
BSidesCharm 2023 - It’s all Magic(RAT) – A look into recent North Korean nation-state attacks

BSides Charm · 37:20 · 283 views · Published 2023-05 · Watch on YouTube
About this talk
This presentation will illustrate the entire cyber kill chain, hands-on-keyboard activity and corresponding MITRE ATT&CK mappings for a series of successful intrusions carried out by the North Korean APT group "Lazarus" against energy companies across the world. We also provide an analysis of MagicRAT and associated bespoke malware families used by the APT group.

Asheer Malhotra is a threat researcher specializing in malware analysis, reversing, detection technologies and threat disclosures within Cisco Talos. He has been researching malware threats for about a decade now at FireEye, Intel, McAfee and now at Talos. His key focus is tracking nation-state attacks (APTs) across the world. Asheer holds an M.S. in Computer Science with a focus on Cyber Security.
Transcript [en]


Welcome to the session. I'm glad all of you are here to hear me out. I know the session is on a Sunday at 3 P.M., so I'm going to try and keep this as simple and as interesting as possible. I can't promise this is going to be a short session. All right, let's start. Before we begin: today I'm going to talk about a very interesting APT called Lazarus. For those of us that don't know about Lazarus, it's affiliated with North Korea, so what better thing to do on a Sunday afternoon than talk about a North Korean APT, right? An APT that we all love and cherish. Before we begin, for those of you that don't know me, my name is Asheer Malhotra. I'm a threat researcher at Cisco Talos and I specialize in malware analysis, threat intelligence and malware detection techniques. This is my second time speaking at BSidesCharm, so yay. All right, thank you. [Applause] And that's the end of my presentation, thank you so much.

All right, on the agenda today: we are first going to talk about who and what Lazarus is. Then we're going to talk about a specific campaign that Lazarus conducted over the course of the past year, in 2022. I know there are some new disclosures in 2023 as well; I'm not going to present on that, but I'm certainly going to talk to you about that if you guys want me to. As part of this campaign that we disclosed back in 2022, we discovered the kill chain that I'm going to illustrate today, and I'm going to talk about their playbook as well. I will give you specific examples of hands-on-keyboard activity that the operators from this APT group are known to perform. Now, Lazarus really likes building implants. They build customized implants all the time, and I'm going to talk about three specific implants. I promise it's going to be just three, or maybe more, but these three implants were pivotal to the success of their campaign, and I'm going to describe these three implants over the course of three different intrusion sets which were all part of the same campaign. Then we're going to end with some key takeaways and some summary slides, because I was told I have to do that.

For those of us that don't know what Lazarus is, all right, hold on: how many of you know what an APT group is? Sweet. All right, so for those of us that don't know what an APT group is, it's called an advanced persistent threat. It's a state-sponsored hacking group that usually has the support and funding of a government organization, or a government that belongs to a specific country, and they perform a variety of attacks, all working towards the benefit of a specific nation state. Lazarus in particular, also known as Hidden Cobra, APT38, sometimes Zinc also, has been affiliated with North Korea by the industry far and wide. It's been active since at least 2010. In terms of their goals they have a three-pronged approach: they conduct their campaigns either to perform espionage, or for financial gain, or to conduct disruptive attacks. When it comes to the victimology of Lazarus, everything is on the table. All organizations are on the table. They love to go after military organizations, civilian government entities, finance, media verticals, critical infrastructure, anything that they can get their hands on. In terms of their distribution TTPs (tactics, techniques and procedures), throughout the course of the past decade or so Lazarus has been known to use a variety of techniques to distribute their malware. This includes spear phishing attacks, social engineering people, exploitation of known vulnerabilities, and then most recently they decided to get into the supply chain attack game as well, this year. In terms of their malware and tooling, they love to create new malware all the time; there's almost like one implant every year. I'm going to talk about three of their implants that we saw recently, MagicRAT, YamaBot and VSingle, and I'm going to describe that over the course of three intrusion sets. That being said, they also like to use a lot of open source tools and a lot of post-exploitation frameworks that are readily available out in the wild, and I'm going to give a brief introduction about how they use them and what kind of tools they like to use.

All right, let's talk about the campaign. This campaign that we discovered back in early 2022, and it made its way well into late 2022 as well, was used to target energy companies all across the world: the United States, North America and parts of Asia as well. It consisted of three distinct intrusion sets. Well, not distinct; they were very similar in the way they were deployed, but the key difference here was the implants, the final payloads that were being distributed as part of each intrusion set. In the first intrusion set we saw an implant called VSingle being deployed onto infected endpoints, and this was an instance where only VSingle was deployed. I'm going to talk about VSingle as well, but I just wanted to give you guys an introduction about it. VSingle was extensively used for performing hands-on-keyboard activity: searching for stuff, enumerating stuff, pivoting, lateral movement and so on and so forth. In the second intrusion set we saw the use of VSingle along with another malware family called MagicRAT, and when we discovered MagicRAT it was previously undisclosed. This was something new, and if you don't like the name you can blame me for it, because I was the one who named it. Don't clap, don't encourage me. So what we saw in this intrusion set was that first of all VSingle was deployed, and then the attackers for some reason decided that they didn't want to use VSingle, and that made way for MagicRAT, and then MagicRAT became the de facto mechanism for long-term persistent access into that specific network. In the third intrusion set we saw the use of VSingle along with yet another malware implant called YamaBot. Now, this was not by choice. The deployment of YamaBot was not by choice: as soon as they deployed VSingle it was detected. They were like, crap, we gotta find something else. So that is when they brought in YamaBot and they started using that specific piece of malware for long-term persistent access.

All right, let's go back now. Let's see how this entire cyber kill chain works, and how this infection chain works. It all started with the exploitation of public-facing vulnerable VMware servers. They exploited the Log4j vulnerability; you guys remember Log4j, all right. Successful exploitation of the VMware servers then led to the establishment of a reverse shell. They performed some preliminary tasks and then they went on to deploy customized implants. These customized implants were, as I said, VSingle, MagicRAT and YamaBot. Then they decided to start instrumenting the custom implants to carry out a variety of activities on the infected endpoints and in the infected organizations. This included creation of backdoor user accounts, creating reverse tunnels, lateral movement, data exfiltration and so on and so forth. So basically the whole deal.

Now, before we get into the typical infection chain, I just want to present it a different way. I want to talk about disabling defenses. In this day and age it sounds very rudimentary, but it's an essential step that threat actors across the world, any mature threat actor across the world, certainly does in one form or the other, and that's what Lazarus did as well. They try to get information about antivirus products, and then they try to disable real-time monitoring, try to create exclusions and so on and so forth. It's just preliminary tasks that they want to do before they actually introduce their custom-built, precious implants on an infected endpoint. All right, this is again what a typical infection chain looks like. The reason why I wanted to show you this diagram is because they didn't just use their customized implants for performing malicious activities on an endpoint. They also used a variety of open source tools, something like Impacket, and the reason why they used it is because between the custom implants and the open source tools there's like a 50-50 split in terms of capabilities. Something that the customized implant can do, the open source tool may not be able to do, and vice versa: something that the open source tool can do, the implant might not be able to do. So they basically tried to make this a symbiotic relationship and work both these components in conjunction with each other in order to carry out a number of different activities.

All right, let's talk about VSingle first. The reason I want to talk about VSingle is because we saw a lot of hands-on-keyboard activity being performed via VSingle. Now, VSingle is a malware family; it's basically a RAT family that on first look looks like another Lazarus family called DTrack, and DTrack is very popular with Lazarus. They use it in a plethora of campaigns against different entities all across the world. When I started analyzing this, I realized that this is probably DTrack, and then I started to peel across the layers and everything, and then we found out that this was in fact VSingle, which is a completely different implant from DTrack. VSingle has two major categories of capabilities. The first one is that it can create a reverse shell. It's going to basically spawn a command.exe, cmd.exe, process; it's going to start talking to it via named pipes, and anything that it writes and reads it can send out to the command and control server. This is a very basic reverse shell, and this has been very popular for the longest time; we've seen these kinds of reverse shells from the days of APT1 as well. Another functionality that VSingle has is that it has the ability to deploy plugins, and when I say plugins, that means additional payloads. In this case VSingle was able to deploy additional payloads in the form of in-memory shellcode. It goes out to the C2 server and it says, hey, I need something to run in my process's memory, and then it sends it shellcode that it runs inside of its own process. Then it also had the ability to run certain different types of scripts, so VB scripts, JavaScripts and PowerShell scripts, I guess, that it could get from the server and start to execute on the infected endpoint. The use of plugins is something of note: if you've been following Lazarus for as long as I have, the use of plugins in customized implants is very typical of Lazarus. They like to do this; they like to have a modular structure, and we've seen this in the past as well. Sometimes some of their plugins are also ransomware, so that's something to keep in mind.

All right, so we have VSingle installed on the system. What happens next, right? The attackers have compromised the box, they've done their preliminary actions, they've disabled protections, they've deployed VSingle. What happens next? What happens next is a series of hands-on-keyboard activity. The first thing they do is they perform additional reconnaissance: the usual sysinfo, ipconfig, they query the user accounts, they try to enumerate directories to find a list of installed programs, they even run the time command to get an idea of what the time zone is, and so on and so forth. Basically this is an attempt to fingerprint and profile the system before they take any further actions on it. If they think that the system is worth having access to, they will start creating mechanisms, sorry, alternate mechanisms, for maintaining that access, and what they basically do is they will create reverse shells and they will also start creating backdoor user accounts, which they will then give administrative privileges, so that in case their customized implant is burnt, or if it's not able to talk to the command and control server, they don't have to reinfect the box all over again. They already have access and they might just be able to RDP to it. Also in the course of this campaign, Lazarus had a very special focus on harvesting credentials. They would use the vssadmin utility to get a shadow volume copy, and then they would extract the ntds.dit file and they would just exfiltrate it out using their customized implant. ntds.dit is a file that contains Active Directory information, including a lot of credentials as well, so that's something that they can extract out of the ntds file and then use their own time to crack those passwords, or exploit it via pass-the-hash. Oops, sorry. And then of course there's the lateral movement. If they are interested in the network they will start performing lateral movement, and in order to do that they will do a ton of Active Directory reconnaissance. The commands here are mostly querying the system and the Active Directory to find information about the users and the domain and the computers and stuff like that, and then they will use something like Impacket or PsExec to pivot off and get on another box, and so on and so forth; they will just go on and on and on. Am I going too fast? All right, cool, perfect.

So I'm going to talk about YamaBot next. This was seen in intrusion set three, remember. So basically what we've done up till now is we've talked about intrusion set one and we've talked about a lot of hands-on-keyboard activity. I don't want to talk about victim 2 yet; I want to talk about victim 3 first of all. In victim 3 we saw the usage of YamaBot, and it was a very clear match. The samples that we found were YamaBot; they were attributed to Lazarus by the Japanese CERT, I think in 2022 as well. It's a very typical RAT malware family. There's nothing very special about it, but it consists of a lot of features that you see in a lot of commodity RATs out there in the wild. It's also Golang-based, so that gives us an indication that Lazarus likes to experiment with different platforms and different frameworks, and that is what brings us to MagicRAT.

All right, I'm going to take a moment for you to look at the really cool graphic that my graphics team made. It looks magical, right? All right, so MagicRAT. MagicRAT was first created in April 2022 and then subsequently we saw it being deployed a month later, in May 2022. What was really, really interesting about this malware family is that it uses the Qt framework. Do you all know what the Qt framework is? All right, I'm going to tell you what the Qt framework is after some time, not yet. Basically what it did was it would take this framework, the software development framework, and it would statically link that framework into its own binary, so there's like an entire framework that's embedded inside an exe file or a DLL file, and that makes it more than a few megabytes, to be honest; it's like a huge file. MagicRAT extensively used the Qt framework. They used the settings and configuration mechanism in the Qt framework to hold different configurations. The first set of configurations that you see, I know it's a little small, is basically a preamble followed by base64-encoded C2 URLs that the RAT actually goes out and talks to, and then these settings, these configurations, also store the replies from the command and control server and victim identification information and so on and so forth. In terms of persistence MagicRAT is very simple. It has the ability to create scheduled tasks on the system; it also has the ability to create a link file, a shortcut file, in the startup folder. Very simple, to be honest. C2 communication is also very, very simple. C2 is command and control server. Basically it sends out a beacon and says, hey, I'm alive, I'm going to send you some more information about this box, and then you tell me what I need to do after that, and that's basically as simple as it gets. It's HTTP-based, so it's not really very complicated, the communication. In terms of capabilities, it's a feature-rich RAT but it's also very simple. It has the ability to download and execute files, it can exfiltrate data, it can self-delete, it can create a remote shell (you remember I spoke about the reverse shells in VSingle; it's very similar, it has a very similar capability), and it also has the capability to switch between command and control servers. So the command and control server will send it a new value and say, hey, you've got to stop talking to me now and you now have to talk to a new server, and the RAT is going to be like, all right, cool, I'm just going to switch over communications. Basically that's how it works.

All right, let's talk about the Qt framework. So the Qt framework is advertised as a cross-platform framework for creating a variety of applications. It's a very popular framework when it comes to creating graphical user interface based applications, desktop applications, and it's extremely, extremely popular, to be honest. How many of you have used OllyDbg? Yeah, OllyDbg, I think, uses the Qt framework in some form or the other. The advantage that the Qt framework brings to a malware (I don't want to say that, but now I can't find better words), or to the developer of a specific application, is that it allows the developer to be agnostic of the platform, the underlying platform, for example Windows APIs or Linux or macOS calls. All the developer has to do is understand and figure out how the Qt framework works and how to call the Qt framework's APIs instead of calling the platform's APIs, and that's all they need to do. That also gives the developer the ability to port their applications and to port their code to different platforms; they just have to write code once and then they can compile it for Windows, Linux, macOS and so on and so forth. This is an example of the malware, of MagicRAT, using network calls to communicate with its C2 server, and then this is an example of the process creation mechanism that it uses. I know, I don't understand it either, to be honest, and I'm the one who analyzed it.

All right, so that brings us to the question: why would they use the Qt framework? Are there certain advantages to using the Qt framework? And I'm not advertising using this in malware, by the way. All right, the very first advantage that the attackers have is that it makes my life more difficult. It makes a researcher's analysis way more cumbersome, especially if you have like an eight-megabyte exe and you have to sift through different lines of code and figure out what is a library and what is user code, and then in turn you have to figure out how the APIs work and how the structures are structured and stuff like that. It's also designed to be highly performant. I don't really think the attackers cared about that, but they did use the multi-threading implementation to have different threads talk to each other. Qt is also highly portable, as I said, so we believe that the intention was to create MagicRAT and then deploy it, have it ready for deployment on Windows, Linux and macOS, wherever the attack is. So far we've only seen a Windows version of it, so I might be wrong. Yeah. Also, as defenders we have to ask this question: is this an evasion mechanism? Is the Qt framework an evasion mechanism? How many of you have seen the Qt framework being used in malware? I've never seen it being used in malware. You've seen it, all right. So there is also the possibility that the Qt framework was included, MagicRAT was built on the Qt framework, to evade heuristic detection mechanisms. There's always that possibility as well.

All right, so we've spoken about three RATs, and I promised I wouldn't talk about another RAT, but I have to. So far we've talked about VSingle and YamaBot and MagicRAT, and there is yet another RAT. Did I tell you that Lazarus loves creating new implants? TigerRAT is yet another implant that we discovered that had infrastructure overlap with MagicRAT. Basically we found a C2 server for MagicRAT that also hosted TigerRAT. TigerRAT is a tried and tested implant. It was disclosed by the South Korean government in 2021. It's very feature-rich in terms of its capabilities: it has the ability to screen capture and keylog, and it has a full-fledged file management module in there. It has the ability to create, destroy, read, write, execute files and so on and so forth. What's peculiar about TigerRAT is that in spite of having a full-fledged file management module, it also has the ability to look for certain files on the system with certain extensions and send that out to the C2 server, and that enables it to exfiltrate them. This is kind of, sort of, a duplicity of functionality that we've seen in RATs authored by Lazarus, and I'm going to talk about that in a bit as well. But basically what happens is, if you've followed implants created by Lazarus over the past five years or so, they love to stitch together different functionalities in their RATs and in their malware families, so you might not be able to derive a linear evolution in their malware families. They tend to take things out, put things back, and stuff like that, and this is an example of that. TigerRAT was disclosed in 2021, but it was first made in 2020; a bulk of its functionality was introduced in 2020. In 2021 we saw the attackers add the port forwarding capability, and then in 2022 they immediately decided to remove it. They introduced a new capability that allows the malware to copy over or dump the contents of a removable file, and then we also saw indications that they were preparing to add a web capture module in there as well, in the malware implant. All right, how are we doing on time? Good. All right, this might just be a short presentation.

All right, let's summarize everything. So what are the key takeaways? Basically I've just dumped a ton of information on you and been like, hey, this is a campaign, these are three intrusion sets, these are four malware implants, and that's it. But I'd like to summarize this a bit and give it more structure, so here it is. When we looked at the implants there were certain things that stood out to us; there were certain patterns that we saw. Firstly, in this specific campaign we saw implants that were rapidly developed: the four different types of implants that were developed, with other customized modules and plugins that the attackers developed on a regular basis that they could deploy on the infected endpoints. We have seen the increasing use of obfuscation and the use of loaders in Lazarus's implants over the past three or four years, and that practice has continued well into 2023 as well. Of course, Lazarus also likes to mix and match their capabilities. As I said, they will stitch together different code and create an implant that suits a specific campaign or a specific intrusion set. And then Lazarus is also moving towards a platform-agnostic approach. They're basically trying to create one single piece of malware, see if it's really effective, and then port it to different platforms and different operating systems as and when they see fit.

Now, this is something that I haven't spoken about a lot, but they do like to use a lot of readily available tools. They will use Impacket on a very regular basis, they will use Mimikatz, they will use ProcDump, they will use archive creation tools for data exfiltration and so on and so forth, and they will use known tools such as reverse tunnels and proxies, the 3proxys and the plinks and stuff like that, to conduct their malicious operations. All right, this is probably going to be the last slide, yay. All right, so to summarize: Lazarus is bad, right? Now, this is a highly, highly motivated adversary that is constantly trying new things. They're constantly innovating. They will not shy away from the use of exploits, so it's not just social engineering. They have a very diverse set of implants in their arsenal. They like to use a lot of open source tools as well and perform a wide variety of hands-on-keyboard activity. And so when you look at this slide, and this presentation, and when you take a look at this, they're a very motivated adversary, right, and one would even say that they're a very sophisticated adversary as well. Sometimes we say that they're experts at what they do, but sometimes they're not. In this campaign we found multiple instances, but I want to talk about two instances here where they basically made mistakes. Firstly, in the hands-on-keyboard activity they would mistype commands, and every time you mistype a command you have to type it in again, right? So that creates a lot of noise on the system. So maybe they weren't paying attention, maybe they didn't have their coffee or whatever, but sometimes that happened. In another instance we also saw that sometimes the operator that had access to a compromised box would type in a command, figure out that it's not working, disappear for like five minutes, and then come back and put in the right command. Can you guess what they were doing in those five minutes? Yes, they were Googling.

All right, and then this is my third observation, and this is kind of analytical. We noticed a specific pattern in their operations and their hands-on-keyboard activity. On certain endpoints we would see a predefined set of commands being executed day after day after day, on consecutive days, and what I figured was, it was probably because there were multiple operators getting access to the same box. So one operator gets access to a compromised box today, and then that gets transferred to another operator, and then that gets transferred to another operator, day after day, because they had persistent access. The reason why they ran the same set of commands is because they had the same playbook. It was basically a standard operating procedures manual, an SOP manual, that said at the very beginning, when you get access to a compromised box, run these commands, right? So they ran their own set of commands, but they wouldn't compare notes, is what I feel happened, because they would repeatedly execute the same set of commands. So basically one operator doesn't know what the other operator found out, which again makes it noisy, which also shows that there is a certain level of immaturity in their operations as well. So there are indications that although we tend to create cool graphics and we tend to call different adversaries bears and kittens and leopards and tigers and pandas, they are human at the end of the day, and they do make mistakes, and that's what I'm going to leave you with today. How are we doing on time? Doing good. All right, so this is the end of my presentation. Now is the time for any questions, feedback, blessings, beer that you might have for me.

So one of them was the repeated use of the same set of commands, which led me to believe that, you know, you've already typed this command, you already have this information, why would you come back tomorrow and do the same thing again, right? And then the day after tomorrow as well, right? So that led me to believe that there were two distinct human individual operators operating the box, and the biggest thing is they weren't talking to each other. Maybe it was office politics or whatever, but they're just not talking to each other.

Well, there are indications that they've gotten into the supply chain attack game, I've heard. I think this is related to 3CX and X_Trader, and that's all I can talk about, to be honest. Questions?

I don't remember, to be honest. They tend to mix and match their infrastructure as well. They're very paranoid about their infrastructure as well, and this goes for most of the North Korean APTs, nation-state groups: as soon as you find stuff on VirusTotal, they tend to remove that as soon as they can, unless they've had a certain degree of success, or sometimes they just don't care.


Do work on this, amazing job, thank you. Thank you. He said my work was fantastic.

[Applause]

More specifically, define your groups: Lazarus, which describes a whole bunch of different actors, requirements? I can try; we're just gonna take a year or so. So the question is: is there any way we can get into more granularity when it comes to talking about Lazarus? Is that the question? Okay, sure. Then it's going to take you and yours to do that. So the problem here is that recently the term Lazarus, people are starting to use it to define an umbrella of threat actors that are associated with North Korea, and that creates a problem, because sometimes you need greater detail in attribution, and when certain people or certain researchers like me, admittedly, don't know who the actual entity is, we just call it Lazarus and we get done with it, and that dilutes the actual Lazarus moniker, to be honest. I get you.

Trust me, they had a lot of systems to practice on. The volume and the time period: they had enough, more than enough, time to explore around.

Yeah, we published research on our blog as well. I'm sorry, I should have put that in right here. It's blog.talosintelligence.com. So that's basically it. I apologize for that, I should have put something in.

Sure. So firstly what happened was, when we got our hands on the samples, they were more than a few megabytes, eight or nine megabytes, and the first question you have to ask yourself is, why is this malware so big, right? Maybe it's made in Golang, or maybe it's made in a different framework. Then we did our own static analysis and we started to find that, once you open it up in IDA Pro and you look at the strings, you slowly start to understand that this substring, Qt, is being used a lot, and then you start Googling stuff and you eventually stumble upon the fact that, oh, this is the Qt framework. When you start looking at the code that they're calling, I think the Qt framework is an open source framework, so you can have a direct match between the assembly that you're looking at and the code that's uploaded out there. That's basically how we discovered it. I wish we hadn't, but... Any more questions? Going once, going twice. All right, your question.

Yes, all right, sold. So take-backs. Thank you so much for attending the session. You guys are awesome. Thanks. [Applause]
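Two of the hands-on-keyboard patterns the talk describes (the vssadmin shadow copy followed by pulling ntds.dit out of the snapshot, and the same recon playbook re-run on consecutive days by operators who do not compare notes) translate directly into detection logic over process-creation telemetry. The Python below is an added example, not code from the talk or from Cisco Talos; the hosts, users, timestamps and command lines are constructed sample records in the shape a process-creation event source such as Sysmon event ID 1 would provide.

```python
"""Detection sketch for two hands-on-keyboard patterns described in the talk.

Added example, not code from the talk or from Cisco Talos. The records below
are constructed: hosts, users, timestamps and command lines are hypothetical.
Each record is (timestamp, host, user, command line).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Day 1 on HOST-A: the recon playbook the talk lists (network config,
    # user accounts, installed programs, time zone). Constructed.
    ("2022-06-01 09:02:10", "HOST-A", "svc_backup", "ipconfig /all"),
    ("2022-06-01 09:02:31", "HOST-A", "svc_backup", "net user"),
    ("2022-06-01 09:03:05", "HOST-A", "svc_backup", 'dir "C:\\Program Files"'),
    ("2022-06-01 09:03:40", "HOST-A", "svc_backup", "time /t"),
    # Day 2 on HOST-A: the identical sequence again (different case/spacing),
    # as a second operator following the same SOP would produce.
    ("2022-06-02 10:15:02", "HOST-A", "svc_backup", "IPCONFIG  /all"),
    ("2022-06-02 10:15:20", "HOST-A", "svc_backup", "net user"),
    ("2022-06-02 10:16:01", "HOST-A", "svc_backup", 'dir "C:\\Program Files"'),
    ("2022-06-02 10:16:33", "HOST-A", "svc_backup", "time /t"),
    # Day 3 on DC-01: shadow copy created, then ntds.dit read from the snapshot.
    ("2022-06-03 01:10:00", "DC-01", "svc_backup", "vssadmin create shadow /for=C:"),
    ("2022-06-03 01:12:45", "DC-01", "svc_backup",
     "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dit"),
    # Benign noise on WS-07: a lone ipconfig, and an ntds.dit mention with no
    # preceding shadow copy on that host. Neither should fire.
    ("2022-06-03 08:00:00", "WS-07", "jdoe", "ipconfig"),
    ("2022-06-03 09:30:00", "WS-07", "jdoe", "dir C:\\Windows\\NTDS\\ntds.dit"),
]

# Recon command roots from the talk; extend to taste (whoami, systeminfo, ...).
RECON_COMMANDS = {"ipconfig", "net", "dir", "time"}
SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
NTDS_FROM_SNAPSHOT = re.compile(r"harddiskvolumeshadowcopy\d+.*ntds\.dit", re.I)


def normalize(cmd):
    """Lower-case, collapse whitespace and strip path/.exe from the first
    token so that 'IPCONFIG  /all' and 'ipconfig /all' compare equal."""
    tokens = cmd.lower().split()
    tokens[0] = tokens[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    return " ".join(tokens)


def find_shadow_copy_ntds(events, window=timedelta(minutes=30)):
    """Flag ntds.dit accessed through a shadow-copy device path within
    `window` of a vssadmin shadow creation on the same host."""
    last_shadow = {}  # host -> time of the most recent shadow creation
    hits = []
    for ts, host, user, cmd in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if SHADOW_CREATE.search(cmd):
            last_shadow[host] = when
        elif NTDS_FROM_SNAPSHOT.search(cmd):
            created = last_shadow.get(host)
            if created is not None and when - created <= window:
                hits.append((host, user, ts, cmd))
    return hits


def longest_consecutive_run(days):
    """Length of the longest run of calendar-consecutive dates."""
    ordered = sorted(days)
    run = best = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur - prev == timedelta(days=1) else 1
        best = max(best, run)
    return best


def find_repeated_playbooks(events, min_consecutive_days=2, min_len=3):
    """Flag a host where the same ordered recon sequence (at least min_len
    commands) was run on min_consecutive_days consecutive days."""
    per_host_day = defaultdict(list)
    for ts, host, _user, cmd in sorted(events, key=lambda e: e[0]):
        norm = normalize(cmd)
        if norm.split()[0] in RECON_COMMANDS:
            per_host_day[(host, ts[:10])].append(norm)
    seq_days = defaultdict(lambda: defaultdict(set))
    for (host, day), cmds in per_host_day.items():
        if len(cmds) >= min_len:
            seq_days[host][tuple(cmds)].add(datetime.strptime(day, "%Y-%m-%d").date())
    hits = []
    for host, by_seq in seq_days.items():
        for seq, days in by_seq.items():
            if longest_consecutive_run(days) >= min_consecutive_days:
                hits.append((host, seq, sorted(days)))
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_ntds(SAMPLE_EVENTS):
        print("shadow-copy ntds.dit access:", hit)
    for host, seq, days in find_repeated_playbooks(SAMPLE_EVENTS):
        print(f"repeated playbook on {host} over {days}: {seq}")
```

Run against real telemetry, the playbook check is most useful as a hunting query per host rather than an alert, since legitimate scheduled scripts also repeat; the shadow-copy check keys on the snapshot device path, so backup software reading ntds.dit through its own API will not match.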