
North Korean Threat Actors Living Off the Land

Written by PolySwarm Tech Team | Oct 11, 2022 4:47:31 PM

Related Families: ZetaNile (BlindingCan), EventHorizon

Verticals Targeted: Media, Defense, IT Services, Aerospace

Executive Summary

Microsoft recently reported that the North Korean threat actor group Lazarus is using living off the land (LOTL) techniques to target multiple verticals. The legitimate tools it has weaponized include the SSH clients PuTTY and KiTTY, as well as TightVNC Viewer, Sumatra PDF reader, and the MuPDF/Subliminal Recording installer.

Key Takeaways

  • North Korean threat actor Lazarus is living off the land, leveraging weaponized versions of legitimate open-source tools to deliver ZetaNile and EventHorizon malware.
  • The threat actors use social engineering and a job recruiting lure to target victims via LinkedIn and WhatsApp.
  • Legitimate tools weaponized by the threat actors include PuTTY, KiTTY, TightVNC Viewer, Sumatra PDF, and MuPDF/Subliminal Recording Installer.

The Campaign

Living off the land refers to a threat actor’s use of trusted, non-malicious system tools to spread malware. These can include administrative, forensic, and system tools already installed on the victim’s machine.

In this campaign, Microsoft observed Lazarus leveraging multiple legitimate open-source tools to live off the land. The threat actors used social engineering to target victims across multiple verticals in the US, UK, India, and Russia. The campaign was active as early as June 2022, with threat actors connecting with targets on LinkedIn. The threat actors posed as recruiters for the media, defense, aerospace, and IT services verticals and primarily targeted engineers and tech support professionals. They lured the victims to communicate via WhatsApp, which they used to deliver the malicious tools.

The threat actors used EventHorizon and ZetaNile (BlindingCan) malware in the campaign. ZetaNile uses C2 communications that can blend in with legitimate traffic. Once a victim was successfully compromised, the threat actors moved laterally and stole information.

Weaponized Tools

Lazarus weaponized multiple legitimate open-source tools, as described below.

PuTTY

PuTTY is a legitimate open-source SSH and telnet client for Windows and Unix systems. The weaponized version leveraged by Lazarus uses scheduled tasks to establish persistence on a victim machine. It installs EventHorizon malware.
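
One way to hunt for the scheduled-task persistence described above, as an added example that is not from Microsoft's report or PolySwarm: it parses Task Scheduler XML (the format `schtasks /query /xml` exports) and flags actions that run from user-writable locations. The task names, paths, and the list of user-writable markers are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from ntpath import normcase

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: path fragments that point at locations a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "%appdata%", "%localappdata%", "%temp%", "%public%")


def make_task(command, arguments=""):
    """Build a minimal Task Scheduler XML document (constructed sample input)."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec>'
            f'<Command>{command}</Command><Arguments>{arguments}</Arguments>'
            '</Exec></Actions></Task>')


# Constructed tasks; names and paths are illustrative, not taken from the campaign.
SAMPLE_TASKS = {
    "VendorUpdate": make_task(r"C:\Program Files\Vendor\updater.exe", "/silent"),
    "HelperSync": make_task(r"C:\Users\eng1\AppData\Roaming\upd\helper.exe"),
    "CacheRefresh": make_task(r"C:\Windows\System32\rundll32.exe",
                              r'"C:\ProgramData\cache\mod.dll",Start'),
}


def suspicious_task_actions(task_xml_by_name):
    """Flag Exec actions whose command or arguments reference a user-writable path."""
    findings = []
    for name, xml_text in task_xml_by_name.items():
        root = ET.fromstring(xml_text)
        for exec_el in root.findall("t:Actions/t:Exec", NS):
            command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
            arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
            # Check arguments too: a system binary can be the launcher for a payload elsewhere.
            haystack = normcase(f"{command} {arguments}")
            hits = [m for m in USER_WRITABLE if m in haystack]
            if hits:
                findings.append({"task": name, "command": command,
                                 "arguments": arguments, "matched": hits})
    return findings


if __name__ == "__main__":
    for hit in suspicious_task_actions(SAMPLE_TASKS):
        print(f"{hit['task']}: {hit['command']} {hit['arguments']} (matched {hit['matched']})")
```

Findings are leads for triage, since some legitimate per-user updaters also register tasks that run from the user profile.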

KiTTY

KiTTY is a legitimate open-source SSH and telnet client forked from version 0.76 of PuTTY and developed only for Windows. Lazarus only recently added a weaponized version of KiTTY to its arsenal. It is used to deliver an EventHorizon/ZetaNile payload. The threat actor uses DLL search order hijacking to load malicious DLL files that perform tasks within the context of legitimate Windows processes.
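
Detection logic for the DLL search order hijacking described above, as an added example that is not from Microsoft's report or PolySwarm: it flags image-load events where a DLL carrying a System32 name was loaded from outside the system directories. The events use Sysmon Event ID 7 field names but are constructed, and the baseline DLL names and paths are assumptions, not indicators from this campaign.

```python
from ntpath import basename, dirname, normcase

# Assumption: a baseline of DLL names shipped in System32 (build it from a clean host).
# These four are real Windows DLLs chosen for illustration, not names from the campaign.
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll", "uxtheme.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed image-load events using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\eng1\Downloads\tools\kitty.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\eng1\Downloads\tools\kitty.exe",
     "ImageLoaded": r"C:\Users\eng1\Downloads\tools\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\eng1\Downloads\tools\kitty.exe",
     "ImageLoaded": r"C:\Users\eng1\Downloads\tools\kitty_helper.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\ProgramData\cache\DWMAPI.dll", "Signed": "true"},
]


def in_system_dir(directory):
    """True if the directory is a system directory or a subdirectory of one."""
    return any(directory == s or directory.startswith(s + "\\") for s in SYSTEM_DIRS)


def find_shadowed_loads(events, system_dlls=frozenset(SYSTEM_DLLS)):
    """Return loads of system-named DLLs that resolved outside the system directories."""
    findings = []
    for ev in events:
        loaded, image = normcase(ev["ImageLoaded"]), normcase(ev["Image"])
        name = basename(loaded)
        if name not in system_dlls or in_system_dir(dirname(loaded)):
            continue  # not a baseline name, or loaded from where it belongs
        # In the default search order the application directory comes before
        # System32, so a copy placed beside the executable wins the search.
        beside_exe = dirname(loaded) == dirname(image)
        unsigned = ev.get("Signed", "false").lower() != "true"
        findings.append({"process": image, "dll": name, "path": loaded,
                         "beside_exe": beside_exe,
                         "severity": "high" if beside_exe and unsigned else "medium"})
    return findings


if __name__ == "__main__":
    for hit in find_shadowed_loads(SAMPLE_EVENTS):
        print(hit["severity"], hit["process"], "->", hit["path"])
```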

TightVNC Viewer

TightVNC Viewer is a legitimate remote desktop application that allows a user to access and control another machine via remote desktop. Lazarus has been using a weaponized version of TightVNC Viewer since at least September 2022. The weaponized payload was delivered in conjunction with a weaponized SSH utility. It has a pre-populated list of remote hosts and is configured to install a backdoor when the victim selects the remote host ec2-aet-tech.w-ada[.]amazonaws.

Sumatra PDF

Sumatra PDF reader is a legitimate open-source document viewer supporting multiple formats, including PDF, CHM, DjVu, EPUB, FB2, MOBI, PRC, and others. Lazarus has used a weaponized version of Sumatra PDF since at least 2019. It is a modularized loader that can install ZetaNile by loading a weaponized file masquerading as a job application PDF.


MuPDF/Subliminal Recording Installer

MuPDF is a legitimate open-source PDF, XPS, and e-book viewer. It supports PDF, XPS, OpenXPS, CBZ, EPUB, and FB2 file formats and allows the user to annotate PDF documents. The library is written in portable C and is extensible, allowing developers to add functionality. It also has a Java library, making it compatible with Java and Android. Lazarus uses a weaponized version of MuPDF to deliver EventHorizon as second-stage malware.


Who is Lazarus?

Lazarus, also known as Zinc, Dark Seoul, Labyrinth Chollima, and APT 38, is a state-sponsored threat actor group likely affiliated with North Korea’s Reconnaissance General Bureau. The group’s members are reportedly trained in malware and espionage operations in Shenyang, China. Lazarus is known for espionage activity, disruptive activity, and financially motivated attacks. Lazarus TTPs include DDoS attacks, wiper malware, botnets, keyloggers, living off the land, LOLBins, and RATs.


The group’s first known activity was Operation Troy, an espionage campaign targeting the South Korean government. The group has been active since at least 2009. Lazarus group’s espionage activity is in line with intelligence collection requirements for the North Korean government, targeting South Korea, the US, and other nations. Lazarus is thought to be responsible for the 2014 Sony Pictures attack and the 2017 WannaCry ransomware campaign. Lazarus has also targeted banks in Ecuador, Vietnam, Bangladesh, Mexico, Poland, and Taiwan and has been known to steal cryptocurrency. In 2020, Lazarus was reportedly responsible for an attack on multiple pharmaceutical companies, including AstraZeneca.

IOCs

PolySwarm has multiple samples associated with this activity.


1492fa04475b89484b5b0a02e6ba3e52544c264c294b57210404b96b65e63266

63cddab76e9d63e3cbea421b607342735d924e462c40f3917b1b5fbdf8d4a20d

