Anti-Forensic Techniques Used By Lazarus Group – ASEC BLOG

The article details anti-forensic techniques used by the Lazarus group, focusing on data hiding, artifact wiping, and trail obfuscation to conceal malicious activity and hinder analysis. It outlines how these techniques are implemented, provides examples, and lists related detections and IOCs. #LazarusGroup #LazarusLoader #Lazardoor #LazarShell #APT28 #APT29 #APT32 #Chimera #Kimsuky #Rocke #TEMP.Veles #AhnLabASEC #DapowSyncProvider

Keypoints

  • AhnLab ASEC has tracked the Lazarus group’s anti-forensic activity in attacks on Korean defense, satellite, software, and media organizations.
  • Anti-forensic techniques are commonly grouped into five categories; Lazarus has been observed using three of them: data hiding, artifact wiping, and trail obfuscation.
  • Data hiding: the malware is split into a loader, an encrypted PE file that handles the C2 communication, and an encrypted configuration file holding the C2 information, so that neither the C2 module nor its configuration sits on disk in a form security products can inspect.
  • Malware is also placed in system folders and made to look like normal files (e.g., under C:\ProgramData and C:\Windows\System32) so it blends in with legitimate system content.
  • Artifact wiping: the malware and the artifacts produced during its execution are deleted permanently; the malware’s data is overwritten and its filename changed before deletion, and prefetch files are removed to erase execution traces.
  • Trail obfuscation: timestamp manipulation (timestomping) is used to defeat timeline analysis and hide the backdoor; the forged timestamps may be copied from legitimate system files.
  • Timestomping (MITRE ATT&CK T1070.006) is not unique to Lazarus; it has also been observed in other groups including APT28, APT29, APT32, Chimera, Kimsuky, Rocke, and TEMP.Veles.
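The masquerading described above (a real system binary name dropped in the wrong directory, or a file or folder name one character away from a legitimate one) can be triaged from a plain file inventory. The script below is an added example written for this summary, not code from the ASEC article: the known-binary table, the folder-name list, and the sample paths are all constructed assumptions, and the one-edit distance threshold is a heuristic a practitioner would tune against their own environment.

```python
from pathlib import PureWindowsPath

# Constructed reference data (assumption for this example, not from the ASEC article):
# a few Windows binaries and the single directory each is expected to live in.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "wmiprvse.exe": r"C:\Windows\System32\wbem",
    "explorer.exe": r"C:\Windows",
}

# Directory names an attacker might imitate when "creating a similar folder".
KNOWN_DIR_NAMES = {"windows", "system32", "programdata", "microsoft", "wbem"}

# Constructed sample of a filesystem inventory (hypothetical paths).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",               # legitimate location
    r"C:\ProgramData\svchost.exe",                    # real name, wrong directory
    r"C:\Windows\System32\svch0st.exe",               # lookalike file name
    r"C:\ProgramData\Microsoft\Windows\lsass.exe",    # real name, wrong directory
    r"C:\ProgramData\Micros0ft\Windows\update.exe",   # lookalike directory name
    r"C:\Users\Public\report.docx",                   # unrelated, should not flag
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character substitutions such as o -> 0."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_path(path: str):
    """Return a reason string if the path looks like masquerading, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()

    # 1. Exact system binary name in a directory where that binary does not belong.
    if name in KNOWN_SYSTEM_BINARIES:
        expected = KNOWN_SYSTEM_BINARIES[name]
        if parent != expected.lower():
            return f"system binary name outside expected directory {expected}"
        return None

    # 2. File name within one edit of a system binary name (svch0st.exe, lsasss.exe, ...).
    for known in KNOWN_SYSTEM_BINARIES:
        if levenshtein(name, known) == 1:
            return f"lookalike file name of {known}"

    # 3. Directory component within one edit of a well-known folder name (Micros0ft).
    for part in p.parent.parts:
        if part == p.anchor:
            continue
        low = part.lower()
        if low in KNOWN_DIR_NAMES:
            continue
        for known in KNOWN_DIR_NAMES:
            if levenshtein(low, known) == 1:
                return f"lookalike directory name {part} (resembles {known})"
    return None


def find_masquerades(paths):
    """Return [(path, reason)] for every path that trips one of the checks above."""
    hits = []
    for path in paths:
        reason = classify_path(path)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in find_masquerades(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```

Run over a real inventory (for example the output of a recursive directory listing of C:\ProgramData and C:\Windows), the same three checks surface exactly the two patterns the article describes: a copy of a well-known name outside its home directory, and a name or folder that differs from a legitimate one by a single character.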

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The loader decrypts the encrypted PE file and loads it into memory. Quote: ‘The Lazarus group transmits the configuration file that has the C2 information and the PE file that communicates with the C2 in encrypted forms to evade detection by security products.’
  • [T1036] Masquerading – The malware is hidden by creating similar folders or by disguising it as a normal file inside system folders (e.g., C:\ProgramData…). Quote: ‘The malware is hidden by either creating a similar folder within the system or by disguising the malware as a similar file inside the default folder.’
  • [T1070.004] File Deletion – Artifact wiping includes deleting malware and overwriting data before deletion, plus deleting related artifacts like prefetch files. Quote: ‘The Lazarus group deleted the malware and the artifacts that occurred while the malicious behavior was being performed. In the malware’s case, its data was overwritten and its filename was changed before being deleted.’
  • [T1070.006] Timestomp – Timestamp changes are used to hide the backdoor and hinder timeline analysis. Quote: ‘the Lazarus group modifies the malware creation timestamp information to hide the backdoor.’
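Timestomping of the kind described under T1070.006 (and in the key points above) is usually visible in the MFT because user-mode tools can rewrite the $STANDARD_INFORMATION times but normally leave the kernel-maintained $FILE_NAME times alone. The following is an added example for this summary, not code from the ASEC article: it runs three common indicators over a constructed set of MFT-style records (hypothetical paths and timestamps) and, as the article notes Lazarus copying timestamps from legitimate system files, also checks for a non-system file whose creation time exactly matches a file under the Windows directory.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    """Subset of an NTFS MFT entry: both creation times plus $SI last-modified.

    $STANDARD_INFORMATION ($SI) times can be set from user mode (SetFileTime and the
    tools built on it); $FILE_NAME ($FN) times are maintained by the kernel and are
    what timestomping tools usually leave untouched. Python datetimes carry
    microseconds while FILETIME carries 100 ns units; the comparisons are the same.
    """
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime


SYSTEM_PREFIX = "c:\\windows\\"


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIX)


# Constructed sample records (assumed values, not data from the ASEC article).
SAMPLE_RECORDS = [
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              datetime(2019, 12, 7, 9, 14, 52, 123456),
              datetime(2019, 12, 7, 9, 14, 52, 123456),
              datetime(2019, 12, 7, 9, 14, 52, 123456)),
    # $SI creation copied from kernel32.dll; $FN still shows the real drop time.
    MftRecord(r"C:\ProgramData\svcupdate.dll",
              datetime(2019, 12, 7, 9, 14, 52, 123456),
              datetime(2019, 12, 7, 9, 14, 52, 123456),
              datetime(2021, 11, 29, 3, 21, 7, 442100)),
    # Backdated with a tool that only accepts whole seconds.
    MftRecord(r"C:\ProgramData\cache.dat",
              datetime(2021, 6, 1, 12, 0, 0, 0),
              datetime(2021, 6, 1, 12, 0, 0, 0),
              datetime(2021, 11, 29, 3, 21, 9, 101000)),
    # Ordinary user file: created once, edited later.
    MftRecord(r"C:\Users\Public\notes.txt",
              datetime(2021, 11, 28, 10, 5, 33, 250000),
              datetime(2021, 11, 30, 18, 40, 2, 875000),
              datetime(2021, 11, 28, 10, 5, 33, 250000)),
]


def build_system_ctimes(records):
    """Map $SI creation time -> path for files under the Windows directory."""
    return {r.si_created: r.path for r in records if is_system_path(r.path)}


def check_record(rec: MftRecord, system_ctimes) -> list:
    """Return the list of timestomping indicators that fire for one record."""
    reasons = []
    # 1. $SI claims the file existed before the kernel says it was created.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation earlier than $FN creation")
    # 2. Both $SI times sit exactly on a second boundary; native NTFS writes rarely do.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("whole-second $SI timestamps")
    # 3. Non-system file whose $SI creation equals a system file's to the last digit.
    source = system_ctimes.get(rec.si_created)
    if source is not None and not is_system_path(rec.path):
        reasons.append(f"$SI creation identical to {source}")
    return reasons


def find_timestomped(records) -> dict:
    """Return {path: [reasons]} for records with at least one indicator."""
    system_ctimes = build_system_ctimes(records)
    hits = {}
    for rec in records:
        reasons = check_record(rec, system_ctimes)
        if reasons:
            hits[rec.path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Each indicator is a triage lead rather than proof: a file moved within a volume or affected by NTFS tunneling can legitimately show $SI earlier than $FN, and files extracted from ZIP or FAT media carry coarse timestamps. The combination that fires here for the two dropped files, backdated $SI plus a creation time lifted from a system binary, is the pattern worth escalating.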

Indicators of Compromise

  • [File MD5] context – B3E03A41CED8C8BAA56B8B78F1D55C22, 1E7D604FADD7D481DFADB66B9313865D, and 2 more hashes
  • [Detection Name] context – Trojan/Win.LazarShell (2021.11.30), Trojan/BIN.Encoded (2021.12.15), and 20 more; these are AhnLab signature names with their detection dates rather than file names.

Read more: https://asec.ahnlab.com/en/48223/