CookieMiner: Lazarus Group's New Weapon in Nuclear Cyber Warfare

Tags: CookieMiner, Nuclear Security, Lazarus Group
This campaign focuses on the Lazarus Group, a notorious state-sponsored hacking collective with a history of targeting critical infrastructure. Their latest weapon, the "CookieMiner" malware, is specifically designed to infiltrate and compromise systems within the nuclear industry.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Lazarus Group

Summary of Actor: Lazarus Group, also known as APT38, is a highly sophisticated, state-sponsored threat actor attributed to North Korea. The group is known for its cyber espionage, financially motivated attacks, and disruptive cyber operations targeting various industries worldwide. Active since at least 2009, Lazarus has been responsible for major financial heists, intellectual property theft, and destructive malware campaigns.

General Features:
- Nation-State Backing: Strongly linked to the North Korean government, likely operating under the Reconnaissance General Bureau (RGB).
- Advanced Tactics: Utilizes custom malware, zero-day exploits, supply chain attacks, and sophisticated social engineering techniques.
- Diverse Targeting: Initially focused on government and military espionage, but now predominantly targeting financial institutions, cryptocurrency exchanges, blockchain-related firms, and high-value enterprises.
- Evasion Capabilities: Employs multi-stage attacks, obfuscation techniques, and legitimate tools to evade detection and maintain persistence.

Related Other Groups: Reaper, Kimsuky (APT37), Andariel, BlueNoroff (APT38)

Indicators of Attack (IoA):
- Spear-Phishing & Social Engineering
- Custom Malware & Exploits
- Compromise of Supply Chains & Software Updates
- Command-and-Control (C2) Infrastructure
- Cryptocurrency Theft & Laundering

Recent Activities and Trends:
- Latest Campaigns:
  - ByBit Cryptocurrency Exchange Attack
  - Ransomware & Supply Chain Attacks
  - Advanced Blockchain Attacks
- Emerging Trends:
  - Increased Focus on Financial Cybercrime
  - Use of AI for Social Engineering & Phishing
  - Targeting of Cybersecurity & Threat Intelligence Firms

Aliases: Hastati Group, Zinc, Lazarus Group, SectorA01, ITG03, Citrine Sleet, TraderTraitor, UNC577, Labyrinth Chollima, Hidden Cobra, Group 77, UNC4034, Gods Disciples, UNC4899, Jade Sleet, Guardians of Peace, UNC2970, NewRomanic Cyber Army Team, Gods Apostles, DEV-0139, Diamond Sleet, APT-C-26, Whois Hacking Team, ATK 3, Slow Pisces, TA404, Appleworm, Gleaming Pisces, UNC4736

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1566 - Phishing


ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.
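The DKIM+SPF and header checks described above, as an added example that is not part of the original page or any vendor product: a Python script that reads the Authentication-Results header stamped by the receiving MX, tests whether the domains SPF and DKIM passed for align with the visible From: domain (relaxed alignment, so subdomains count), and extracts body URLs, separating those on a shortener domain so they can be expanded in a detonation chamber. The messages, domains and shortener list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample messages (not from the page). In SPOOFED_MESSAGE the
# visible From: domain differs from the domain SPF and DKIM actually passed for.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.corp.example.test;
 spf=pass smtp.mailfrom=mailer-example.test;
 dkim=pass header.d=mailer-example.test
From: "IT Helpdesk" <helpdesk@corp.example.test>
To: user@corp.example.test
Subject: Password expiry notice

Open http://short.example.test/a1b2 within 24 hours.
"""

LEGIT_MESSAGE = """\
Return-Path: <helpdesk@corp.example.test>
Authentication-Results: mx.corp.example.test;
 spf=pass smtp.mailfrom=corp.example.test;
 dkim=pass header.d=corp.example.test
From: "IT Helpdesk" <helpdesk@corp.example.test>
To: user@corp.example.test
Subject: Maintenance window

See https://intranet.corp.example.test/maintenance for details.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed placeholder list; a real deployment keeps its own and expands
# shortened links in a detonation environment before deciding.
SHORTENERS = {"short.example.test"}


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, or the bare domain if none given."""
    return addr.rsplit("@", 1)[-1].lower()


def _aligned(from_domain: str, auth_domain: str) -> bool:
    """Relaxed alignment: identical domains, or one a subdomain of the other."""
    if not auth_domain or auth_domain == "none":
        return False
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def parse_auth_results(header: Optional[str]) -> dict:
    """Extract spf/dkim verdicts and the domains they were evaluated for from an
    Authentication-Results header; anything missing is reported as 'none'."""
    text = re.sub(r"\s+", " ", header or "")

    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.IGNORECASE)
        return m.group(1).lower() if m else "none"

    return {
        "spf": grab(r"\bspf=(\w+)"),
        "spf_domain": grab(r"smtp\.mailfrom=([^\s;]+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"header\.d=([^\s;]+)"),
    }


def analyze_message(raw: str) -> dict:
    """Flag a message whose From: domain is not backed by an aligned SPF or
    DKIM pass, and list body URLs, separating ones on shortener domains."""
    msg = message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    auth = parse_auth_results(msg.get("Authentication-Results"))
    spf_ok = auth["spf"] == "pass" and _aligned(from_domain, _domain(auth["spf_domain"]))
    dkim_ok = auth["dkim"] == "pass" and _aligned(from_domain, auth["dkim_domain"])
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    urls = URL_RE.findall((payload or b"").decode(errors="replace"))
    shortened = [u for u in urls if u.split("/")[2].lower() in SHORTENERS]
    verdict = "suspicious" if not (spf_ok or dkim_ok) or shortened else "clean"
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "urls": urls,
        "shortened_urls": shortened,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, analyze_message(raw))
```

The Authentication-Results header that is trusted must be the one the organisation's own MX added (earlier copies in the chain can be forged), and a shortened URL only changes the verdict once the sandbox has followed it and seen where it lands.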

DS0022 | File | File Creation

Monitor for newly constructed files from phishing messages that may be used to gain access to victim systems.

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18]

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1140 - Deobfuscate/Decode Files or Information


ID | Data Source | Data Component | Detects

DS0022 | File | File Modification

Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn’t be further modified) that may coincide with attempts to hide artifacts.

DS0009 | Process | Process Creation

Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.

Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.

Analytic 1 - CertUtil with Decode Argument

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) Image="C:\Windows\System32\certutil.exe" AND CommandLine="*decode*"
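An added worked example (not from the page or MITRE) of the CertUtil analytic above in Python, applied to constructed Sysmon EID 1 / Security 4688 process-creation records: it matches certutil.exe by file name regardless of directory, recognizes the -decode, -decodehex, -encode and -encodehex switches written with either a dash or a slash, pulls the output path out of the command line, and for decodes checks whether a later process image equals that path, which is the parallel-process execution the text describes. The event layout, paths and PIDs are constructed.

```python
import shlex
from typing import Dict, List, Optional

# Constructed process-creation events in a Sysmon EID 1 / Security 4688 shape
# (not taken from the page or any real host).
EVENTS: List[Dict] = [
    {"EventCode": "1", "ProcessId": 4100, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Tools\agent.msi SHA256"},
    {"EventCode": "4688", "ProcessId": 4112, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil  -decode C:\Users\Public\readme.txt C:\Users\Public\svc.exe"},
    {"EventCode": "1", "ProcessId": 4120, "Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r'"C:\Users\Public\svc.exe"'},
    {"EventCode": "1", "ProcessId": 4130, "Image": r"C:\Windows\SysWOW64\CertUtil.exe",
     "CommandLine": r'CertUtil.exe /decodehex "C:\Users\Public\blob.hex" "C:\Users\Public\blob.dll"'},
    {"EventCode": "1", "ProcessId": 4140, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode C:\Users\admin\mycert.cer C:\Users\admin\mycert.txt"},
]

# The four switches the page names; -decode/-decodehex are the ones that turn
# a downloaded text blob back into an executable.
CODEC_SWITCHES = {"decode", "decodehex", "encode", "encodehex"}


def _tokens(command_line: str) -> List[str]:
    """Split a Windows command line without treating backslashes as escapes."""
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def is_certutil(image: str) -> bool:
    """True when the image's file name is certutil.exe, whatever the directory."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "certutil.exe"


def certutil_mode(command_line: str) -> Optional[str]:
    """Return the encode/decode switch used (without its -/ prefix), or None."""
    for tok in _tokens(command_line):
        name = tok.lstrip("-/").lower()
        if name in CODEC_SWITCHES:
            return name
    return None


def output_path(command_line: str) -> Optional[str]:
    """certutil <switch> <infile> <outfile>: return <outfile> if present."""
    toks = _tokens(command_line)
    for i, tok in enumerate(toks):
        if tok.lstrip("-/").lower() in CODEC_SWITCHES and len(toks) > i + 2:
            return toks[i + 2]
    return None


def find_certutil_codec_use(events: List[Dict]) -> List[Dict]:
    """Alert on certutil encode/decode invocations; for decodes, also check
    whether a later process ran the decoded output file (the 'parallel
    process' the page describes)."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") not in ("1", "4688") or not is_certutil(ev["Image"]):
            continue
        mode = certutil_mode(ev["CommandLine"])
        if mode is None:
            continue
        alerts.append({"pid": ev["ProcessId"], "mode": mode,
                       "output": output_path(ev["CommandLine"]),
                       "severity": "high" if mode.startswith("decode") else "medium",
                       "payload_executed": False})
    for alert in alerts:
        out = (alert["output"] or "").lower()
        if alert["mode"].startswith("decode") and out:
            alert["payload_executed"] = any(
                ev.get("EventCode") in ("1", "4688") and ev["Image"].lower() == out
                for ev in events)
    return alerts


if __name__ == "__main__":
    for a in find_certutil_codec_use(EVENTS):
        print(a)
```

Matching on the file name rather than the full System32 path is deliberate: the SysWOW64 copy and a renamed-directory copy would otherwise slip past the analytic's exact Image comparison, while the output-path correlation gives triage the source file to pull for review.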

DS0012 | Script | Script Execution

Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.


T1036 - Masquerading


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [55]

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential Masquerading.

DS0022 | File | File Metadata

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override character "\u202E", "[U+202E]", and "%E2%80%AE".

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[56] In Linux, the file command may be used to check the file signature.[57]
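As an added example (not the page's own tooling), the file-name and file-signature checks from the File Metadata entry above in Python: RTLO (U+202E) in raw, bracketed or percent-encoded form, a trailing space in the name, and a magic-byte table compared against the extension so that, for instance, a PE file carrying a .pdf name is reported as a mismatch. The magic table is a small subset, and the sample file names and header bytes are constructed.

```python
import os
from typing import Dict, List, Tuple

RTLO = "\u202e"                             # RIGHT-TO-LEFT OVERRIDE
RTLO_ENCODED = ("%e2%80%ae", "[u+202e]")    # textual forms the page lists

# File signatures (magic bytes) and the extensions they legitimately carry.
# Deliberately small; extend from a real signature database in production.
MAGIC: Dict[bytes, set] = {
    b"MZ": {".exe", ".dll", ".scr", ".sys", ".cpl"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    b"%PDF": {".pdf"},
    b"\x7fELF": {".elf", ""},               # ELF binaries usually have no extension
}

# Constructed (file name, first bytes) samples, not real files.
SAMPLES: List[Tuple[str, bytes]] = [
    ("quarterly_report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),        # PE with a .pdf name
    ("summary\u202efdp.exe", b"MZ\x90\x00\x03\x00"),       # RTLO rendering trick
    ("notes.txt ", b"PK\x03\x04\x14\x00"),                 # trailing space, ZIP as .txt
    ("README", b"\x7fELF\x02\x01\x01\x00"),                # ELF without extension
]


def name_checks(filename: str) -> List[str]:
    """Name-level tricks: RTLO (raw or as text), trailing space."""
    findings = []
    lowered = filename.lower()
    if RTLO in filename or any(enc in lowered for enc in RTLO_ENCODED):
        findings.append("rtlo_in_name")
    if filename.endswith(" "):
        findings.append("trailing_space")
    return findings


def displayed_name(filename: str) -> str:
    """Approximate what a naive renderer shows: everything after an RTLO is
    drawn reversed, so 'summary<RTLO>fdp.exe' appears as 'summaryexe.pdf'."""
    if RTLO not in filename:
        return filename
    head, tail = filename.split(RTLO, 1)
    return head + tail[::-1]


def header_check(filename: str, header: bytes) -> str:
    """Compare the extension (after stripping a trailing space) with the
    format implied by the magic bytes."""
    ext = os.path.splitext(filename.rstrip())[1].lower()
    for magic, exts in MAGIC.items():
        if header.startswith(magic):
            return "match" if ext in exts else f"mismatch:{ext or '(none)'}"
    return "unknown_format"


def assess(filename: str, header: bytes) -> Dict:
    """Combine name and signature checks into one verdict per file."""
    findings = name_checks(filename)
    signature = header_check(filename, header)
    return {"name": filename, "shown_as": displayed_name(filename),
            "name_findings": findings, "signature": signature,
            "suspicious": bool(findings) or signature.startswith("mismatch")}


def scan_all(samples: List[Tuple[str, bytes]]) -> List[Dict]:
    return [assess(name, header) for name, header in samples]


if __name__ == "__main__":
    for r in scan_all(SAMPLES):
        print(r)
```

Reading only the first few bytes is enough for the signature comparison, so the same check runs cheaply inside a file-creation hook; the `file` command the text mentions for Linux does the equivalent lookup against a much larger magic database.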



DS0022 | File | File Modification

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading.

DS0007 | Image | Image Metadata

Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [58]

DS0009 | Process | OS API Execution

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.



DS0009 | Process | Process Creation

Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.

Analytic 1 - Suspicious Run Locations

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND (Image="*:\RECYCLER\*" OR Image="*:\SystemVolumeInformation\*" OR Image="%windir%\Tasks\*" OR Image="%systemroot%\debug\*")
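The Suspicious Run Locations analytic above as an added Python example (not from the page): it expands %windir% and %systemroot% with assumed default values, normalizes slashes and case, matches RECYCLER and SystemVolumeInformation only at the root of a drive (so a vendor directory that merely contains a RECYCLER folder is not flagged), and only considers Sysmon EID 1 / Security 4688 records. The events and environment values are constructed.

```python
import re
from typing import Dict, List, Optional

# Environment expansion the page says to perform; values are the common
# defaults and are a constructed assumption for this example.
DEFAULT_ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

# The launch points from the page's analytic. The first two are matched at
# the root of any drive; the others live under the expanded variables.
DRIVE_ROOT_DIRS = {"recycler", "systemvolumeinformation"}
VAR_SUBDIRS = (("%windir%", "tasks"), ("%systemroot%", "debug"))

# Constructed process-creation events (not from the page).
EVENTS: List[Dict] = [
    {"EventCode": "1", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": "4688", "Image": r"D:\RECYCLER\S-1-5-21-1\update.exe"},
    {"EventCode": "1", "Image": r"C:\SystemVolumeInformation\wmi.exe"},
    {"EventCode": "1", "Image": r"%windir%\Tasks\sync.exe"},               # unexpanded variable
    {"EventCode": "1", "Image": "c:/windows/debug/helper.exe"},             # slashes, lower case
    {"EventCode": "3", "Image": r"C:\RECYCLER\x.exe"},                      # not a process-creation event
    {"EventCode": "1", "Image": r"C:\Program Files\Vendor\RECYCLER\tool.exe"},  # not at drive root
]


def normalize(path: str, env: Dict[str, str] = DEFAULT_ENV) -> str:
    """Expand %windir%/%systemroot%, unify slashes and case."""
    for var, value in env.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return path.replace("/", "\\").lower()


def suspicious_location(image: str, env: Dict[str, str] = DEFAULT_ENV) -> Optional[str]:
    """Return a reason string when the image sits in one of the flagged
    directories, else None."""
    p = normalize(image, env)
    m = re.match(r"^[a-z]:\\([^\\]+)\\", p)
    if m and m.group(1) in DRIVE_ROOT_DIRS:
        return m.group(1)
    for var, sub in VAR_SUBDIRS:
        base = normalize(env[var], env)
        if p.startswith(base + "\\" + sub + "\\"):
            return var.strip("%") + "\\" + sub
    return None


def find_suspicious_run_locations(events: List[Dict], env: Dict[str, str] = DEFAULT_ENV) -> List[Dict]:
    """Apply the check to Sysmon EID 1 / Security 4688 events only."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in ("1", "4688"):
            continue
        reason = suspicious_location(ev["Image"], env)
        if reason:
            hits.append({"image": ev["Image"], "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_run_locations(EVENTS):
        print(h)
```

Passing the per-host environment mapping in, rather than hard-coding C:\Windows, is what the text's instruction to replace %systemroot% and %windir% with the configured paths amounts to in code.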



DS0009 | Process | Process Metadata

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata; this is a likely indicator that a binary was renamed after it was compiled.

DS0003 | Scheduled Job | Scheduled Job Metadata

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command.



DS0003 | Scheduled Job | Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

DS0019 | Service | Service Creation

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.



DS0019 | Service | Service Metadata

Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

DS0002 | User Account | User Account Creation

Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts.


T1569 - System Services


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor command-line invocations for tools capable of creating or modifying system services (e.g., systemctl on Linux, sc.exe on Windows, launchctl on macOS).

Analytic 1 - Unusual service modification tools.

sourcetype=command_logs | search command IN ("systemctl", "sc", "launchctl")

DS0022 | File | File Modification

Track changes to critical service-related files (e.g., /etc/systemd/system/, /etc/init.d/, and service binaries on Linux; C:\Windows\System32\services.exe on Windows; or /Library/LaunchDaemons on macOS).

Analytic 1 - Unusual file modifications related to system services.

sourcetype=file_monitor | search file_path IN ("/etc/systemd/system/*", "/etc/init.d/*", "/Library/LaunchDaemons/*", "C:\Windows\System32\services.exe")

DS0009 | Process | Process Creation

Monitor newly executed processes that may abuse system services or daemons to execute commands or programs.

Analytic 1 - New processes abusing system services.

sourcetype=process_logs | search process IN ("services.exe", "systemd", "launchd")

DS0019 | Service | Service Creation

Track the creation of new services, which could indicate adversarial activity aimed at persistence or execution.

Analytic 1 - Monitors service creation and modification activities

sourcetype=service_logs | search service_action="create" OR service_action="modify" | where user NOT IN ("known_admins") AND service_name NOT IN ("known_services")

DS0024 | Windows Registry | Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may abuse system services or daemons to execute commands or programs.

Analytic 1 - Malicious service modification

sourcetype=Sysmon EventCode=12 | search registry_path="HKLM\SYSTEM\CurrentControlSet\Services\*" | where registry_action="modified" AND user NOT IN ("known_admins")
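Both analytics for this technique that rely on allowlists (the Service Creation analytic above, which uses known_admins and known_services, and the registry analytic just above) as one added Python example that is not from the page: service-log create/modify events are filtered by both lists, registry changes under HKLM\SYSTEM\CurrentControlSet\Services (or a ControlSet00N key) by known_admins only, and a write to a service's ImagePath value is rated higher because that value is what points the service at a binary. The allowlists, users, service names and events are all constructed.

```python
import re
from typing import Dict, List, Optional

# Allowlists the page's analytics reference as known_admins / known_services;
# these entries are constructed placeholders.
KNOWN_ADMINS = {r"CORP\svc_deploy", r"CORP\it_admin"}
KNOWN_SERVICES = {"wuauserv", "Spooler", "VendorAgent"}

# HKLM\SYSTEM\CurrentControlSet\Services\<name>[\<value or subkey>].
# CurrentControlSet is a link to one of the ControlSet00N keys, so both spellings
# of the path are accepted.
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)(?:\\(.*))?$",
    re.IGNORECASE)

# Constructed events in the two shapes the page's analytics consume.
EVENTS: List[Dict] = [
    {"sourcetype": "service_logs", "service_action": "create",
     "service_name": "VendorAgent", "user": r"CORP\svc_deploy"},           # known admin
    {"sourcetype": "service_logs", "service_action": "create",
     "service_name": "WinUpdateHelper", "user": r"CORP\jdoe"},             # unknown service, non-admin
    {"sourcetype": "service_logs", "service_action": "modify",
     "service_name": "Spooler", "user": r"CORP\jdoe"},                     # known service
    {"sourcetype": "service_logs", "service_action": "stop",
     "service_name": "Spooler", "user": r"CORP\jdoe"},                     # not create/modify
    {"sourcetype": "Sysmon", "EventCode": "13", "user": r"CORP\jdoe",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdateHelper\ImagePath",
     "details": r"C:\Users\Public\wuh.exe"},                               # binary path set
    {"sourcetype": "Sysmon", "EventCode": "13", "user": r"CORP\it_admin",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start"},  # known admin
    {"sourcetype": "Sysmon", "EventCode": "13", "user": r"CORP\jdoe",
     "registry_path": r"HKLM\SOFTWARE\Vendor\Setting"},                    # not a Services key
    {"sourcetype": "Sysmon", "EventCode": "12", "user": r"CORP\jdoe",
     "registry_path": r"HKLM\SYSTEM\ControlSet001\Services\Spooler\Parameters"},
]


def service_name_from_key(path: str) -> Optional[str]:
    """Service name for a path under the Services key, else None."""
    m = SERVICES_KEY.match(path)
    return m.group(1) if m else None


def triage_service_events(events: List[Dict]) -> List[Dict]:
    """Service-log rule: create/modify by a user outside known_admins on a
    service outside known_services. Registry rule: any change under the
    Services key by a user outside known_admins; a write to ImagePath is
    rated high because it points the service at a binary."""
    alerts = []
    for ev in events:
        user = ev.get("user", "")
        if ev.get("sourcetype") == "service_logs":
            if ev.get("service_action") not in ("create", "modify"):
                continue
            name = ev["service_name"]
            if user in KNOWN_ADMINS or name in KNOWN_SERVICES:
                continue
            alerts.append({"service": name, "source": "service_logs",
                           "severity": "medium", "user": user})
        elif ev.get("sourcetype") == "Sysmon" and ev.get("EventCode") in ("12", "13"):
            path = ev.get("registry_path", "")
            name = service_name_from_key(path)
            if name is None or user in KNOWN_ADMINS:
                continue
            value = SERVICES_KEY.match(path).group(2) or ""
            severity = "high" if value.lower() == "imagepath" else "medium"
            alerts.append({"service": name, "source": "registry",
                           "severity": severity, "user": user,
                           "value": value, "details": ev.get("details")})
    return alerts


if __name__ == "__main__":
    for a in triage_service_events(EVENTS):
        print(a)
```

Keeping the two rules separate matters: a known service modified by an unknown user is silent in the service-log rule but still surfaces through the registry rule, which is the gap the page's pair of analytics is meant to close together.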


T1219 - Remote Access Software


ID | Data Source | Data Component | Detects

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.



DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 | Process | Process Creation

Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install this remote software on compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions.


T1574 - Hijack Execution Flow


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may execute their own malicious payloads by hijacking the way operating systems run programs.

DS0022 | File | File Creation

Monitor for newly constructed files that may execute their own malicious payloads by hijacking the way operating systems run programs.



DS0022 | File | File Modification

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.

DS0011 | Module | Module Load

Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.

DS0009 | Process | Process Creation

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

DS0019 | Service | Service Metadata

Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.

DS0024 | Windows Registry | Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may execute their own malicious payloads by hijacking the way operating systems run programs.

Observed Countries (4)

AU (962)
JP (847)
UA (719)
US (154)