Operation BlockBuster unveils the actors behind the Sony attacks

February 24, 2016 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Today, a coordinated coalition involving AlienVault and several other security companies led by Novetta is announcing Operation BlockBuster. This industry initiative was created to share information and potentially disrupt the infrastructure and tools from an actor named the Lazarus Group. The Lazarus Group has been responsible for several operations since at least 2009, including the attack that affected Sony Pictures Entertainment in 2014.

Part of our research on this actor was presented at the Kaspersky Security Analyst Summit (SAS) in Tenerife, Spain on February 9th, 2016 as a joint talk between AlienVault and Kaspersky’s Global Research and Analysis Team.

In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers including:

Besides several campaigns were the Lazarus group has utilized wipers to perform destructive attacks, they have also been busy using the same tools to perform data theft and cyber espionage operations.

Today, as part of the Operation BlockBuster release, we want to share some of our findings and TTP’s from the Lazarus Group that allowed us to link and attribute all the campaigns and tools into the same cluster of activity. We highly recommend that you read the comprehensive report Novetta published today http://operationblockbuster.com [no longer available] that includes details on the project’s scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group’s actions.

Encryption/Shared keys

One of the key findings that gave us the opportunity to link several families to the same actors was finding a dropper that the attackers use. This dropper contains a compressed resource (ZIP) with the name “MYRES” that is protected by a password. The attackers have reused the same password in different occasions and we were able to find droppers containing different families used by the group.

This actor also reuses the code libraries they utilize to perform RSA encryption. We were also able to find the exact same public key in multiple variants.

Batch scripts

This actor often uses BAT files that share the same skeleton in order to delete the initial files after infection.

We have seem them reuse this technique across multiple droppers and payloads.

Obfuscation functions

The Lazarus Group uses a few different methods to obfuscate API functions and dynamically load them. One of them consist on using a simple XOR schema.


You can find other examples of API function obfuscation in the Novetta http://operationblockbuster.com [no loner available] report.

Network communications

This actor has different malware families in their toolset that implement a similar C&C protocol. The protocol looks like TLS but it is in fact a “fake” TLS protocol that mimics it.

One of the characteristics we have identified is how they choose the values for certain fields when generating “TLS” packets, especially the ClientHello packet.

We have identified different families exhibiting slightly different behaviors:

  • Using a static “Server Name” extension in the client_hello packet: “~!@#$%^&*()”

  • Choosing between “www.amazon.com” and “www.google.com” for the “Server Name” value.
  • Randomly choosing one of the following items for the “Server Name” value (this list can vary across different samples):

wwwimages2.adobe.com

www.paypalobjects.com

www.paypal.com

www.linkedin.com

www.apple.com

www.amazon.com

www.adobetag.com

windowslive.tt.omtrdc.net

verify.adobe.com

us.bc.yahoo.com

urs.microsoft.com

supportprofile.apple.com

support.oracle.com

support.msn.com

startpage.com

sstats.adobe.com

ssl.gstatic.com

ssl.google-analytics.com

srv.main.ebayrtm.com

skydrive.live.com

signin.ebay.com

securemetrics.apple.com

secureir.ebaystatic.com

secure.skypeassets.com

secure.skype.com

secure.shared.live.com

secure.logmein.com

sc.imp.live.com

sb.scorecardresearch.com

s1-s.licdn.com

s.imp.microsoft.com

pixel.quantserve.com

p.sfx.ms

mpsnare.iesnare.com

login.yahoo.com

login.skype.com

login.postini.com

login.live.com

l.betrad.com

images-na.ssl-images-amazon.com

fls-na.amazon.com

extended-validation-ssl.verisign.com

daw.apple.com

csc.beap.bc.yahoo.com

by.essl.optimost.com

b.stats.ebay.com

apps.skypeassets.com

api.demandbase.com

ad.naver.com

accounts.google.com

On the other hand, most of the samples we have analyzed communicate with IP addresses that are part of compromised infrastructure. Since the attackers don’t leverage domain names for C2 it makes it hard to pivot using whois data, and passive DNS. In addition, there is no way to sinkhole since there is no domain infrastructure.

Another example is the use of user-agent values that contain the misspelled “Mozillar” string.

Hangul HWP Document Exploits

Hangul is an office suite and word processing application mainly used in South Korea, especially in the government.

We have observed this actor launching spearphishing campaigns with malicious HWP documents as attachments.

An example is a campaign that was launched on September 2015 that used a zeroday vulnerability (CVE-2015-6585) in the Hangul Word processor which was reported by FireEye.

Based on obtained samples and decoy documents we observed that they were likely targeting a wide range of victims including government, industrial and political entities.


Sample decoy documents

Fake installers

It appears another vector the Lazarus Group uses to infect victims is distributing backdoored software. We have found a few samples using this technique but it is not quite clear to us how they were distributing the files.

An example is a backdoored version of a Remote Desktop Client:


Indicators of Compromise

As part of Operation BlockBuster, Novetta is sharing Yara rules and IOC’s that you can find at the following website:

Operation BlockBuster http://www.operationblockbuster.com/resources/index.html [no longer available]

In addition to that we are making the indicators of compromise available in our Open Threat Exchange:

https://otx.alienvault.com/pulse/56cdb68f4637f27567167dce/

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

TAGS:

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL CHAT