ESET: Cybergroup Lazarus switched to Central America
Lazarus gained fame after a cyber attack on Sony Pictures Entertainment in 2014. In 2017, the group remains active using a wide range of malicious tools, including the KillDisk viper.
Our study found that Lazarus was very likely behind the attack on online casinos in Central America and some other targets at the end of 2017. In these incidents, attackers used the same tools, including KillDisk, which ran on compromised devices.

Lazarus hackers were first identified in a Novetta Operation Blockbuster report in February 2016; US CERT and the FBI called this cybergroup Hidden Cobra . The group became widely known after the attack on Sony Pictures Entertainment .
Subsequent attacks related to Lazarus attracted the attention of information security experts who relied on Novetta materials and other studies - hundreds of pages of descriptions of attacking tools: attacks on Polish and Mexican banks , the WannaCry epidemic , phishing attacks on US Department of Defense contractorset al. All of these studies identify Lazarus as a source of attacks.
Please note that the list of Lazarus tools (all files that information security experts associate with the group’s activity) is quite wide, and we believe that there are many of their subfamilies. Unlike the toolkits used by other cybergroups, the source code of Lazarus tools was never revealed as a result of a public leak.
In addition to special programs, Lazarus use projects available on GitHub or provided on a commercial basis.
In this section, we will look at some of the tools found on the servers and workstations of the online casino network in Central America and explain how they established their connection with Lazarus. ESET antivirus products detect group malware like Win32 / NukeSped and Win64 / NukeSped. They were used in conjunction with the KillDisk destructive software samples.
Almost all of these tools are designed to run as a Windows service. To do this, you need administrator rights, which means that attackers must have these rights during development or compilation.
The
Win64 / NukeSped.W TCP backdoor is a console application installed as a service on the system. One of the first steps in the execution is to dynamically load the required DLL names onto the stack:

Similarly, procedure names for the Windows API are built dynamically. In this particular pattern, they are visible in plain text; in other past samples that we analyzed, they were encoded in base64, encrypted, or placed on the stack character-by-character:

These signs are typical features of Lazarus malware. Another typical characteristic of the Lazarus backdoor is also visible in this backdoor: it listens to a specific port, which is an indicator of blocking by the firewall: The

backdoor supports 20 commands, the functionality of which is similar to the previously analyzed Lazarus samples (note that the command names here were not set by the attackers, but were created by the virus ESET Analyst):

The backdoor creates several files in the file system. The listening port is stored in a text file with the name

In the case of the "+" option, the output data
Session
Hacker The Win64 / NukeSped.AB console application creates a process on behalf of another user currently logged into the victim's system (similar to command number 17 from the previously described TCP backdoor).
This is the Themida protected version described by Kaspersky Lab. In our case, it was set as
A static view shows the same file properties in both of these samples: the same PE compilation timestamp, identical Rich Header linker data (pointing to the Visual Studio 2010 linker (10.00)), and part of the resource version information is the same:

Although the PE timestamp and resources are stolen from a legitimate Microsoft file
Our consistent dynamic analysis confirmed that this file, found in a compromised online casino network, is associated with a session cracker used in attacks on Polish and Mexican sites.
Bootloader / installer
This is a simple command line tool that accepts several options. It is designed to work with processes (inject / delete a process using a PID or name), services (terminate / reinstall a service) or files (reset / delete). Functionality is determined by the parameters.
KillDisk is the general name by which ESET products detect destructive malware with the function of erasing the disk - damage to boot sectors and overwriting, and then deleting (system) files, followed by a reboot, which makes the device unusable.
Despite the fact that all versions of KillDisk have similar functions, the code base of the samples does not always match. KillDisk has many subfamilies whose names differ by suffixes (in our case, Win32 / KillDisk.NBO). Variants of subfamilies with common code fragments are sometimes used in different cyber campaigns, which may indicate a common source of attacks, as in this case.
Other versions of KillDisk were used in targeted attacks on Ukrainian targets in December 2015 and December 2016., but these samples belong to other subfamilies and, most likely, are not related to new attacks.
Studying the incident in Central America, we found two variants of Win32 / KillDisk.NBO in a compromised network. More than a hundred machines in the organization were infected with malware. There are several possible explanations for its appearance: attackers could hide traces after the attack, or use KillDisk for extortion or cyber-sabotage. In any case, this is a large-scale infection within one organization.
Our telemetry data, as well as the simultaneous use of versions of Win32 / KillDisk.NBO and other well-known Lazarus tools in a compromised network, indicate that it was the Lazarus hackers who deployed KillDisk, and not some other cybergroup.
The analysis of the two samples showed that they have many common code fragments. In addition, they are almost identical to the version of KillDisk that was used in attacks on Latin American financial institutions studied by Trend Micro .
The KillDisk samples found on the online casino network use the following path: The
actual built-in payload is injected into the system process

