The Lazarus threat actor used a watering hole to get a first foothold on target systems, then exploited a vulnerability in MagicLine4NX to move into internal networks. They used BYOVD and a rootkit to disable anti-malware, then spread through the internal network over RDP and SSH, deploying multiple malware payloads. #Lazarus #MagicLine4NX #BYOVD
Keypoints
- The Lazarus group employed a watering hole technique to target specific organizations by compromising a Korean website and delivering malware when accessed from certain IPs.
- The Lazarus malware (SCSKAppLink.dll) was downloaded from a distribution site and executed by exploiting a vulnerable INISAFECrossWebEXSvc.exe, which is why INISAFE CrossWeb EX installations need to be kept patched.
- The attackers exploited MagicLine4NX vulnerabilities (CVE-2021-26606) to inject malicious code and gain access to internal systems.
- Malicious activity included injecting a thread into ftp.exe and leveraging MagicLine4NX’s protocol calls to pivot within the network.
- WMI was used to call MagicLine4NX from a remote system, indicating remote execution and lateral movement techniques.
- RDP and SSH were used to access internal systems, followed by backdoor creation, rootkit deployment, and the loading of vulnerable drivers to disable security software.
MITRE Techniques
- [T1189] Drive-by Compromise – Watering hole infiltration used to target specific organizations; “The attacker uses the watering hole method to infiltrate the target system.”
- [T1190] Exploit Public-Facing Application – CVE-2021-26606 in MagicLine4NX used to gain internal access; “The attacker uses the vulnerability of MagicLine4NX to gain access to the internal system.” (Note: MagicLine4NX is a client-side certificate program reached from an already-compromised host on the internal network, so the behaviour described also fits [T1210] Exploitation of Remote Services.)
- [T1055] Process Injection – Injects a malicious thread into ftp.exe; “injects a malicious thread into ftp.exe.”
- [T1047] Windows Management Instrumentation – Uses WMI to call MagicLine4NX from a remote system; “Lazarus group uses WMI to call MagicLine4NX from a remote system.”
- [T1021.004] Remote Services: SSH – Attempts to log in to SSH servers with a root account; “The attacker also attempts to log in to the SSH server of systems in the internal network with a root account.”
- [T1021.001] Remote Services: Remote Desktop Protocol (formerly T1076, now retired) – Uses RDP to access the internal system; “The attacker also uses RDP to access the internal system.”
- [T1068] Exploitation for Privilege Escalation – BYOVD to disable security tools and enable escalation; “BYOVD (Bring Your Own Vulnerable Driver)… it can disable all monitoring programs in the system, including security software.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – Rootkit and vulnerable drivers to disable anti-malware; “disable security software.” (The rootkit itself is also [T1014] Rootkit.)
- [T1543.003] Create or Modify System Process: Windows Service – Rootkit and driver components are registered as services to maintain control; “registers them as a service.”
- [T1105] Ingress Tool Transfer – SCSKAppLink.dll downloaded from distribution site and executed; “the Lazarus malware (SCSKAppLink.dll) is downloaded from the malware distribution website and executed via the INISAFECrossWebEXSvc.exe vulnerability.”
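The techniques above are each observable in host telemetry. The following is an added hunting example, not code from the ASEC report or from AhnLab: it checks Sysmon-style records (EventID 1 process create, 3 network connect, 6 driver load, 8 CreateRemoteThread) and Windows System-log 7045 service installs for the WMI-launched MagicLine4NX process, the thread injected into ftp.exe, connections to the page's IP/domain indicators, and drivers loaded or registered as services from outside the Windows driver directories (the BYOVD driver is typically validly signed, so the load path is the more useful signal). It also counts sshd root-login attempts per source IP from auth-log lines. All event records, log lines, executable names and paths below are constructed for the example; the MagicLine4NX binary name and the `loader.exe` path are assumptions.

```python
"""Hunting the behaviours from the ASEC write-up in host telemetry.

Windows records use Sysmon field names (EventID 1 process create, 3 network
connect, 6 driver load, 8 CreateRemoteThread) plus System-log 7045 (service
installed). The Linux side uses sshd auth-log lines. All records below are
constructed for this example; binary names and paths are assumptions.
"""
import ntpath
import re
from collections import Counter

# Network indicators listed on the page.
IOC_IPS = {"3.39.208.187", "222.118.225.33"}
IOC_DOMAINS = {"strivemktsupporters.com"}
# Where Windows keeps legitimately installed drivers; a BYOVD driver is
# usually validly signed, so its load path is the better signal.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")


def _base(p):
    return ntpath.basename(p).lower()


def rule_wmi_spawned_magicline(ev):
    # Win32_Process.Create over WMI runs the child under WmiPrvSE.exe (T1047).
    return (ev["EventID"] == 1
            and "magicline4nx" in _base(ev["Image"])
            and _base(ev["ParentImage"]) == "wmiprvse.exe")


def rule_remote_thread_into_ftp(ev):
    # CreateRemoteThread whose target is ftp.exe (T1055).
    return ev["EventID"] == 8 and _base(ev["TargetImage"]) == "ftp.exe"


def rule_connection_to_ioc(ev):
    # Any process reaching the page's IP or domain indicators.
    return (ev["EventID"] == 3
            and (ev.get("DestinationIp") in IOC_IPS
                 or ev.get("DestinationHostname", "").lower() in IOC_DOMAINS))


def _driver_path(ev):
    # Normalise the driver path from a Sysmon 6 or a kernel-driver 7045 event.
    if ev["EventID"] == 6:
        p = ev["ImageLoaded"]
    elif ev["EventID"] == 7045 and ev.get("ServiceType", "").lower().startswith("kernel"):
        p = ev["ImagePath"]
    else:
        return None
    p = p.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if not ntpath.splitdrive(p)[0]:          # 7045 often logs "system32\drivers\x.sys"
        p = ntpath.join("c:\\windows", p)
    return p


def rule_driver_outside_trusted_dirs(ev):
    # Driver loaded, or registered as a service, from a non-standard location (T1543.003 / BYOVD).
    p = _driver_path(ev)
    return p is not None and not p.startswith(TRUSTED_DRIVER_DIRS)


RULES = [rule_wmi_spawned_magicline, rule_remote_thread_into_ftp,
         rule_connection_to_ioc, rule_driver_outside_trusted_dirs]


def hunt(events):
    """Return (rule name, event) pairs for every event that trips a rule."""
    return [(r.__name__, ev) for ev in events for r in RULES if r(ev)]


SSH_ROOT = re.compile(r"(Failed|Accepted) (?:password|publickey) for root from (\S+)")


def ssh_root_attempts(lines):
    """Count sshd root-login attempts per (source IP, outcome) (T1021.004)."""
    c = Counter()
    for line in lines:
        m = SSH_ROOT.search(line)
        if m:
            c[(m.group(2), m.group(1))] += 1
    return c


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\MagicLine4NX\\MagicLine4NX.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\MagicLine4NX\\MagicLine4NX.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                      # benign user start
    {"EventID": 8, "SourceImage": "C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe",
     "TargetImage": "C:\\Windows\\System32\\ftp.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\ftp.exe",
     "DestinationIp": "3.39.208.187", "DestinationPort": 443},
    {"EventID": 6, "ImageLoaded": "C:\\ProgramData\\drv\\vuln.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\legit.sys", "Signed": "true"},
    {"EventID": 7045, "ServiceName": "drvsvc", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\ProgramData\\drv\\vuln.sys"},
    {"EventID": 7045, "ServiceName": "okdrv", "ServiceType": "kernel mode driver",
     "ImagePath": "system32\\DRIVERS\\legit.sys"},
]

SAMPLE_AUTH_LOG = [
    "Nov 28 10:01:02 srv sshd[201]: Failed password for root from 10.0.0.15 port 52114 ssh2",
    "Nov 28 10:01:05 srv sshd[201]: Failed password for root from 10.0.0.15 port 52114 ssh2",
    "Nov 28 10:01:09 srv sshd[203]: Accepted password for root from 10.0.0.15 port 52120 ssh2",
    "Nov 28 10:02:00 srv sshd[210]: Accepted publickey for deploy from 10.0.0.7 port 40000 ssh2",
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{name}: EventID {ev['EventID']}")
    print(ssh_root_attempts(SAMPLE_AUTH_LOG))
```

Run over the constructed sample, the WMI-launched MagicLine4NX process, the injection into ftp.exe, the ftp.exe connection to an indicator IP, and both driver records from `C:\ProgramData` are flagged, while the user-launched MagicLine4NX process and the drivers in `System32\drivers` are not; the auth-log rule reports two failed and one accepted root login from the same source. In production the same checks belong in your SIEM query language, and the driver rule should additionally compare the file hash against a vulnerable-driver blocklist, since a signed driver in an odd path is a lead rather than a verdict.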
Indicators of Compromise
- [Domain] – strivemktsupporters[.]com and related domain; “hxxps://strivemktsupporters[.]com”
- [IP] – 3.39.208.187, 222.118.225.33 (C2 or hosting related)
- [File MD5] – 8F39A7AFA14541B709FE950D06186944, CA6C08B58A35D7FA581DFB419CE5B881, and 14 more hashes
- [File] – SCSKAppLink.dll, ftp.exe (injection target), the rootkit, and the vulnerable DLL/driver files that the report describes being registered as services
Read more: https://asec.ahnlab.com/en/40830/