In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware.
This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in the internal network, and also using vulnerable drivers to disable anti-malware software.
Initial Compromise
The attacker uses the watering hole method to infiltrate the target system. After hacking into a Korean website, they manipulate the content of the website. Seeing that this is only activated when accessing the website from certain IPs, it is deemed that specific corporations or organizations are being targeted.
When a user PC using a vulnerable INISAFECrossWebEX accesses the website through a web browser, the Lazarus malware (SCSKAppLink.dll) is downloaded from the malware distribution website and executed via the INISAFECrossWebEXSvc.exe vulnerability.
Because a version of the INISAFECrossWebEXSvc.exe process which is vulnerable to malware infection is being exploited, PCs that use this software must have the latest patch applied, and if not in use, delete the software.
Accessing the Internal System
Exploiting the MagicLine4NX Vulnerability
The attacker uses the vulnerability of MagicLine4NX (a solution that performs the feature of certificate verification and encryption and decryption of electronic signatures and data) to gain access to the internal system.
In MagicLine4NX 1.0.0.17 or earlier versions, there exists a CVE-2021-26606 vulnerability (https://krcert.or.kr/data/secInfoView.do?bulletin_writing_sequence=36173). This vulnerability is a buffer overflow vulnerability, where an arbitrary command can be sent remotely and inflict damage such as malware infection.
The attacker uses the MagicLine4NX process to inject a malicious thread into ftp.exe to perform malicious behaviors. ftp.exe is used, because MagicLine4NX has a feature to call input applications according to protocols (http, ftp), and as this feature is used in vulnerability attacks, it is likely that a malicious thread is injected into ftp.exe.
According to the Symantec blog post (Lazarus Targets Chemical Sector, Apr 14, 2022 https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical), it has been identified that the Lazarus group uses WMI to call MagicLine4NX from a remote system before injecting a malicious thread.
The attacker exploits vulnerable MagicLine4NX to dominate the system in the internal network, so users who are using MagicLine4NX 1.0.0.17 or earlier must update it to the latest version.
RDP Access
The attacker also uses RDP to access the internal system. After gaining access, they perform the following malicious behaviors.
First, a backdoor is generated to maintain control and allows the TCP 60012 port in the host firewall, through which the backdoor will communicate. Afterward, the backdoor file is created and registered as a service to maintain control. Then, the rootkit malware along with vulnerable DLL and drivers are created to disable security software.
Accessing SSH
The attacker also attempts to log in to the SSH server of systems in the internal network with a root account.
Disabling V3 via Malware
Using the BYOVD Method
In order to disable the security software of the system, the attacker uses the BYOVD (Bring Your Own Vulnerable Driver, an attack using vulnerable driver modules) technique. BYOVD is a method of attack that exploits vulnerable driver modules of hardware supply companies. As it allows reading from and writing on the kernel memory area using the driver’s privilege, it can disable all monitoring programs in the system, including security software.
The disabling of security software using rootkit is covered in detail in the AhnLab ASEC blog post of September 22nd, “Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD” (https://asec.ahnlab.com/en/38993/).
Process of Disabling Anti-Malware Programs
- MagicLine4NX injects a malicious thread into ftp.exe.
- Ftp.exe creates the rootkit file.
- The rootkit creates vulnerable DLL and driver files, and registers them as a service.
- The rootkit loads the vulnerable DLL to pass the driver caller verification and obtains God Mode.
- In God Mode, the kernel area memory is modified, disabling the anti-malware programs.
Changes to the Operating Method of Rootkit
It has been identified that the attacker uses various methods to activate rootkit.
- Malicious behaviors are performed with the rootkit malware module loaded onto a running process
- The rootkit malware directly performs the malicious behaviors as an independent process
It seems that the attacker is constantly improving their attack techniques.
Detecting and Blocking Behaviors that Disable Anti-Malware Programs
The process above that disables anti-malware programs is blocked by V3 as follows, so systems using V3 must have the “Behavior-based Detection” enabled in V3.
- InitialAccess/MDP.Event.M4419 (2022.09.21.01)
- InitialAccess/MDP.Event.M4422 (2022.08.08.02)
Malware Used by the Attacker
List of Normal Files or Exploited Files
Malware List
[Vulnerability Information]
[File Detection]
- Downloader/Win.LazarAgent (2022.05.04.02)
- Backdoor/Win.Lazardoor (2022.07.06.00)
- Downloader/Win.LazarShell (2022.05.04.02)
- Trojan/Win.Lazardoor (2022.05.04.02)
- Trojan/Win.LazarLoader (2022.06.22.03)
- Trojan/Win.LazarLoader (2022.07.11.03)
- Data/BIN.EncPe (2022.09.07.00)
- Trojan/Win.LazarLoader (2022.09.07.00)
- Backdoor/Win.Lazardoor (2022.09.07.00)
- Data/BIN.EncodedPE (2022.09.07.00)
- Trojan/Win.LazarLoader (2022.09.07.00)
- Trojan/Win.Lazardoor (2022.08.02.03)
- Rootkit/Win.Agent (2022.08.02.03)
- Trojan/Win.Agent (2022.09.16.02)
- Data/BIN.Encoded (2022.10.05.00)
- Data/BIN.Encoded (2022.10.05.00)
[File MD5]
- 8F39A7AFA14541B709FE950D06186944
- CA6C08B58A35D7FA581DFB419CE5B881
- 1EDBD7AA68B1818A1EA98C0362CE84C7
- 4D91CD34A9AAE8F2D88E0F77E812CEF7
- FA868A38CEEB46EE9CF8BD441A67AE27
- 43F218D3A4B2199468B00A0B43F51C79
- 1F1A3FE0A31BD0B17BC63967DE0CCC29
- B457E8E9D92A1B31A4E2197037711783
- 202A7EEC39951E1C0B1C9D0A2E24A4C4
- 97BC894205D696023395CBD844FA4E37
- CA9B6B3BCE52D7F14BABDBA82345F5B1
- 013B4C4E9387D8FE1EAB738C42C451DA
- 98E58A39EDE26AF7980ED4DE2873CAAB
- 8DA35C64FFBFE33A3435A3E8DC1A5A42
- C16A6178A4910C6F3263A01929F306B9
- 8543667917A318001D0E331AEAE3FB9B
[IP/URL]
Aside from strivemktsupporters[.]com(3.39.208.187), the following IPs are normal websites that have been used by the attacker as C2 but are still in service.
- hxxps://strivemktsupporters[.]com
- 3.39.208.187
- 222.118.225.33
- 211.110.1.17
- 20.194.29.89
- 119.207.79.175
- 61.100.5.186
- 110.10.189.167
- 14.63.165.32
- 211.110.1.93
- 182.252.138.31
- 114.207.112.19
- 203.233.72.35
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Source: https://asec.ahnlab.com/en/40830/