One of the options is protected by commercial third-generation VMProtect, which makes unpacking difficult. Most likely, the attackers did not buy a VMProtect license, but used available pirated or leaked copies on the Internet. The use of software protection tools is typical for the Lazarus group: in attacks on Polish and Mexican banksin February 2017, they used the Enigma Protector; some Operation Blockbuster samples reported by Palo Alto Networks used an older version of VMProtect.
Typical Lazarus String Format
Among the many characteristics that allow us to attribute the authorship of the samples and the origin of the attacks to the Lazarus group, the string format should be noted. The table below shows the formatted strings found in the above samples, as well as in other TCP backdoors associated with Lazarus:

This fact alone cannot be evidence, but looking for similar string formatting in all samples of malware compiled by ESET, we found them only in samples presumably related to Lazarus. Therefore, we can assume that the presence of these lines indicates authorship of Lazarus.
There are at least two available tools that attackers have used.
Browser Password Dump
This tool is designed to recover passwords from popular web browsers. Since December 2014, he has been using old, well-known methods. It can be used in the latest versions of Google Chrome (64.0.3282.186), Chromium (67.0.3364.0), Microsoft Edge (41.16299.15.0) and Microsoft Internet Explorer (11.0.9600.17843). It is not compatible with the latest versions of Firefox or Opera.

Mimikatz
Attackers also used a modified version of the Mimikatz tool, designed to extract Windows credentials. It takes one parameter - the name of the file to store the output. If not specified, an output file called

Most of the tools described above were downloaded and installed on workstations using malicious droppers and bootloaders used in the initial stages of the attack. In addition, we saw indicators indicating the use of remote access tools, including Radmin 3 and LogMeIn, to monitor target devices.
A recent attack on an online casino in Central America suggests that Lazarus hackers will recompile the tools before each new campaign (we have not seen identical samples elsewhere). It was a complex multi-stage attack, in which dozens of protected tools were used, which, being autonomous, were unlikely to demonstrate such dynamics.
The use of KillDisk most likely served one of two purposes: attackers hid the traces after the espionage operation, or used destructive software to extort or sabotage. In any case, the detection of malware on more than 100 workstations and servers of the organization indicates significant resources spent by attackers.
Our study found that Lazarus was very likely behind the attack on online casinos in Central America and some other targets at the end of 2017. In these incidents, attackers used the same tools, including KillDisk, which ran on compromised devices.

Lazarus Tools
Lazarus hackers were first identified in a Novetta Operation Blockbuster report in February 2016; US CERT and the FBI called this cybergroup Hidden Cobra . The group became widely known after the attack on Sony Pictures Entertainment .
Subsequent attacks related to Lazarus attracted the attention of information security experts who relied on Novetta materials and other studies - hundreds of pages of descriptions of attacking tools: attacks on Polish and Mexican banks , the WannaCry epidemic , phishing attacks on US Department of Defense contractorset al. All of these studies identify Lazarus as a source of attacks.
Please note that the list of Lazarus tools (all files that information security experts associate with the group’s activity) is quite wide, and we believe that there are many of their subfamilies. Unlike the toolkits used by other cybergroups, the source code of Lazarus tools was never revealed as a result of a public leak.
In addition to special programs, Lazarus use projects available on GitHub or provided on a commercial basis.
Lazarus online casino attack tools
In this section, we will look at some of the tools found on the servers and workstations of the online casino network in Central America and explain how they established their connection with Lazarus. ESET antivirus products detect group malware like Win32 / NukeSped and Win64 / NukeSped. They were used in conjunction with the KillDisk destructive software samples.
Almost all of these tools are designed to run as a Windows service. To do this, you need administrator rights, which means that attackers must have these rights during development or compilation.
The
Win64 / NukeSped.W TCP backdoor is a console application installed as a service on the system. One of the first steps in the execution is to dynamically load the required DLL names onto the stack:

