Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

How the Lazarus Group Targets Fintech

07 maart 2023

door NCC Group

In this article

  • NCC Group has identified a cyber campaign targeting fintech companies and attributes it to the North Korean threat actor Lazarus.

  • The goals are unclear, but the activities suggest that cyber espionage is the primary motivation for the group.

  • This article offers a run-down of the Lazarus group’s modus operandi on this fintech campaign.

During the past 18 months, NCC Group’s CIRT team and Research and Intelligence Fusion Team have identified a campaign targeting companies in the financial sector across the globe, which we attribute with high confidence to the Lazarus group, a North Korean threat actor. Learn more about the Lazarus group in our portrait here

Cyber espionage appears to be the primary motivation behind this campaign, and we have not observed activities indicating intent to extort or sabotage the victims. Most of the companies targeted are involved in financial technology (fintech) innovation or stock market trading. The type of businesses targeted might indicate interest in, for instance, cryptocurrency, crypto tokens, sensitive data, or algorithms for the perpetrator’s financial benefit.

Initial access: Getting in with phishing

The threat actor primarily used phishing to gain credentials of user accounts at target businesses. The phishing quality was relatively high compared to other phishing activities we observe, suggesting the threat actor had invested considerable time to maximize their chances of success. If you want to learn more about various phishing techniques, check out this blog post.

We uncovered technical artifacts that indicated that the threat actor could circumvent two-factor authentication by stealing session tokens. This technique manifested itself as a legitimate user login, including two-factor authentication followed shortly after that by another successful login from a different IP address that skipped the two-factor authentication by presenting the valid session token from the first login. Our findings include previously unreported tools for stealing session tokens from web browsers, which we believe the threat actor used for this two-factor authentication bypass.

In one case, a personal device running Windows 10, not managed by the victim business, appears to have been used as a staging point for the session token and user credential theft mentioned earlier. The personal device was out of scope of our investigation due to privacy concerns, so we have not been able to determine whether that was part of an elaborate plan of attack or merely a coincidental non-targeted infection the threat actor was able to leverage. 

Get monthly updates on the latest threat intel straight in your inbox.

Sign up for our Threat Pulse newsletter.

Next up: Privilege escalation

We observed two noteworthy privilege escalation techniques in this campaign.

We found traces indicating the threat actor achieved privilege escalation through DLL hijacking on Windows hosts. The threat actor applied a combination of the IKEEXT service and the VIAGLT64.SYS driver, which is known to be vulnerable, as noted in CVE-2017-16237.

The threat actor also modified the registry on Windows systems to enable the WDigest authentication provider, causing passwords to be stored in memory in plaintext form, making it easier to harvest those credentials.

Maintaining foothold: Persistence techniques

We observed the threat actor using two common persistence techniques. The first was the creation of scheduled tasks to execute malicious binaries at regular intervals. The second was the configuration of Windows hosts to start compromised services at each system restart automatically.

Circumventing detection: Defense evasion techniques

Besides common methods of blending in with regular activity on the victims’ networks, including the use of valid accounts and already present tools such as SSH, the threat actor employed several noteworthy defense evasion techniques.

 

We found a custom tool for selectively wiping individual log entries from log files if they contain a given IP address on Linux systems. This tool allows the adversary to efficiently remove traces of network activity in bulk, such as connections to and from C2 servers.

 

On Windows systems, we observed the threat actor modifying Microsoft Defender for Endpoint’s settings to exclude scanning of the entire C: drive. That modification effectively excludes all files on the operating system’s primary file system from being scanned and blocked even if they are malicious or suspicious.

Command-and-control: Here come the RATs (Remote Access Trojans)

The threat actor used several custom Remote Access Trojans (RATs) to perform activities on compromised hosts. The RATs that we analyzed all appeared to be members of a cross-platform malware family, indicated by their large functional overlap, code similarities, and nonfunctional code remnants after porting from one operating system to another.

The RATs implement a command-and-control protocol similar to one we uncovered during an unrelated campaign we attributed to Lazarus in 2016. They use HTTPS as a base communication channel and add an extra layer of custom encryption.

Time for exfiltration

We found command-and-control commands showing that the attackers were actively browsing folders and retrieving files, including network security information. We used Windows’ system resource utilization monitor (SRUM) to identify the activity of malicious binaries. SRUM tracks network usage of processes, among other things. SRUM does not seem to be used often by incident response teams, but with this tool, we could determine connections to the attackers’ identified command and control hosts and the amount of data sent and received.

The work of the Lazarus group

We attribute this cluster of activity to the Lazarus group with high confidence based on a combination of indicators, two of which we can share here. One of them is the strong overlap between the code in these malware samples and the previously identified code that originated from an earlier Lazarus campaign.

The filenames of the command-and-control server are another indicator. They were either the same or had apparent similarities to those reported by KrCERT (Korean Computer Emergency Response Team) related to Operation Bookcodes which Kaspersky attributed to the Lazarus group in their Q2 2020 APT Trends report.

The MO is clear, but what about the goals?

One of the most challenging things in cybersecurity is to detect precisely what data has been copied and siphoned off; after all, nothing has disappeared. It is also impossible to say with certainty what the attackers were after. As indicated, we also had to assume in some cases what the threat actor had done to penetrate certain defenses.  

The attackers’ goal remains unclear. Some of the businesses affected by this Lazarus campaign are active in cryptocurrency trading, so it may be possible that the attackers were after crypto assets. However, our investigation did not reveal any evidence of this.

Another possibility is that they wanted to steal the targets’ trading algorithms. However, our investigation found no clues of that either, and we have never been able to link Lazarus to crypto market manipulation. The question, moreover, is how those trading algorithms would help Lazarus - or, more broadly, North Korea. After all, Lazarus would have to work through third parties to be able to manipulate trades. The crypto markets are large, the algorithms are relatively generic, and the effects of manipulation would probably be small. 

In this case, it is also conceivable that Lazarus could have siphoned off data about the target businesses’ networks. For example, data about what equipment is running and which vendors provide the equipment. This might be valuable information if the attackers want to come back at a later stage, for example if they think that the business in question will engage in interesting crypto activities in the future. 

Want to know how best to prevent a Lazarus-style attack?

Read our recommendations in our blog post or watch our Threat Monitor webinar where we shine a light on the Lazarus group.