Description
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).
Techniques Used (TTPs)
- T1059.003 — Windows Command Shell (execution)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1202 — Indirect Command Execution (defense-evasion)
- T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
- T1001.003 — Protocol or Service Impersonation (command-and-control)
- T1584.004 — Server (resource-development)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1218.005 — Mshta (defense-evasion)
- T1010 — Application Window Discovery (discovery)
- T1587.001 — Malware (resource-development)
- T1134.002 — Create Process with Token (defense-evasion, privilege-escalation)
- T1021.004 — SSH (lateral-movement)
- T1098 — Account Manipulation (persistence, privilege-escalation)
- T1564.001 — Hidden Files and Directories (defense-evasion)
- T1485 — Data Destruction (impact)
- T1591 — Gather Victim Org Information (reconnaissance)
- T1106 — Native API (execution)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1027.009 — Embedded Payloads (defense-evasion)
- T1012 — Query Registry (discovery)
- T1090.002 — External Proxy (command-and-control)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
- T1104 — Multi-Stage Channels (command-and-control)
- T1046 — Network Service Discovery (discovery)
- T1005 — Data from Local System (collection)
- T1489 — Service Stop (impact)
- T1016 — System Network Configuration Discovery (discovery)
- T1588.004 — Digital Certificates (resource-development)
- T1573.001 — Symmetric Cryptography (command-and-control)
- T1082 — System Information Discovery (discovery)
- T1033 — System Owner/User Discovery (discovery)
- T1620 — Reflective Code Loading (defense-evasion)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1102.002 — Bidirectional Communication (command-and-control)
- T1560 — Archive Collected Data (collection)
- T1203 — Exploitation for Client Execution (execution)
- T1059.001 — PowerShell (execution)
- T1566.002 — Spearphishing Link (initial-access)
- T1074.001 — Local Data Staging (collection)
- T1036.003 — Rename Legitimate Utilities (defense-evasion)
- T1047 — Windows Management Instrumentation (execution)
- T1071.001 — Web Protocols (command-and-control)
- T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay (credential-access, collection)
- T1057 — Process Discovery (discovery)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1589.002 — Email Addresses (reconnaissance)
- T1561.001 — Disk Content Wipe (impact)
- T1491.001 — Internal Defacement (impact)
- T1588.002 — Tool (resource-development)
- T1547.009 — Shortcut Modification (persistence, privilege-escalation)
- T1059.005 — Visual Basic (execution)
- T1542.003 — Bootkit (persistence, defense-evasion)
- T1218.011 — Rundll32 (defense-evasion)
- T1583.006 — Web Services (resource-development)
- T1056.001 — Keylogging (collection, credential-access)
- T1571 — Non-Standard Port (command-and-control)
- T1132.001 — Standard Encoding (command-and-control)
- T1189 — Drive-by Compromise (initial-access)
- T1110.003 — Password Spraying (credential-access)
- T1204.002 — Malicious File (execution)
- T1553.002 — Code Signing (defense-evasion)
- T1218 — System Binary Proxy Execution (defense-evasion)
- T1560.002 — Archive via Library (collection)
- T1027.007 — Dynamic API Resolution (defense-evasion)
- T1070.004 — File Deletion (defense-evasion)
- T1090.001 — Internal Proxy (command-and-control)
- T1008 — Fallback Channels (command-and-control)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1561.002 — Disk Structure Wipe (impact)
- T1583.001 — Domains (resource-development)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1566.003 — Spearphishing via Service (initial-access)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1070 — Indicator Removal (defense-evasion)
- T1083 — File and Directory Discovery (discovery)
- T1574.013 — KernelCallbackTable (persistence, privilege-escalation, defense-evasion)
- T1055.001 — Dynamic-link Library Injection (defense-evasion, privilege-escalation)
- T1585.001 — Social Media Accounts (resource-development)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1529 — System Shutdown/Reboot (impact)
- T1124 — System Time Discovery (discovery)
- T1036.004 — Masquerade Task or Service (defense-evasion)
- T1070.006 — Timestomp (defense-evasion)
- T1070.003 — Clear Command History (defense-evasion)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1543.003 — Windows Service (persistence, privilege-escalation)
- T1021.002 — SMB/Windows Admin Shares (lateral-movement)
- T1585.002 — Email Accounts (resource-development)
- T1049 — System Network Connections Discovery (discovery)
- T1560.003 — Archive via Custom Method (collection)
Total TTPs: 92
Malware & Tools
Malware: AppleJeus, AuditCred, BADCALL, BLINDINGCAN, Bankshot, Cryptoistic, Dacls, Dtrack, ECCENTRICBANDWAGON, FALLCHILL, HARDRAIN, HOPLIGHT, HotCroissant, KEYMARBLE, MagicRAT, Proxysvc, RATANKBA, TAINTEDSCRIBE, TYPEFRAME, ThreatNeedle, Volgmer, WannaCry