Similarly, procedure names for the Windows API are built dynamically. In this particular pattern, they are visible in plain text; in other past samples that we analyzed, they were encoded in base64, encrypted, or placed on the stack character-by-character:

These signs are typical features of Lazarus malware. Another typical characteristic of the Lazarus backdoor is also visible in this backdoor: it listens to a specific port, which is an indicator of blocking by the firewall: The

backdoor supports 20 commands, the functionality of which is similar to the previously analyzed Lazarus samples (note that the command names here were not set by the attackers, but were created by the virus ESET Analyst):

The backdoor creates several files in the file system. The listening port is stored in a text file with the name
%WINDOWS%\Temp\p
. The file %WINDOWS%\Temp\perflog.evt
contains a list of binary file paths for injection, execution, or writing to the registry, depending on the initial character of the string: 
In the case of the "+" option, the output data
cmd.exe / c «% s 2 »% s»
(or cmd.exe / c «% s »% s 2> и 1»
) is written to % WINDOWS% \ Temp \ perflog.dat
. Session
Hacker The Win64 / NukeSped.AB console application creates a process on behalf of another user currently logged into the victim's system (similar to command number 17 from the previously described TCP backdoor).
This is the Themida protected version described by Kaspersky Lab. In our case, it was set as
C:\ Users\public\ps.exe
. It has three parameters.A static view shows the same file properties in both of these samples: the same PE compilation timestamp, identical Rich Header linker data (pointing to the Visual Studio 2010 linker (10.00)), and part of the resource version information is the same:

Although the PE timestamp and resources are stolen from a legitimate Microsoft file
PREVHOST.EXE
from Windows 7 SP1, file link information is missing: the original Microsoft file was compiled and linked to Visual Studio 2008 (9.00). Our consistent dynamic analysis confirmed that this file, found in a compromised online casino network, is associated with a session cracker used in attacks on Polish and Mexican sites.
Bootloader / installer
This is a simple command line tool that accepts several options. It is designed to work with processes (inject / delete a process using a PID or name), services (terminate / reinstall a service) or files (reset / delete). Functionality is determined by the parameters.
KillDisk Versions
KillDisk is the general name by which ESET products detect destructive malware with the function of erasing the disk - damage to boot sectors and overwriting, and then deleting (system) files, followed by a reboot, which makes the device unusable.
Despite the fact that all versions of KillDisk have similar functions, the code base of the samples does not always match. KillDisk has many subfamilies whose names differ by suffixes (in our case, Win32 / KillDisk.NBO). Variants of subfamilies with common code fragments are sometimes used in different cyber campaigns, which may indicate a common source of attacks, as in this case.
Other versions of KillDisk were used in targeted attacks on Ukrainian targets in December 2015 and December 2016., but these samples belong to other subfamilies and, most likely, are not related to new attacks.
Studying the incident in Central America, we found two variants of Win32 / KillDisk.NBO in a compromised network. More than a hundred machines in the organization were infected with malware. There are several possible explanations for its appearance: attackers could hide traces after the attack, or use KillDisk for extortion or cyber-sabotage. In any case, this is a large-scale infection within one organization.
Our telemetry data, as well as the simultaneous use of versions of Win32 / KillDisk.NBO and other well-known Lazarus tools in a compromised network, indicate that it was the Lazarus hackers who deployed KillDisk, and not some other cybergroup.
The analysis of the two samples showed that they have many common code fragments. In addition, they are almost identical to the version of KillDisk that was used in attacks on Latin American financial institutions studied by Trend Micro .
The KillDisk samples found on the online casino network use the following path: The
C:\Windows\Temp\dimens.exe
actual built-in payload is injected into the system process
werfault.exe
: 
One of the options is protected by commercial third-generation VMProtect, which makes unpacking difficult. Most likely, the attackers did not buy a VMProtect license, but used available pirated or leaked copies on the Internet. The use of software protection tools is typical for the Lazarus group: in attacks on Polish and Mexican banksin February 2017, they used the Enigma Protector; some Operation Blockbuster samples reported by Palo Alto Networks used an older version of VMProtect.
Typical Lazarus String Format
Among the many characteristics that allow us to attribute the authorship of the samples and the origin of the attacks to the Lazarus group, the string format should be noted. The table below shows the formatted strings found in the above samples, as well as in other TCP backdoors associated with Lazarus:

