Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies - Intezer

Blog

Cybersecurity DNA

Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies

Jay Rosenberg
28.03.18 | 2:39 pm
Share:
FacebookTwitterLinkedIn

Introduction

Cyber attacks from the Lazarus Group, a threat actor associated with North Korea, has not slowed down and their malware toolset continues to evolve. A few months ago, we published a general research of the Lazarus Group and the Blockbuster campaign including code reuse and similarities throughout their malware up until the latest news regarding targeting bitcoin and cryptocurrency exchanges. In recent attacks, the Lazarus Group has been spreading malicious documents with a RAT embedded inside that gets executed through a VBA  macro. These malicious documents contained a job description for different positions in various industries.

Through our research, we came across a new malicious document where we have found changes and a continuation to their campaign targeting potential cryptocurrency exchanges, FinTech, financial companies, and others who might be involved with cryptocurrencies. The malicious document came embedded with an upgraded and revamped version of a RAT they have added to their arsenal.

 

Infection Vector

The malicious document’s original creation name is “Investment Proposal.doc” and attempts to impersonate an employee of an Australia based law firm for commercial and financial services named Holley Nethercote. The document states that they have evaluated several cryptocurrencies and they have put together an investment proposal aimed at FinTech, financial, and other companies who might be interested in taking an investment. As can be seen in the photos of the document below, the document is of very low quality, meaning there are inconsistencies and typos everywhere in a document supposedly from a law firm.

 

 

The first page contains a basic description of what the investment proposal involves. Take note of the name “Kate Harris,” a director from Holley Nethercote, by whom the document was supposedly written.

 

 

The second page is a general description of the company Holley Nethercote which is directly taken from the first page of a PDF on the company’s website

 

 

The third page is a list of their employees and staff as can also be found on their website. Remember Kate Harris, the director, from before? Shockingly enough, she does not exist on this list.

 

 

The fourth page contains a chart of various cryptocurrencies and random values associated with them. The interesting point here is the date of a Bitcoin price that it mentions from February 9th, 2018 which helps us put on a timeline of when this malicious document was originally created.

 

 

The fifth page states how they would like to invest $50M in the company that received this document and contains some typos like “out” instead of “our” and other grammatical errors.

 

The sixth page is a very poorly written document supposedly signed by the CEO of Holley Nethercote involving the investment proposition. It also contains various typos and grammatical errors with the general flow not making sense.

 

 

The seventh and last page contains some fake contact information including a phone number from the UK that is from an online service that allows you to receive an SMS through the website.

Technical Details

Upon launching the document, an obfuscated VBA macro is executed to drop and execute an embedded remote access tool.

(embedded VBA macro)

The embedded RAT is dropped to and executed from %USERPROFILE%\RuntimeBroker.exe. More evidence besides the date in the content of the document, pointing to this malware out in February is that we can also see the compilation timestamp is from February 14, 2018 and the upload date was on March 2, 2018.

After uploading the RAT to Intezer Analyze™, we found 4% of the code to have been used in previous malware attributed to the Lazarus group, but 85% of the code base is completely unique. This says to us that they made some changes to their code.

 

(https://analyze.intezer.com/#/analyses/ffb3993e-d646-42ad-8449-104d751cc17b)

 

The first code that gets executed within the RAT first decrypts a locally created, XOR encrypted buffer of names of modules and imports that it resolves via GetProcAddress. Resolving the binary’s own imports in this manner is very common in many of the previous Lazarus attributed malware.

 

 

 

Next, the RAT creates a shortcut of itself to %USERPROFILE%\Start Menu\Programs\Startup\RuntimeBroker.lnk in order to maintain persistence and sets the attributes of itself using SetFileAttributesW to HIDDEN | SYSTEM | NORMAL. Inside of the function that is used for setting up the persistence, we can find a call to a function that is responsible for decrypting a buffer containing multiple wide strings used throughout the binary.

 

 

As can be seen in the function, it uses a very basic decryption routine to decrypt the locally stored buffer. The decrypted buffer is as follows:

 

 

The parameter to the function responsible for decrypting this buffer is an offset to grab a string from this decrypted buffer by multiplying it by two, since these are wide strings.

Strangely enough, a lot of these strings are not used anywhere in the binary. By the strings, you can see there is an intention of including a simple anti-VM technique to detect VirtualBox. There is also one more function located within the binary, responsible for the same functionality with a different buffer containing different strings.

 

 

Following all of this, the RAT then creates a backdoor which then waits to receive commands from the various C&C servers.

 

 

 

The C&C handler used to follow a pattern of command IDs but it appears to have changed to random command values and contains commands with new functionality. Their handler is able to handle 22 different commands and the descriptions of each can be found in the chart below.

