Research Saturday 6.25.22
Ep 238 | 6.25.22

Lazarus Targets Chemical Sector With 'Dream Job.'


Dave Bittner: Hello everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Alan Neville: Essentially, Symantec receives billions of rows in telemetry every day. And one of the things that's - my team do is actually dig through this telemetry in order to hunt down new threats. And it was through one of these analytics that we were able to identify some suspicious credential dumping activity, which led us on to uncovering Pompilus and their attacks against organizations operating in the chemical sector. 

Dave Bittner: That's Alan Neville. He's a principal threat intelligence analyst at Symantec. The research we're discussing today is titled "Lazarus Targets Chemical Sector." 

Dave Bittner: Well, before we dig into the details here, I mean, this centers around the Lazarus Group, which is out of North Korea. Can you give us a little bit of the background on them? 

Alan Neville: Yeah. So Lazarus itself is kind of more of a - what do you say - an all-encompassing name that mainly consists of a lot of different subgroups. Across Symantec themselves, we already actually track probably at least up to 15 different groups that are all kind of under that umbrella named Lazarus. And Lazarus was originally the name that was known as Hidden Cobra, which was used by the U.S. government. Essentially, there's many of these different subgroups. 

Alan Neville: We've split the mouse based on some of the separate activity that we actually track across Symantec. So we would have groups that we'd associate with North Korea like Louis (ph) or Bollworm (ph), for et cetera. Which, for example, let's say Bluist (ph), they would target individuals in South Korea using threats like Eagle Boss (ph), mainly executives doing their business or working in South Korea. Bollworm, for example, is another group that we track where they had previously hijacked software updates in order to install their malware. We had Clover Worm (ph), which we've also published on in the past. This was essentially an espionage effort by North Korea where they were involved in financially motivated attacks against crypto mining or crypto organizations. And some considered these groups known as like Spring Tail (ph), one in the same. But when we start to get into that activity for Clover Worm, we kind of split that out into two different groups. So it's somewhat confusing in terms of where lots of different vendors track all the subset of activity under different names. And Lazarus has essentially become one of these umbrella terms which kind of encapsulates all of North Korean activity. 

Dave Bittner: And as you mentioned, your team is tracking this particular group as the name Pompilus. Is that right? 

Alan Neville: Pompilus, yeah. 

Dave Bittner: All right. 

Alan Neville: That's the group that we've dubbed for this particular set of activity. 

Dave Bittner: And so this starts out with a continuation of Lazarus' technique that - just referred to as Operation Dream Job. 

Alan Neville: Yeah. So Dream Job is quite interesting. There's actually been quite a bit of reporting about this over the last several years. It was first published by our colleagues in ESET in a blog around June 2020, where they specifically detailed a campaign which attacked defense and aerospace companies in Europe and the Middle East between, like, September and I think it was December 2019. And that campaign, which they named Interception, made use of social engineering and relied on, like, a modular malware to collect and perform reconnaissance on target networks. 

Alan Neville: And at that time, according to ESET, the attackers made initial contact with their targets through LinkedIn. The attackers themselves had been creating profiles impersonating HR recruiters from international companies in the defense sector and aerospace sectors. And they used these copycat profiles to send job offers to their targets. And for any of those who may have shown interest in those jobs, they would then eventually send them, like, a password-protected archive, which was either sent directly to them via email or may have a link to, like, one of those cloud providers like OneDrive to install their malware. 

Alan Neville: And then later, I suppose in 2020, McAfee also documented a similar campaign. They released a blog where they detailed the malicious documents that were being sent to the individuals related to legitimate job offers at leading defense contractors. All of the organizations that were detailed in that blog had active defense contracts of varying sizes and scope, all with the U.S. government. 

