Hunting Lazarus Group’s TTPs

Introduction

This aims to serve as a repo of procedures attributed to Lazarus Group activity that can immediately be actioned on by threat hunters given the right logs. Along with each TTP is at least one potential way to hunt for the activity.

Let me be clear, you can run all of these hunts, have 0 results, and still be compromised. This is not a checklist. It simply aims to be a resource for how to hunt given Techniques by showcasing the Procedures.

I make no claims of attribution. The way this information was compiled was by studying all of the references to Lazarus Group listed in the MITRE Groups page (found here).

If I have made a mistake, feel free to DM me on Twitter @_montysecurity.

TTPs & Hunts

Initial Access — T1566.001 — Word Documents

• Procedure: Phishing via DOCX files
• Notes: they have also been suspected of using T1221 — Template Injection which is discussed later on in this report.
• Reference: McAfee, LOLBAS
• Potential Hunt: Sub-processes of winword.exe
• Potential Hunt: winword.exe spawning LOLBAS

Lazarus Group Initial Access Procedure — McAfee

Initial Access — T1566.001 — RAR Archives

• Procedure: LNK files within RAR archives
• Notes: They were seen using LNK files (delivered via a RAR archive). These LNK files executed a payload and then opened a browser to a decoy PDF.
• Reference: ESET
• Potential Hunt: any browser (e.g. chrome.exe, firefox.exe, etc.) with a command line parameter containing “.pdf” (indicating it opened up to the PDF directly)
• Potential Hunt: explorer.exe launching cmd.exe with “mkdir” or “copy” in the process command line
• Potential Hunt: cmd.exe spawning schtasks.exe or at.exe

Lazarus Initial Access Procedure — ESET

Execution — T1053.005 — Scheduled Tasks

• Procedure: Scheduled tasks executing remote payload via wmic.exe
• Notes: According to a graphic provided by ESET, scheduled tasks launch wmic.exe to interpret a remote XSL file but earlier in the report wmic.exe is renamed and moved (that is why the hunting logic does not use wmic.exe). According to Nasreddine Bencherchali’s blog post, there are multiple potential binaries that can handle scheduled tasks; according to the Threat Hunting Team’s blog post, wmic.exe can directly call remote files.
• References: ESET, Nasreddine Bencherchali’s blog post, Threat Hunting Team’s blog post
• Potential Hunt: svchost.exe with “Schedule” in the command line spawning any child process with “http” or “https” in the child command line
• Potential Hunt: taskhostw.exe or taskeng.exe spawning any child process with “http” or “https” in the child command line

Lazarus Execution/Persistence via Scheduled Tasks — ESET

Defense Evasion — T1218 — PowerShdll

• Procedure: executing PowerShell via DLL
• Notes: ESET mentions PowerShdll being used, hunting opportunity sourced from PowerShdll README.md (“main” is the default entry point listed in the docs and I suggest hunting for “[“ to catch PowerShell classes)
• References: ESET, PowerShdll
• Potential Hunt: rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe, or regsvr32.exe spawning with “main” and “[“ in the command line

Defense Evasion — T1140 — certutil.exe

• Procedure: certutil.exe to decode payloads
• Notes: ESET states “use of certutil to decode base64-encoded downloaded payloads”
• Reference: ESET
• Potential Hunt: certutil.exe with “decode” in the process command line

Defense Evasion — T1218 — rundll32.exe and regsvr32.exe

• Procedure: rundll32.exe and regsvr32.exe being used to execute malware
• Notes: ESET only specifically mentions rundll32.exe and regsvr32.exe being used to execute malware (section 2.3.2) but I added all LOLBAS binaries I found that appear to be capable to executing DLLs.
• References: ESET, LOLBAS
• Potential Hunt: all instances of the following processes executing DLLs; rundll32.exe, regsvr32.exe, regsvcs.exe, regasm.exe, certoc.exe, dnscmd.exe, installutil.exe, mavinject32.exe, msiexec.exe, netsh.exe, pcalua.exe, rasautou.exe, register-cimprovider.exe, acccheckconsole.exe, coregen.exe, dotnet.exe, procdump.exe, tracker.exe, vsls-agent.exe, wuauclt.exe
• Potential Hunt: Rare parents of the same binaries listed above
• Potential Hunt: Rare parents of cmd.exe and powershell.exe processes that spawn the binaries listed above

Defense Evasion — T1221 — Template Injection

• Procedure: DOCX files with remote templates
• Notes: McAffee notes that the XML for the initial phishing documents were modified to retrieve a Microsoft Office Template (.dotm) from a remote server. The template then contains the malicious macro. Word can be seen generating a network connection when it retrieves the templates. ired.team has a good post on how this works.
• Reference: McAfee, see first image above; ired.team blog
• Potential Hunt: windword.exe downloading files

Defense Evasion — T1127 — VS Code

• Procedure: Build instructions in VS code projects being used to launch malicious powershell.exe scripts.
• Note: Google TAG does not make any claim that this was Lazarus Group however this reference was used in the MITRE page so adding here.
• Reference: Google TAG
• Potential Hunt: code.exe spawning powershell.exe

Lateral Movement — T1570 — wmic.exe

• Procedure: using wmic.exe (sometimes with the binary being renamed) to execute code on other machines
• Reference: Securelist
• Notes: Looking for process command lines with “/node:” catches some wmic.exe activity pertaining to creating processes on other machines without relying on wmic.exe being the executable name as Lazarus has been seen renaming the binary.
• Potential Hunt: Any process command line containing “/node:” and “PROCESS CALL CREATE”

Persistence — T1037.005 — LNK in Startup

• Procedure: Puts a LNK file in startup that calls a binary in %TEMP%, disguised as Google Update.
• Reference: McAfee
• Notes: In my experience, using an LNK in the startup folder means that when this executes the process tree will be userinit.exe → explorer.exe → binary_that_the_lnk_points_to (See Appendix)
• Potential Hunt: All processes with a parent of explorer.exe and grand-parent of userinit.exe
• Potential Hunt: explorer.exe spawning a binary located in any folder path containing “Temp” or “Tmp”
• Potential Hunt: explorer.exe spawning cmd.exe or powershell.exe which spawns another binary located in any folder path containing “Temp” or “Tmp”

Appendix

Persistence — T1037.005 — LNK in Startup

I tested this in my lab by putting an LNK file in the startup folder. This LNK file was cmd.exe launching powershell.exe and when I rebooted the lab the resulting process tree was explorer.exe → cmd.exe → powershell.exe. The same thing is seen by clicking on the LNK file

Testing LNK in Startup in the Lab