Lazarus Group has used PowerShell to execute commands and malicious code.
Command and Scripting Interpreter: PowerShell

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.

Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user's Startup folder.
Boot or Logon Autostart Execution: Shortcut Modification

During Operation Dream Job, Lazarus Group placed LNK files into the victims' Startup folder for persistence.
Lazarus Group has maintained persistence by loading malicious code into a Startup folder or by adding a Registry Run key.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Lazarus Group malware sample encrypts data using a simple byte-based XOR operation prior to exfiltration.
Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.
During Operation Dream Job, Lazarus Group archived the victim's data into a RAR file.
Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in.

The KilaAlfa keylogger also reports the title of the window in the foreground.
Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process.

During Operation Dream Job, Lazarus Group used HTTP and HTTPS to contact actor-controlled C2 servers.
Lazarus Group has conducted C2 over HTTP and HTTPS.
Application Layer Protocol: Web Protocols

Lazarus Group executed Responder using the command -i -rPv on a compromised host to harvest credentials and move laterally.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

During Operation Dream Job, Lazarus Group used file hosting services like Dropbox and OneDrive.
Lazarus Group has hosted malicious downloads on GitHub.
During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.
During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.
Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.
Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator's account.
During Operation Dream Job, Lazarus Group queried the compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts.
Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with the API call CreateProcessAsUserA under that user's context.

Virtualization/Sandbox Evasion: Time Based Evasion
Access Token Manipulation: Create Process with Token
Virtualization/Sandbox Evasion: System Checks
System Location Discovery: System Language Discovery
Server Software Component: IIS Components
Search Open Websites/Domains: Social Media
Obtain Capabilities: Code Signing Certificates
Obfuscated Files or Information: Software Packing
Gather Victim Org Information: Identify Roles
Application Layer Protocol: Web Protocols
Archive Collected Data: Archive via Utility
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Command and Scripting Interpreter: Visual Basic
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Develop Capabilities: Code Signing Certificates
Encrypted Channel: Symmetric Cryptography
Establish Accounts: Social Media Accounts
Exfiltration Over Web Service: Exfiltration to Cloud Storage