Lazarus’s Shadow: Identifying Six North Korean Threat Groups


Lazarus Group, a notorious Advanced Persistent Threat (APT) group, has been linked to the North Korean government and its intelligence agency. This group has engaged in a wide range of cybercriminal activities since 2009, targeting critical infrastructure, financial institutions, and corporations.
Six Threat Groups under the Lazarus Umbrella
Recent research by Palo Alto Networks has identified six distinct threat groups operating under the Lazarus umbrella:

  • Alluring Pisces (Bluenoroff)
  • Gleaming Pisces (Citrine Sleet)
  • Jumpy Pisces (Andariel)
  • Selective Pisces (TEMP.Hermit)
  • Slow Pisces (TraderTraitor)
  • Sparkling Pisces (Kimsuky)
Malware Arsenal
These North Korean threat groups have developed a sophisticated malware arsenal that targets multiple platforms, including Windows, macOS, and Linux. Notable malware families include:
  • RustBucket: A multi-stage macOS backdoor using AppleScript, Swift/Objective-C, and Rust
  • KANDYKORN: A five-stage macOS infection chain using Python scripts, SUGARLOADER, and HLOADER
  • OdicLoader: A Linux ELF downloader disguised as a PDF using Unicode character U+2024
  • CollectionRAT: A Windows RAT using the Microsoft Foundation Class library
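The OdicLoader entry above describes a Linux ELF named so that U+2024 (ONE DOT LEADER) stands in for the real dot before "pdf". The following is an added detection example, not code from the article or from Palo Alto Networks: it flags filenames whose visible document extension is preceded by a dot lookalike, and cross-checks the file's first bytes for an ELF header. U+2024 is the character the page names; the other lookalike characters, the extension list, and the sample files are assumptions constructed for the example.

```python
import unicodedata

# U+2024 is the character the page names for OdicLoader; the other entries are
# further dot lookalikes added here as an assumption, not taken from the report.
DOT_LOOKALIKES = {"\u2024", "\u2025", "\uFF0E", "\u00B7"}

# Document extensions a loader might impersonate (constructed list).
DOC_EXTENSIONS = {"pdf", "doc", "docx", "txt", "hwp", "xls"}

ELF_MAGIC = b"\x7fELF"


def fake_extension(name: str):
    """Return (lookalike, apparent_ext) when the 'dot' before the visible
    extension is a lookalike rather than an ASCII '.', else None."""
    for ch in DOT_LOOKALIKES:
        if ch not in name:
            continue
        ext = name.rsplit(ch, 1)[1].lower()
        if ext in DOC_EXTENSIONS:
            return ch, ext
    return None


def is_elf(head: bytes) -> bool:
    """True when the file begins with the ELF magic bytes."""
    return head[:4] == ELF_MAGIC


def assess(name: str, head: bytes) -> list:
    """Findings for one file, given its name and its first bytes."""
    findings = []
    fake = fake_extension(name)
    if fake:
        ch, ext = fake
        findings.append(
            f"extension '.{ext}' faked with U+{ord(ch):04X} ({unicodedata.name(ch)})")
    if is_elf(head):
        findings.append("ELF magic bytes")
    return findings


# Constructed samples: one lure named like OdicLoader's disguise, one real PDF.
SAMPLES = [
    ("Quarterly_Report\u2024pdf", b"\x7fELF\x02\x01\x01\x00"),
    ("Quarterly_Report.pdf", b"%PDF-1.7\n"),
]


def scan(samples=SAMPLES) -> dict:
    """Map each filename to its findings, keeping only files that have any."""
    return {n: f for n, h in samples if (f := assess(n, h))}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "->", "; ".join(findings))
```

On a real host the same check can be run over a directory listing, reading only the first four bytes of each file.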
Command and Control
The malware families employed by Lazarus Group utilize advanced techniques such as reflective loading, multi-stage payloads, and encrypted command and control (C2) communication. For instance, Comebacker uses HTTP POST requests with randomly generated parameter names for C2, while PondRAT targets both macOS and Linux systems.
High-Profile Attacks
Groups associated with Lazarus Group, such as Alluring Pisces (APT38), Gleaming Pisces, and Selective Pisces (ZINC), have executed high-profile attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware campaign.
Mitigations
To mitigate threats from Lazarus Group and other state-sponsored cyber actors, organizations should implement several security measures:
  • Regular security assessments
  • Endpoint protection and monitoring
  • Physical barriers for data networks
  • Multi-schema support
  • Comprehensive cyber strategies
  • Ongoing security training for staff
Conclusion
Lazarus Group remains a significant cybersecurity threat, with its sophisticated malware and targeted attacks. By understanding the threat landscape and implementing robust cybersecurity measures, organizations can protect themselves from these malicious actors.
