A collaborative cross-industry operation has targeted an aggressive threat group known as Lazarus. The initiative, called Operation Blockbuster was led by analytics firm Novetta and aims to significantly bolster defenses against the cyberespionage group and its disruptive campaigns.
A cross-industry initiative aims to tackle a disruptive attack group called Lazarus. Attacks linked with the threat actor targeted the US and South Korea, and some involved destructive malware.
Symantec has been tracking attacks associated with Lazarus since 2009. It has been linked to a wide range of incidents, several of which involved highly destructive malware. Lazarus appears to be particularly focused on targets in the US and South Korea.
Recently announced, Operation Blockbuster involves major security vendors sharing intelligence and resources in order to assist commercial and government organizations in protecting themselves against Lazarus. As part of the initiative, vendors will circulate malware signatures and other useful intelligence related to these attackers.
Active since at least 2009, Lazarus is a well-resourced adversary, capable of mounting cyberespionage operations in addition to high-profile destructive attacks. There is some evidence to suggest that Lazarus may consist of several associated groups of attackers. If this is the case, then it is possible that these groups are acting in concert, under the direction of one entity.
Trail of destruction
Lazarus has been linked to a series of attacks since 2009. Symantec has observed commonalities between multiple targeted campaigns it may have been involved with. Lazarus is notable for its use of aggressive and destructive tactics, such as the use of disk-wiping malware, to cause maximum disruption to its targets
One of the earliest attacks linked to Lazarus occurred when distributed denial of service attacks (DDoS) attacks knocked a number of US and South Korean websites offline. A Trojan known as Dozer (detected by Symantec as Trojan.Dozer) mounted the DDoS attacks using computers it had previously compromised. Dozer was spread through emails in a campaign involving a number of worms (detected as W32.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen).
A similar wave of DDoS attacks hit South Korean websites in 2011, this time involving more destructive malware known as Trojan.Koredos. The Koredos Trojan not only used the infected computer to mount DDoS attacks; it also wiped the computer after a short period of time. Upon infection, the Trojan scanned for a number of different file types and copied them into an inaccessible encrypted .cab file before deleting the originals. A number of files that the Trojan searched for were related to software predominantly used in Korea (e.g. .alz, .gul, and .hwp). After this, the Trojan delivered the coup de grâce by deleting the master boot record (MBR) on all connected drives between 7 and 10 days after the initial infection. This resulted in Windows being unable to restart, effectively rending the computer unusable.
Lazarus was also linked to a series of destructive attacks against a number of South Korean corporations in 2013. Banks, broadcasters, and telecoms companies were among those affected. The attacks were reported to have compromised the targets’ servers with a disk-wiping Trojan (detected by Symantec as Trojan.Jokra). In addition to this, one telecoms firm had its website defaced with an animated image of skulls and a message from the alleged attackers, who called themselves the “Whois” team.
Aggressive attacks linked to Lazarus continued in 2014 and the group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack.
Although used against US targets, Destover shared several links to earlier attacks directed at targets in South Korea. Some samples of Destover reported to a command and control (C&C) server that was also used by a version of Trojan.Volgmer, which was crafted to attack South Korean targets. The shared C&C server indicated that the same group may have been behind both attacks. An updated version of this malware (detected as Trojan.Volgmer.B) has been used in more recent attacks against large South Korean companies.
Some of the most recent activity linked to Lazarus involved a Trojan detected as Backdoor.Duuzer. Although detected in a range of locations, one of the threat’s targets was the South Korean manufacturing industry. Duuzer’s main function appears to be cyberespionage. The Trojan provides attackers with remote access to the compromised computer, and allows them to download additional files and steal data.
There was also some evidence to suggest that the attackers behind Duuzer were spreading two other threats, detected as W32.Brambul and Backdoor.Joanap, to target more organizations in South Korea. Both pieces of malware appear to be designed to download extra payloads and carry out reconnaissance on infected computers.
Ongoing vigilance required
Attacks associated with Lazarus have frequently been highly destructive. Aside from the level of aggression displayed, Lazarus is notable for the range of tools used and the fact that it is linked to destructive attacks and lower-profile, espionage operations.
By pooling together our respective insights into Lazarus, Symantec and other members of the Operation Blockbuster team hopes to strike a blow to this group while ensuring that our customers have robust protection against its tools.
Symantec and Norton products protect against threats associated with Lazarus with the following detections:
Intrusion prevention system
• System Infected: Backdoor.Joanap Activity
• System Infected: Backdoor.Duuzer Activity
• System Infected: Trojan.Volgmer Activity
• System Infected: Backdoor.Destover Activity
• System Infected: Backdoor.Destover Activity 2
• System Infected: Backdoor.Destover Activity 3