Alan Neville: And then there was also additional reporting by ClearSky. They had released a report where they detailed some sort of tactics of the attackers. For example, they began to impersonate legitimate individuals and companies, not just setting up fake profiles but actually copying LinkedIn profiles from existing employees and using their images as well. They began to build up a reputation by adding other individuals within those companies to LinkedIn before they began reaching out to their targets, essentially kind of using the same means as before, like, sending job offers. And in those cases, they began leveraging other messaging platforms as well. So it wasn't just LinkedIn, but they began to branch out on to other platforms like WhatsApp or directly through SMS texts and even on Twitter. And then we'd also seen a blog that was published in January 2021 by Google, and they had observed similar campaigns. But in these cases, it looked like the attackers had shifted their focus away from defense and aerospace and started focusing on security researchers. 

Alan Neville: In these campaigns, the attackers began to impersonate professional security researchers, setting up LinkedIn profiles and Twitter accounts - a lot of what we've seen previously. They even went as far as starting to create blogs, publishing articles on exploits, vulnerability research in attempt to build up that reputation. One stage, they even created fake YouTube videos, supposedly demonstrating a zero-day exploit against Windows Defender, and this was later proven to be fake. They had used these types of tactics as a means to build up a reputation. And then using that reputation would begin to reach out to other security researchers and begin to ask somebody like to collaborate on some vulnerability research to the point where they would send them a Visual Studios project, which would essentially install some malware on to the security researchers' machines. 

Dave Bittner: Well, let's dig into this particular campaign. And what were you tracking here? 

Alan Neville: During this time, we had obviously been keeping track of all this activity, which we then began tracking as a separate group 'cause it looked like very kind of unique characteristics in terms of some of the tactics and tools that the group were using. And around late, I suppose, 2021, we began observing a shift in some of the targeting by the actors whereby they began to focus on health care and pharmaceutical sectors, initially, retaining access in some of those organizations for up to several months, similar to what we'd previously reported. 

Alan Neville: We've observed the attackers leveraging various social media platforms, sending malicious documents with lures related to pharma and jobs, job offers, and identified a potentially new and documented vector as well whereby attackers were installing their tools via legitimate system management software tools to spread across the networks. We'd also observed the attackers targeting financial organizations that were heavy into cryptocurrency as well. As we continued to monitor the group into 2021 and then later into 2022, we noticed a second shift in their targeting where - whereby they began to set their sights on organizations operating in the information technology sector, which include web hosting companies, some small-time registrars, and we'd also seen some IT support contractors as well. 

Alan Neville: And then at a later stage, we started seeing a shift towards conglomerates. We believe that they had targeted these organizations in the IT sectors initially to build out some of their infrastructure. The majority of the command-and-control servers that they use are compromised websites, so it kind of makes sense for them to go after those organizations. However, there was another theory as well that they were likely targeting these organizations as a means to get access to other organizations of interest, essentially, I suppose, performing a supply chain attack. And we noticed some of the other victims around that time were partnered with some of those IT contractors. 

Alan Neville: In terms of the chemical targeting, as we began to, I suppose, dig into those conglomerates, we had noticed that majority of those victims actually operated within the chemical sector. Specifically, the machines that Lazarus were targeting at the time, all were related to machines that were being used to conduct research in the chemical sector, specifically around some projects that were being worked on in collaboration with different organizations. 

Dave Bittner: The research that you all have posted here includes a case study, what you tracked from an organization in the chemical sector. Can we go through that together, get some insights as to how Lazarus went about this? 

Alan Neville: Yeah. So in the recent victim that we described in the blog, we'd seen the victim themselves were operating in the chemical sector. They were part of a conglomerate. We believe that they had been initially sent some malicious emails that contained links to remote sites. And the user that they had targeted essentially had opened the email, clicked the link, which in turn was able to download and install a malicious DLL file onto their machine, which essentially gave the actors a backdoor access. 

Alan Neville: So once that backdoor was installed and executed, it was used to download a second-stage payload, which the attackers were able to leverage, and that gave them the ability to be able to execute arbitrary commands that were all being executed in memory. And they were able to use - again, use that access to install additional tools, potentially steal information from the infected machine itself. And in multiple cases where we observed them installing these tools, we had seen them leveraging trojanized versions of legitimate projects like compression libraries. 