This fact alone cannot be evidence, but looking for similar string formatting in all samples of malware compiled by ESET, we found them only in samples presumably related to Lazarus. Therefore, we can assume that the presence of these lines indicates authorship of Lazarus.
Additional tools
There are at least two available tools that attackers have used.
Browser Password Dump
This tool is designed to recover passwords from popular web browsers. Since December 2014, he has been using old, well-known methods. It can be used in the latest versions of Google Chrome (64.0.3282.186), Chromium (67.0.3364.0), Microsoft Edge (41.16299.15.0) and Microsoft Internet Explorer (11.0.9600.17843). It is not compatible with the latest versions of Firefox or Opera.

Mimikatz
Attackers also used a modified version of the Mimikatz tool, designed to extract Windows credentials. It takes one parameter - the name of the file to store the output. If not specified, an output file called
~Temp1212.tmp
stored in the same directory as Mimikatz. The output contains hashes of the Windows credentials of authorized users. The tool is often used in targeted attacks, in particular by the Telebots group in the Petya epidemic , as well as in Operation Buhtrap .
Infection vector
Most of the tools described above were downloaded and installed on workstations using malicious droppers and bootloaders used in the initial stages of the attack. In addition, we saw indicators indicating the use of remote access tools, including Radmin 3 and LogMeIn, to monitor target devices.
findings
A recent attack on an online casino in Central America suggests that Lazarus hackers will recompile the tools before each new campaign (we have not seen identical samples elsewhere). It was a complex multi-stage attack, in which dozens of protected tools were used, which, being autonomous, were unlikely to demonstrate such dynamics.
The use of KillDisk most likely served one of two purposes: attackers hid the traces after the espionage operation, or used destructive software to extort or sabotage. In any case, the detection of malware on more than 100 workstations and servers of the organization indicates significant resources spent by attackers.
Samples
429B750D7B1E3B8DFC2264B8143E97E5C32803FF Win32/KillDisk.NBO
7DFE5F779E46855B32612D168B9CC5334F25B5F6 Win32/KillDisk.NBO
5042C16076AE6346AF8CF2B40553EEEEA98D5321 Win64/NukeSped.W trojan (VMProtect-ed)
7C55572E8573D08F3A69FB15B7FEF10DF1A8CB33 Win64/NukeSped.W trojan (Themida-protected)
E7FDEAB60AA4203EA0FF24506B3FC666FBFF759F Win64/NukeSped.Z trojan (Themida-protected)
18EA298684308E50E3AE6BB66D7321A5CE664C8E Win64/NukeSped.Z trojan (VMProtect-ed)
8826D4EDBB00F0A45C23567B16BEED2CE18B1B6A Win64/NukeSped.AB trojan (Themida-protected)
325E27077B4A71E6946735D32224CA0421140EF4 Win64/Riskware.Mimikatz.A application
D39311C74DEB60C736982C1AB74D6684DD1E1264 Win32/SecurityXploded.T (VMProtect-ed)
E4B763B4E74DE3EF24DB6F19108E70C494CD18C9 Win32/SecurityXploded.T (Themida-protected)