 

Command ID

Functionality

0xF4004A Execute cmd.exe and output results to temp file or retrieve CD via GetCurrentDirectoryW.

Cmd.exe /c “<cmd> > <temp file>” 2>&1

0x460017 Collect various information about the hard drive such as the space and volume information
0x7C00E6 Collect various information about the computer such as the computer name, username, host name, and more.
0x6400E5 Creates new process via CreateProcessW
0xBE007B Collect data about running processes by traversing the process list via CreateToolhelpSnapshot32 related APIs
0x8500AF Terminates a process by name
0xC004B Gets specific file(s) data such as filenames, times, and attributes
0xD7007C Collects a file and sends it to the C&C
0x3300E2 Zips file(s) to temp and sends archive to C&C
0x9D00B0 Write a file received from the server
0x200DF Write a 5mb file with random bytes
0x2E0016 Deletes files
0x6C00AE Overwrites entire file(s) contents with 0xCC and then deletes the file
0xFD0013 Recursively traverse directory collecting file information
0x3C00AB Checks if socket write access is valid to a given address
0x4B00E3 Sets file(s) time via SetFileTime
0xE50012 Configuration
0x5400AC Updates socket configuration
0x1B00E1 Renames file and sets attributes
0x750077 Elevate process privileges
0xCC0010 Inject code received by server into process
0x150014 Pong response to ping

 

The binary uses wolfSSL to encrypt the network traffic containing two different certificates and one private key. The certificates are stored in a local buffer of a function located within the binary.

 

-----BEGIN CERTIFICATE-----

MIIDYjCCAkqgAwIBAgIIAT8TuSzaBG4wDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE

BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh

bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi

GA8yMDE3MDkyNDA3MDMzOFoYDzIwMTkwMjA3MDcwMzM4WjBmMQswCQYDVQQGEwJV

UzEZMBcGA1UECgwQR2xvYmFsU2lnbiBudi1zYTE8MDoGA1UEAwwzR2xvYmFsU2ln

biBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBDQSAtIFNIQTI1NiAtIEcyMIIBIjAN

BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ryTXUQ8bY1

n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQu2lSEAMv

qPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkcrMft8nyV

sJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfaQG/YIdxz

G0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+jJtK3b7Fa

F9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02eQIDAQAB

oxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA261N1CtZuZ4Mf

5Q+KghudGcp+sG2X1UzQ8eZqYK+6xmIClKWSQ3EhWB19zor2dOOb2fRJ4iw72Lhy

cH57R84whQSqqY9tqjwwulavMAzdBlz3RqsnAqdL5C6jeEfJmxmymH4Jz6kqJbCh

H1LVp6ToJ+lYA0QoCxkMqe6jCWE5K8QefM/kx8WhROJTdHHUKjFXFmon/fIJUAxo

SesxW3+YPeY7zzBUIjh0lYMhiyvXMDIMLo9zewR2nfi3aAa+APwAulTjm46dbH4K

cn7jc8IOt954R5jakc0AhtSZUHlPqKKHZy19iDfpcoFA7L/WuiNkfYPvN6eaxAvA

b3dxfi8N

-----END CERTIFICATE-----




-----BEGIN CERTIFICATE-----

MIIDgTCCAmmgAwIBAgIIAUyTG93zLTEwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE

BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh

bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi

GA8yMDE3MDkyNDA3MDUyMVoYDzIwMTkwMjA3MDcwNTIxWjCBljELMAkGA1UEBhMC

VVMxEDAOBgNVBAgMB05ld1lvcmsxEzARBgNVBAcMClJpdmVyIFZpZXcxIzAhBgNV

BAoMGldpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMuMRgwFgYDVQQDDA8qLndpa2lw

ZWRpYS5vcmcxITAfBgkqhkiG9w0BCQEWEmluZm9Ad2lraXBlZGlhLm9yZzCCASIw

DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2q

KlIHR9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEe

e5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0Ybf

N1EbDKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaD

uh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbb

bfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEA

ATANBgkqhkiG9w0BAQsFAAOCAQEAGjef4dfuIkF7MdfLs4x5KqzM4/5+h1lS+SWS

ojTaAuH2++1pGgVV4vfGB9QVxoTDkcp5wWjw184x+P19Fjio+ucUUOmFmD7BERXX

V4NZMv/TwucAbRIb6/FRv13Koigi05tIhXesownpbMZq7p6I9P9GAd/Uu7XCMTPO

UHpuTtNoI+tjwwBhZK0XXp5ORdHKWbXfLXQgiCXLPJntKdrRnUzJpXvYQzTeZKxf

dQmjS8QN8IFtvBuprb3grAhm/wV+ueerTcM/wyBOu/7gg0J7CsjztqtomIHYAbpi

x5pf3b6mzKG72ibnaKgL29wur5Cs+8in9d8/kOxgTpWbzZc35A==

-----END CERTIFICATE-----




-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAwwPRK/45pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvG

w0Se1IFI/S1oootnu6F1yDYsStIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJ

