Campaigns
VMConnect Campaign: Lazarus Group's Deceptive PyPI Packages in Virtual Machine Attacks

VMConnect Campaign: Lazarus Group's Deceptive PyPI Packages in Virtual Machine Attacks

Lazarus GroupVMConnectLinkedIn PhishingFake Job InterviewsLabyrinth Chollima
The Lazarus Group has escalated its VMConnect campaign by targeting developers with malware packages, researchers report. The attackers posed as Capital One employees, conducted fake job interviews, and sent LinkedIn messages with links to GitHub repositories. These links led developers to download malware offered as part of a “homework assignment.” Once installed, the malware acted as a downloader that could deliver additional payloads such as backdoors and stealers aimed at infiltrating and compromising developer environments.

Indicators of Compromise

www.reversinglabs.com

APT Groups1

Lazarus Groupundefined

<p><b>Summary of Actor</b>:Lazarus Group, also known as APT38, is a notorious state-sponsored hacking group attributed to North Korea. The group is known for its sophisticated cyber espionage and financially motivated attacks.</p><p><b>General Features</b>:Lazarus Group is highly sophisticated and employs advanced techniques to conduct cyber espionage and financial theft. The group is backed by a nation-state and often uses malware, spear-phishing, and vulnerabilities to infiltrate targets.</p><p><b>Related Other Groups</b>: APT37,Kimsuky,Reaper,BlueNoroff</p><p><b>Indicators of Attack (IoA)</b>:<ul><li>Use of trojans and ransomware</li><li>Spear-phishing emails</li><li>Deployment of custom malware</li><li>Command and Control (C2) server communications</li></ul></p><p><b>Recent Activities and Trends</b>:<ul><li><b>Latest Campaigns </b>: Lazarus Group was recently linked to a series of ransomware attacks against major manufacturers in the United States and Europe, aiming to disrupt supply chains and extract ransom payments.</li><li><b>Emerging Trends </b>: The group has been observed shifting towards more financially motivated attacks, including targeting cryptocurrency exchanges and venture capital firms.</li></ul></p>

UNC4736ZincUNC2970Gleaming PiscesJade SleetUNC4899ITG03NewRomanic Cyber Army TeamDiamond SleetHastati GroupWhois Hacking TeamApplewormSlow PiscesHidden CobraLazarus GroupDEV-0139ATK 3Guardians of PeaceTraderTraitorGods ApostlesCitrine SleetUNC4034Group 77Labyrinth ChollimaTA404SectorA01UNC577APT-C-26Gods Disciples

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1082-System Information Discovery

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.



Process Creation

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.



T1083 - File and Directory Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.



Process Creation

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.



T1105 - Ingress Tool Transfer


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for suspicious activity associated with downloading external content.

DS0022

File

File Creation

Monitor for file creation and files transferred into the network

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts or creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.



Network Traffic Content

Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs.



Network Traffic Flow

Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.



T1140 - Deobfuscate/Decode Files or Information


ID

Data Source

Data Component

Detects

DS0022

File

File Modification

Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn’t be further modified) that may coincide with attempts to hide artifacts.

DS0009

Process

Process Creation

Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.

Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.

Analytic 1 - CertUtil with Decode Argument

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\certutil.exe" AND CommandLine= decode )

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.



T1486 - Data Encrypted for Impact


ID

Data Source

Data Component

Detects

DS0010

Cloud Storage

Cloud Storage Modification

Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified.

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit

DS0022

File

File Creation

Monitor for newly constructed files in user directories.



File Modification

Monitor for changes made to files in user directories.

DS0033

Network Share

Network Share Access

Monitor for unexpected network shares being accessed on target systems or on large numbers of systems.

DS0009

Process

Process Creation

Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit.



T1027 - Obfuscated Files or Information


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022

File

File Creation

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).



File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[177][178][179]

DS0011

Module

Module Load

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[178]

DS0009

Process

OS API Execution

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[177]



Process Creation

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

DS0012

Script

Script Execution

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

DS0005

WMI

WMI Creation

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.



T1566 - Phishing



ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

DS0022

File

File Creation

Monitor for newly constructed files from a phishing messages to gain access to victim systems.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15]



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Reports & References1

Observed Countries7

CA (217)
DE (93)
GB (620)
IN (429)
JP (650)
KR (179)
US (699)