting code obfuscation depending on the methods used.[177][178][179] |
| | | | Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[178] |
| | | | Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[177] |
| | | | Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. |
| | | | Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^). Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters. |
| | | | Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads. |
| | | | Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads. |
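The T1140, T1486 and T1027 guidance above all reduce to rules over process-creation events (Sysmon Event ID 1 and Security Event ID 4688): the CertUtil decode/decodehex analytic, the vssadmin/wbadmin/bcdedit command-lines, caret escape characters, and encoding-related arguments or unreadable blobs. The Python below is an added example, not code from this report or from ATT&CK, that runs those rules over constructed events. The event records, their field names, and the thresholds (three carets, a 40-character base64-like run) are assumptions made for the example.

```python
import re

# Constructed process-creation events (not real logs), shaped like the two
# sources the T1140 analytic names: Sysmon EID 1 and Security EID 4688.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4688, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -decode C:\Users\Public\update.txt C:\Users\Public\update.exe"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -decodehex payload.hex payload.dll"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -verify -urlfetch cert.cer"},          # legitimate use
    {"source": "Security", "event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "c^m^d /c w^h^o^a^m^i"},
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Blob is a constructed filler ("ABC" base64-encoded twelve times), not a payload.
     "command_line": "powershell.exe -EncodedCommand QUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD"},
    {"source": "Security", "event_id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Thresholds and patterns are assumptions for this example.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long unreadable run of characters
DESTRUCTIVE = {"vssadmin.exe", "wbadmin.exe", "bcdedit.exe"}
MIN_CARETS = 3


def image_name(image):
    """Last path component of the Image field, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (technique, reason) tuples that fire on one process-creation event."""
    hits = []
    name = image_name(event["image"])
    cmd = event["command_line"]
    low = cmd.lower()
    # T1140, Analytic 1: certutil.exe started with a decode or decodehex switch.
    if name == "certutil.exe" and re.search(r"[-/]decode(hex)?\b", low):
        hits.append(("T1140", "certutil decode switch"))
    # T1486: command-lines involved in destroying recovery data.
    if name in DESTRUCTIVE:
        hits.append(("T1486", f"{name} invoked: {cmd}"))
    # T1027: uninterpreted escape characters such as c^m^d.
    if cmd.count("^") >= MIN_CARETS:
        hits.append(("T1027", "caret escape characters in command line"))
    # T1027: encoding-related argument variants, or a long base64-like blob.
    if re.search(r"[-/]enc(odedcommand)?\b", low) or BASE64_BLOB.search(cmd):
        hits.append(("T1027", "encoded argument or base64-like blob"))
    return hits


def scan(events):
    """Return only the events that fired, keyed by (source, event id, position)."""
    findings = {}
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            findings[(event["source"], event["event_id"], index)] = hits
    return findings


if __name__ == "__main__":
    for key, hits in scan(SAMPLE_EVENTS).items():
        print(key, "->", hits)
```

For a T1140 hit, the triage step from the table still applies: find where the file being decoded came from and review its contents, and look for a sibling process that loads the decoded output.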
T1566 - Phishing
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events. |
| | | | Monitor for newly constructed files from phishing messages used to gain access to victim systems. |
| | | | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] |
| | | | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
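One way to do the DKIM+SPF and header analysis described above, as an added example that is not part of this report or of ATT&CK: read the receiving mail server's Authentication-Results header, check that the domain that actually passed SPF or DKIM is the same as the From: domain (alignment, the check a spoofed sender fails), and pull link hosts out of the body so shortened links can be expanded before inspection. The message, the shortener list and the header layout are constructed for this example; the code only reads results the mail server already recorded and does not evaluate SPF or DKIM itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message (not a real capture): From: claims the corporate domain,
# but the receiving MTA recorded an SPF pass for a different domain and a DKIM fail.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.example.net; dkim=fail header.d=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/plain

Your password expires today. Reset it here: https://bit.ly/abc123 or
visit https://example.com/reset to keep using your mailbox.
"""

# Same message but with DKIM passing for the From: domain, i.e. an aligned sender.
LEGIT_VARIANT = SAMPLE_MESSAGE.replace("dkim=fail", "dkim=pass")

KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumption for this example
URL_RE = re.compile(r"https?://([^/\s]+)")
AUTH_CLAUSE = re.compile(
    r"(spf|dkim|dmarc)=(\w+)"
    r"(?:.*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+))?")


def parse_auth_results(header):
    """Map method -> (result, domain) from an Authentication-Results header value."""
    results = {}
    # The text before the first ';' is the authserv-id, not a result clause.
    for clause in header.split(";")[1:]:
        match = AUTH_CLAUSE.match(clause.strip())
        if match:
            results[match.group(1)] = (match.group(2), match.group(3))
    return results


def text_body(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def assess(raw):
    """Header-alignment and link triage for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_domain = auth.get("spf", ("none", None))
    dkim_result, dkim_domain = auth.get("dkim", ("none", None))
    # Alignment: the domain that passed authentication must be the visible From: domain.
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    hosts = [h.lower() for h in URL_RE.findall(text_body(msg))]
    shortened = [h for h in hosts if h in KNOWN_SHORTENERS]
    findings = []
    if not (spf_aligned or dkim_aligned):
        findings.append("sender not authenticated for From: domain (possible spoof)")
    if shortened:
        findings.append("shortened links need expansion before inspection: " + ", ".join(shortened))
    return {"from_domain": from_domain, "spf": (spf_result, spf_domain),
            "dkim": (dkim_result, dkim_domain), "aligned": spf_aligned or dkim_aligned,
            "link_hosts": hosts, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_MESSAGE), ("aligned", LEGIT_VARIANT)):
        print(label, assess(raw))
```

Only trust an Authentication-Results header that your own mail server added (the authserv-id before the first semicolon); headers of that name that arrive from outside should be stripped or ignored at the gateway, otherwise a sender can supply a "pass" for you.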