Amazon-themed campaigns of Lazarus in the Netherlands and Belgium

MITRE Techniques

• [T1106] Native API – The Lazarus HTTP(S) backdoor uses the Windows API to create new processes. “The Lazarus HTTP(S) backdoor uses the Windows API to create new processes.”
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – HTTP(S) backdoor malware uses cmd.exe to execute command-line tools. “HTTP(S) backdoor malware uses cmd.exe to execute command-line tools.”
• [T1140] Deobfuscate/Decode Files or Information – Many of the Lazarus tools are stored in an encrypted state on the file system. “Many of the Lazarus tools are stored in an encrypted state on the file system.”
• [T1070.006] Indicator Removal on Host: Timestomp – The Lazarus HTTP(S) backdoor can modify the file time attributes of a selected file. “The Lazarus HTTP(S) backdoor can modify the file time attributes of a selected file.”
• [T1574.002] Hijack Execution Flow: DLL Side-Loading – Many of the Lazarus droppers and loaders use a legitimate program for their loading. “Many of the Lazarus droppers and loaders use a legitimate program for their loading.”
• [T1014] Rootkit – The user-to-kernel module of Lazarus can turn off monitoring features of the OS. “The user-to-kernel module of Lazarus can turn off monitoring features of the OS.”
• [T1027.002] Obfuscated Files or Information: Software Packing – Lazarus uses Themida and VMProtect to obfuscate their binaries. “Lazarus uses Themida and VMProtect to obfuscate their binaries.”
• [T1218.011] System Binary Proxy Execution: Rundll32 – Lazarus uses rundll32.exe to execute its malicious DLLs. “Lazarus uses rundll32.exe to execute its malicious DLLs.”
• [T1071.001] Application Layer Protocol: Web Protocols – The Lazarus HTTP(S) backdoor uses HTTP and HTTPS to communicate with its C&C servers. “The Lazarus HTTP(S) backdoor uses HTTP and HTTPS to communicate with its C&C servers.”
• [T1573.001] Encrypted Channel: Symmetric Cryptography – The Lazarus HTTP(S) backdoor encrypts C&C traffic using the AES-128 algorithm. “The Lazarus HTTP(S) backdoor encrypts C&C traffic using the AES-128 algorithm.”
• [T1132.001] Data Encoding: Standard Encoding – The Lazarus payloads encode C&C traffic using the base64 algorithm. “The Lazarus payloads encode C&C traffic using the base64 algorithm.”
• [T1560.002] Archive Collected Data: Archive via Library – The Lazarus HTTP(S) uploader can zip files of interest and upload them to its C&C. “The Lazarus HTTP(S) uploader can zip files of interest and upload them to its C&C.”
• [T1584.004] Acquire Infrastructure: Server – Compromised servers were used by all the Lazarus HTTP(S) backdoor, uploader, and downloader as a C&C. “Compromised servers were used by all the Lazarus HTTP(S) backdoor, uploader, and downloader as a C&C.”
• [T1587.001] Malware – Custom tools from the attack are likely developed by the attackers. “Custom tools from the attack are likely developed by the attackers.”
• [T1204.002] User Execution: Malicious File – The target was lured to open a malicious Word document. “The target was lured to open a malicious Word document.”
• [T1566.003] Phishing: Spearphishing via Service – The target was contacted via LinkedIn Messaging. “The target was contacted via LinkedIn Messaging.”
• [T1566.001] Phishing: Spearphishing Attachment – The target received a malicious attachment. “The target received a malicious attachment.”
• [T1547.006] Boot or Logon Autostart Execution: Kernel Modules and Extensions – The BYOVD DBUtils_2_3.sys was installed to start via the Boot loader. “The BYOVD DBUtils_2_3.sys was installed to start via the Boot loader.”
• [T1547.001] Boot or Logon Autostart Execution: Startup Folder – The dropper of the HTTP(S) downloader creates a LNK file OneNoteTray.LNK in the Startup folder. “The dropper of the HTTP(S) downloader creates a LNK file OneNoteTray.LNK in the Startup folder.”