Alan Neville: In some instances, we had seen them using system management software to install some of the backdoors on other machines once they gained that initial access. And again, that's probably all likely just to try to remain under the radar for as long as possible within those organizations. I suppose, after the attackers had gained that access, one of the first things we'd seen them do is obviously start to collect credentials to assist in that lateral movement. The attackers then began creating multiple scheduled tasks to ensure persistence as a means to run commands. They were leveraging batch files to do this in those cases, and we also observed them installing older versions of, like, I think we had seen Bitdefender, which had software that was vulnerable to remote code execution vulnerabilities, which, again, was likely to allow them to execute arbitrary commands on harder-to-reach systems. Beyond those backdoor tools and the remote access tools that we'd seen them install within that victim, it looked like they also were able to deploy tools to be able to take screenshots to monitor machines of interest, and this tool would take screenshots of browsed web pages every 10 seconds and send those images back to the attackers. 

Dave Bittner: Now, by what means were they ultimately detected? 

Alan Neville: The cases where these were initially detected, it was all through the analytics that our team actually developed. So like that, we collect billions of rows of telemetry that are submitted to Symantec every day as part of that threat hunting effort that we actually do. We - one of those approaches that we use would be to design a lot of these analytics to identify the suspicious attack behavior. It's usually through those that we're able to identify it. And in this case, this is what we were actually able to find. We were able to identify some suspicious credential-dumping activity that was identified through those analytics. 

Dave Bittner: And so what are your recommendations in terms of protection and mitigation? How can folks best prevent this? 

Alan Neville: For recommendations for protection, I'd obviously - first thing I would actually recommend would be adopting a defense-in-depth strategy. So that would be using, like, multiple detections and protection technologies, essentially, to try and mitigate risks at all points of the potential attack chain. I'd also recommend leveraging two-factor authentication where possible, and, generally, this would be a good thing to do to help limit the usefulness of any compromised credentials. Standard things, like restricting remote desktop protocol access or any other tools that can enable remote desktop access, monitor any system management software that may be leveraged within your organization to ensure you have visibility of what's being delivered to your endpoints, and then also things like enabling logging of PowerShell and dual-use tool usage as well. I'd also recommend working with your own security teams and security vendors. Review the protection information that's available, shared through our blog or shared through our other colleagues as well, to ensure all the steps have been taken to detect and block this type of activity across your organization. 

Dave Bittner: Now, is your sense that the primary goal here was espionage as opposed to - because we're dealing with a chemical sector as opposed to, you know, getting into industrial control systems - those kinds of things? 

Alan Neville: Yeah. As we began to dig into some of those recent victims, we quickly realized the attackers were clearly interested in chemical research. The organizations where we actually observed the attackers gaining access to, we were able to quickly identify that those victims had work relationships with each other, and we could see them specifically seeking out research materials in these cases related to epoxy research that the organizations were collaborating on. And what was pretty interesting about epoxy research - it's not just glue at the end of the day. It actually has many other practical uses, among some of them being solid-state fuels. As we know, North Korea have ramped up their missile testing since the beginning of 2022, and we believe it's likely due to the, like, sanctions that have been imposed on their country. The fact that they've been excluded from that wider scientific community, they're beginning to resort to stealing that type of research and intellectual property to further their own either nuclear programs or interests. What's also interesting about this is we've also seen other North Korean groups as well targeting the chemical sector for similar research recently. This is a group that we've known, or that we track and we've also published on in the past, known as Stonefly. And at that time, they had been targeting, again, conglomerates, again, involved in research around super alloys specifically used for heat shielding, and it appears to be some sort of, like, directive of theirs to collect this type of information. 

Dave Bittner: Our thanks to Alan Neville from Symantec for joining us. The research is titled "Lazarus Targets Chemical Sector." We'll have a link in the show notes. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.