W+Q098WwFJP1Z3s6enjhAVZWkaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbf

G36/TpfQEOioCDCBryALQxTFdGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnN

rv94bHvAEgPUTnINUG07ozujmV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAY

E7BjtXJOMMSXhIYtVi/XFfd/wK71/Fvl+6G60wIDAQABAoIBAQCi5thfEHFkCJ4u

bdFtHoXSCrGMR84sUWqgEp5T3pFMHW3qWXvyd6rZxtmKq9jhFuRjJv+1bBNZuOOl

yHIXLgyfb+VZP3ZvSbERwlouFikN3reO3EDVou7gHqH0vpfbhmOWFM2YCWAtMHac

PM3miO5HknkLWgDiXl8RfH35CLcgBokqXf0AqyLh8LO8JKleJg4fAC3+IZpTW23T

K6uUgmhDNtj2L8Yi/LVBXQ0zYOqkfX7oS1WRVtNcV48flBcvqt7pnqj0z4pMjqDk

VnOyz0+GxWk88yQgi1yWDPprEjuaZ8HfxpaypdWSDZsJQmgkEEXUUOQXOUjQNYuU

bRHej8pZAoGBAOokp/lpM+lx3FJ9iCEoL0neunIW6cxHeogNlFeEWBY6gbA/os+m

bB6wBikAj+d3dqzbysfZXps/JpBSrvw4kAAUu7QPWJTnL2p+HE9BIdQxWR9OihqN

p1dsItjl9H4yphDLZKVVA4emJwWMw9e2J7JNujDaR49U0z2LhI2UmFilAoGBANU4

G8OPxZMMRwtvNZLFsI1GyJIYj/WACvfvof6AubUqusoYsF2lB9CTjdicBBzUYo6m

JoEB/86KKmM0NUCqbYDeiSNqV02ebq2TTlaQC22dc4sMric93k7wqsVseGdslFKc

N2dsLe+7r9+mkDzER8+Nlp6YqbSfxaZQ3LPw+3QXAoGAXoMJYr26fKK/QnT1fBzS

ackEDYV+Pj0kEsMYe/Mp818OdmxZdeRBhGmdMvPNIquwNbpKsjzl2Vi2Yk9d3uWe

CspTsiz3nrNrClt5ZexukU6SIPb8/Bbt03YM4ux/smkTa3gOWkZktF63JaBadTpL

78c8Pvf9JrggxJkKmnO+wxkCgYEAukSTFKw0GTtfkWCs97TWgQU2UVM96GXcry7c

YT7Jfbh/h/A7mwOCKTfOck4R1bHBDAegmZFKjX/sec/xObXphexi99p9vGRNIjwO

8tZR9YfYmcARIF0PKf1b4q7ZHNkhVm38hNBf7RAVHBgh58Q9S9fQnmqVzyLJA3ue

42AB/C8CgYAR0EvPG2e5nxB1R4ZlrjHCxjCsWQZQ2Q+1cAb38NPIYnyo2m72IT/T

f1/qiqs/2Spe81HSwjA34y2jdQ0eTSE01VdwXIm/cuxKbmjVzRh0M06MOkWP5pZA

62P5GYY6Ud2JS7Dz+Z9dKJU4vjWrylznk1M0oUVdEzllQkahn831vw==

-----END RSA PRIVATE KEY-----

 

Conclusion

As we can see, the Blockbuster campaign and the Lazarus group are still active and have shown a continued interest in cryptocurrencies and companies surrounding cryptocurrency. Numerous exchanges are believed to have been hacked by the Lazarus group and there has been a significant amount of money stolen by doing so. Since their efforts have been so successful, it does not look like they will slow down anytime soon with these types of targets.

 

IoCs

Malicious Document – 6b424d75445b3dabfb9b20895d0a1ce1430066ce7f3fcd87aa41fa32260ff92d

RAT – f8b329fc1f4d50f5509a72c1f630155538f4d2c6e49b80ce4841fada6547c4bd

 

C&Cs

182.56.5.227

222.122.31.115

66.99.86.8

210.61.8.12

62.215.99.90

 

By Jay Rosenberg

Jay Rosenberg is a self-taught reverse engineer from a very young age (12 years old), specializing in Reverse Engineering and Malware Analysis. Currently working as a Senior Security Researcher in Intezer.

Share:
FacebookTwitterLinkedIn

Register to our free community

© Intezer.com 2017 All rights reserved