Lazarus

Lazarus Group Uses the DLL Side-Loading Technique (mi.dll)

While tracking the Lazarus attack group, the ASEC analysis team discovered that the attackers were using the DLL Side-Loading attack technique (T1574.002) by abusing legitimate applications in the initial compromise stage to achieve the next stage of their attack process. https://attack.mitre.org/techniques/T1574/002/ The DLL Side-Loading attack technique saves a legitimate application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. In other words, it is a malware…

Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD

Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries. AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process…

Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped)

In December last year, the vulnerability (CVE-2021-44228) of Java-based logging utility Log4j became a worldwide issue. It is a remote code execution vulnerability that can include the remote Java object address in the log message and send it to the server using Log4j to run the Java object in the server. The ASEC analysis team is monitoring the Lazarus group’s attacks on targets in Korea. In April, the team discovered an attack group suspected of being Lazarus distributing NukeSped by…

New Malware of Lazarus Threat Actor Group Exploiting INITECH Process

The AhnLab ASEC analysis team has discovered that there are 47 companies and institutions—including defense companies—infected with the malware distributed by the Lazarus group in the first quarter of 2022. Considering the severity of the situation, the team has been monitoring the infection cases. In systems of the organizations infected with the malware, it was found that malicious behaviors stemmed from the process of INITECH (inisafecrosswebexsvc.exe), the security company. The team initially secured the following information of inisafecrosswebexsvc.exe from the…

Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

This document is an analysis report on types of malware recently utilized by the Kimsuky group. The Kimsuky group is mainly known for launching social engineering attacks such as spear phishing. Judging by the names of the attached files, the group seems to be targeting those working in the fields related to North Korea and foreign affairs. According to the scan logs of AhnLab’s ASD infrastructure, the threat group has been mainly targeting personal users rather than companies, but has…