A cascade of compromise: unveiling Lazarus’ new campaign

A supply-chain style compromise abused unpatched legitimate security software to deliver SIGNBT and follow-on tools, enabling in-memory execution, persistent side‑loading, and targeted C2 communications. The operator, attributed to Lazarus, used a memory-only loader and LPEClient to profile victims and load additional payloads. #Lazarus #SIGNBT

Keypoints

  • Initial access was achieved by exploiting legitimate, unpatched security software to inject shellcode and launch a Windows executable directly in memory.
  • The SIGNBT loader establishes persistence by dropping ualapi.dll into the system folder (loaded via spoolsv.exe) and by registry-based legitimate binary side‑loading.
  • The loader reads C:\Windows\system32\config\systemprofile\appdata\Local\tw-100a-a00-e14d9.tmp to derive an AES key (first 32 bytes) and decrypt the in-memory SIGNBT payload; configuration is read from a companion tw-100b‑*.tmp file containing base64 data.
  • SIGNBT uses structured C2 prefixes (SIGNBTLG, SIGNBTKE, SIGNBTGC, SIGNBTFI, SIGNBTSR) and a 24-byte identifier + XOR/base64 + randomized HTTP parameter scheme to harden communications and fingerprint victims.
  • The backdoor exposes many command classes (e.g., CCBrush, CCList, CCBitmap) capable of profiling, file operations, process injection, remote execution, and deploying a secondary payload via a “deploy” command.
  • The actor uses SIGNBT to load in-memory follow-on tools such as LPEClient and credential dumpers; LPEClient has evolved to include stealth techniques like disabling user-mode syscall hooks and restoring system library memory sections.

MITRE Techniques

  • [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – the vendor of the legitimate security software had itself been compromised, and that software, left unpatched on victim hosts, became the entry point: (‘A software vendor was compromised through the exploitation of another high-profile software.’)
  • [T1203] Exploitation for Client Execution – shellcode found inside legitimate process memory launched a Windows executable directly in memory: (‘we discovered the presence of the SIGNBT malware accompanied by a shellcode. This shellcode was responsible for launching a Windows executable file directly in memory.’)
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking (phantom DLL) – persistence via ualapi.dll, a DLL name the Print Spooler loads from the system folder whenever a file by that name exists, so the implant is re-loaded by spoolsv.exe at every boot: (‘creation of a file called ualapi.dll in the system folder, which is automatically loaded by the spoolsv.exe process at each system boot.’)
  • [T1574.002] DLL Side‑Loading – registry entries and legitimate files were used to side‑load malicious DLLs for persistence and execution: (‘registry entries were recorded to execute legitimate files for the purpose of malicious side-loading’)
  • [T1140] Deobfuscate/Decode Files or Information – malware uses AES decryption and base64-encoded configuration to conceal payloads and settings: (‘The loader process retrieves the first 32 bytes … and uses this data as an AES decryption key to decrypt the remaining contents.’ / ‘Inside this file is a base64-encoded string’)
  • [T1027] Obfuscated Files or Information – the SIGNBT payload sits on disk only as an AES-encrypted blob in a .tmp file and is decrypted straight into memory, so the on-disk artifact carries no recognisable PE: (‘loaded directly into memory’ and AES encrypted payloads)
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – the configuration file is base64-encoded and AES-encrypted, with the key prepended to the encrypted data: (‘first 32 characters of this string serve as the AES decryption key, while the subsequent data contains configuration information’)
  • [T1620] Reflective Code Loading – payloads executed in memory without touching disk (memory-only execution of SIGNBT and follow-on tools): (‘newly delivered malware variants predominantly execute in the system’s memory only, without touching the disk.’)
  • [T1003.001] OS Credential Dumping: LSASS Memory – actor delivered credential dumping utilities as follow-on, memory-resident tools: (‘the actor has been observed to deliver such tools as LPEClient and credential dumping utilities to the victim machines.’)
  • [T1057] Process Discovery – malware collects process lists and can kill or inject into processes via CCList functions: (‘getProcessList, processKill, runFile, runAsUser, injectDll, freeDll’)
  • [T1082] System Information Discovery – getInfo gathers system and environment details (hostname, OS, uptime, CPU, locale, time zone, network status): (‘gathers various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status…’)
  • [T1083] File and Directory Discovery – functionality to list drives and directories (getDriveList, getFileDir) used for reconnaissance: (‘getDriveList, getFileDir, changeFileTime, secDelete…’)
  • [T1113] Screen Capture – remote functions include screen capture to collect visual data: (‘startDownload, upFile, selfMemload, scrCapture’)
  • [T1071.001] Web Protocols – C2 uses HTTP/HTTPS POSTs with custom parameterization and base64 payloads for command and control: (‘The malware begins communicating with the C2 server by sending a beacon… uses distinctive strings that start with SIGNBT.’)
  • [T1132.001] Data Encoding: Standard Encoding (Base64) – base64 used extensively for configuration and C2 payload encoding: (‘Inside this file is a base64-encoded string’ / ‘both the resulting value and the 24-byte key are encoded with base64.’)
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – AES is used to decrypt data received from the C2, with the key delivered in the SIGNBTLG exchange: (‘The data received from the C2 server is decrypted using AES with a decryption key obtained from a SIGNBTLG HTTP request.’)
  • [T1041] Exfiltration Over C2 Channel – the backdoor can send collected data and files back to C2 via its HTTP-based channels: (‘After sending this system-specific information, the malware sends another HTTP request…’)

Indicators of Compromise

  • [File hashes] SIGNBT loader and related DLLs – 9cd90dff2d9d56654dbecdcd409e1ef3, 88a96f8730b35c7406d57f23bbba734d, and 3 more hashes
  • [File hash] SIGNBT payload – 9b62352851c9f82157d1d7fcafeb49d3 (identified as the in-memory SIGNBT executable)
  • [File hashes] LPEClient and related files – 3a77b5054c36e6812f07366fb70b007d, e89fa6345d06da32f9c8786b65111928
  • [File paths] Loader and config locations – C:\Windows\system32\config\systemprofile\appdata\Local\tw-100a-a00-e14d9.tmp, C:\Windows\system32\config\systemprofile\appdata\Local\tw-100b-a00-e14d9.tmp
  • [File names / DLLs] Persistence and side-load artifacts – %system%\ualapi.dll (persistence via spoolsv.exe), C:\Google\DCoding\JSNode\winhttp.dll
  • [C2 domains] Command-and-control endpoints – hxxp://ictm[.]or[.]kr/UPLOAD_file/board/free/edit/index[.]php, hxxp://samwoosystem[.]co[.]kr/board/list/write[.]asp, and ~40 other listed domains/URLs

The attacker exploited unpatched legitimate security software to execute shellcode inside that software's process and launch a Windows executable directly in memory. Post‑exploitation activity set up two independent persistence paths: a loader DLL named ualapi.dll was written to the system folder, where spoolsv.exe loads it automatically at each boot (a phantom-DLL hijack that needs no registry change), and registry entries were recorded to execute legitimate binaries that side‑load malicious DLLs placed beside them. Either path alone re-establishes the implant if the other is cleaned up.
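Both persistence paths leave a signal in image-load telemetry: spoolsv.exe loading a DLL that Windows does not ship, and a system DLL name (winhttp.dll appears in the IoC list) loading from a directory that is not a system directory. The hunt below is an added example written for this page, not code from the Securelist article or from the actor; it runs over a constructed, simplified Sysmon Event ID 7 (ImageLoad) export carrying only the two fields the check needs, and the EXE names in the sample records are hypothetical.

```python
"""Hunt for the two persistence artifacts described above in image-load telemetry.

Added example for this page; not code from the Securelist article or the actor.
Assumption (labelled): the records below are a constructed, simplified Sysmon
Event ID 7 (ImageLoad) export with only the two fields this check needs.
"""
import ntpath

# Directories from which Windows legitimately serves its own DLLs (lower-cased for comparison).
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# ualapi.dll does not ship with Windows, yet spoolsv.exe tries to load it from the
# system folder at startup; a file by that name is therefore a phantom-DLL hijack.
SPOOLER_PHANTOM_DLLS = {"ualapi.dll"}

# DLLs that should only ever load from a system directory. A copy sitting next to a
# legitimate EXE (winhttp.dll in the IoC list above) is the side-loading pattern.
SYSTEM_ONLY_DLLS = {"winhttp.dll"}

# Constructed sample telemetry, not real captures. EXE names are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\ualapi.dll"},
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\winspool.drv"},
    {"Image": r"C:\Google\DCoding\JSNode\host.exe",
     "ImageLoaded": r"C:\Google\DCoding\JSNode\winhttp.dll"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},
]


def classify(event):
    """Return a finding label for one ImageLoad record, or None if it looks benign."""
    loader = ntpath.basename(event["Image"]).lower()
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    # Phantom DLL: the spooler loading ualapi.dll from anywhere is suspicious.
    if loader == "spoolsv.exe" and dll_name in SPOOLER_PHANTOM_DLLS:
        return "phantom-dll-hijack"
    # Side-loading: a system-only DLL name served from a non-system directory.
    if dll_name in SYSTEM_ONLY_DLLS and dll_dir not in SYSTEM_DLL_DIRS:
        return "dll-side-loading"
    return None


def hunt(events):
    """Run classify() over a batch and keep (label, loaded image) pairs."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((label, event["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for label, path in hunt(SAMPLE_EVENTS):
        print(f"{label}: {path}")
```

The SysWOW64 entry in SYSTEM_DLL_DIRS is there so 32-bit processes loading the 32-bit winhttp.dll are not flagged; without it the side-loading rule fires on every WOW64 process. On hosts where Windows is not installed on C:, normalise paths against %SystemRoot% before comparing.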

The loader reads a temporary file (tw-100a-*.tmp) and uses its first 32 bytes as an AES key (32 bytes, so AES-256) to decrypt the remaining contents, yielding the SIGNBT executable, which it maps into memory rather than writing to disk. A companion config file (tw-100b-*.tmp) contains a base64-encoded string; after decoding, the first 32 characters serve as the AES key and the rest is the encrypted configuration. The decrypted configuration includes multiple C2 addresses, sleep intervals, monitored targets, and other operational parameters, so recovering it from a victim host gives the full C2 set for that deployment.

SIGNBT performs structured C2 interactions using stage-specific prefixes (SIGNBTLG, SIGNBTKE, SIGNBTGC, SIGNBTFI, SIGNBTSR). For the beacon it constructs a 24-byte identifier (8 fixed bytes + the first 8 bytes of MD5(hostname) + 8 random bytes), XORs it with a random 24-byte key, base64-encodes both the masked value and the key, and sends them under randomly generated HTTP parameter names so that no fixed parameter string can be signatured. Upon receiving valid C2 responses (validated via a specific HTML/script marker and base64/XOR checks), SIGNBT can run profiling (getInfo), file/process operations, DLL injection, screen capture, and a “deploy” command that implants additional payloads (e.g., phantom DLLs). Those follow-on tools, including LPEClient and credential dumpers, are typically executed in memory only and include stealth techniques such as disabling user-mode syscall hooks and restoring system library sections to avoid detection.
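The beacon scheme is worth reproducing end to end, because the same property that hides it from signatures (random parameter names, random XOR key) also makes it decodable by a responder who has the traffic: the key travels alongside the masked value, and the MD5 tag ties a beacon to a hostname from your inventory. The block below is an added example written for this page, not code from the Securelist article or from SIGNBT; the value of the 8-byte fixed prefix, the 24-byte length of the XOR key, and the form-urlencoded POST body layout are assumptions, since the write-up does not give the real byte order or parameter scheme.

```python
"""Build and decode a SIGNBT-style beacon identifier.

Added example for this page; not code from the Securelist article or the actor.
Assumptions (labelled inline): the fixed-prefix value, a 24-byte XOR key and the
form-urlencoded body layout are illustrative, not the real implementation's.
"""
import base64
import hashlib
import os
import secrets
import string
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Assumption: the article does not give the fixed prefix; any 8 bytes serve here.
FIXED_PREFIX = b"SIGNBT\x00\x01"


def build_identifier(hostname: str, nonce: Optional[bytes] = None) -> bytes:
    """24 bytes: 8 fixed + first 8 bytes of MD5(hostname) + 8 random bytes."""
    host_tag = hashlib.md5(hostname.encode("utf-8")).digest()[:8]
    nonce = os.urandom(8) if nonce is None else nonce
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    return FIXED_PREFIX + host_tag + nonce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def random_param_name(length: int = 6) -> str:
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def encode_beacon(hostname: str, nonce=None, xor_key: Optional[bytes] = None) -> str:
    """Client side: mask the identifier with a random 24-byte key, base64 both,
    and send them under random parameter names (assumed x-www-form-urlencoded)."""
    ident = build_identifier(hostname, nonce)
    xor_key = os.urandom(24) if xor_key is None else xor_key
    masked = xor_bytes(ident, xor_key)
    name_a = random_param_name()
    name_b = random_param_name()
    while name_b == name_a:  # parameter names must differ or one value is lost
        name_b = random_param_name()
    return urlencode({name_a: base64.b64encode(masked).decode(),
                      name_b: base64.b64encode(xor_key).decode()})


def decode_beacon(body: str, known_hosts) -> Optional[dict]:
    """Analyst side: parameter names are random and XOR is symmetric, so the
    masked value and the key are interchangeable. Try every pair of 24-byte
    base64 values and match bytes 8..16 against MD5 tags of known hostnames."""
    candidates = []
    for values in parse_qs(body).values():
        for value in values:
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if len(raw) == 24:
                candidates.append(raw)
    host_tags = {hashlib.md5(h.encode("utf-8")).digest()[:8]: h for h in known_hosts}
    for i in range(len(candidates)):
        for j in range(i + 1, len(candidates)):
            ident = xor_bytes(candidates[i], candidates[j])
            if ident[8:16] in host_tags:
                return {"hostname": host_tags[ident[8:16]],
                        "prefix": ident[:8], "nonce": ident[16:24]}
    return None


if __name__ == "__main__":
    body = encode_beacon("WS-FINANCE-07")  # constructed hostname
    print(body)
    print(decode_beacon(body, ["WS-FINANCE-07", "DC01"]))
```

Matching on the MD5 tag rather than on the prefix is deliberate: the decoder does not need to know the sample's fixed bytes, only the hostnames in scope, and it reports the prefix it recovered so the value can be confirmed against the binary. A tag that matches no host in the inventory is itself a finding, since it means a beaconing machine you are not tracking.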

Read more: https://securelist.com/unveiling-lazarus-new-campaign/110888/