APT PROFILE – LAZARUS GROUP

The Lazarus Group is a long-running, state-sponsored North Korean APT that conducts both espionage and large-scale financially motivated attacks, notably targeting cryptocurrency platforms, regional software, and supply chains. Recent campaigns include the Bybit $1.5B heist, Operation SyncHole watering-hole infections using ThreatNeedle, and the "Phantom Circuit" supply-chain code-injection attacks.

Keypoints

  • Lazarus is a North Korean state‑sponsored APT active since at least 2009 with both espionage and financial motivations.
  • The group uses a vast alias set (e.g., Hidden Cobra, APT38, Bluenoroff) and targets organizations worldwide across many industries.
  • Recent high‑profile operations include the Bybit exchange heist (~$1.5B), Operation SyncHole (watering‑hole / ThreatNeedle), and Phantom Circuit (supply‑chain code insertion).
  • Lazarus exploits regionally popular software and known CVEs such as CVE-2021-44228, CVE-2023-4966, and CVE-2023-22518 for initial access.
  • The actor maintains a large, evolving malware/toolset (examples: AppleJeus, MATA, RATANKBA, Destover, ThreatNeedle, JuicyPotato) and employs obfuscation and anti‑analysis techniques.
  • Tactics emphasize supply‑chain compromise, credential and account abuse, spearphishing, remote services for lateral movement, and cryptocurrency theft.
  • Impacts include large financial thefts, data exfiltration, and destructive actions such as disk wiping and service disruption.

MITRE Techniques

  • [T1591.004] Gather Victim Org Information: Identify Roles – Used during reconnaissance to map target organizations for tailored attacks.
  • [T1593.001] Search Open Websites/Domains: Social Media – Actors gather information from social media to profile victims.
  • [T1589.002] Gather Victim Identity Information: Email Addresses – Email addresses collected for phishing and credential targeting.
  • [T1584.004] Compromise Infrastructure: Server – Compromise of servers to host tools and malware.
  • [T1588.002] Obtain Capabilities: Tool – Acquisition and reuse/development of tools like ThreatNeedle and AppleJeus.
  • [T1584.001] Compromise Infrastructure: Domains – Use of compromised domains for hosting and C2.
  • [T1588.003] Obtain Capabilities: Code Signing Certificates – Use or theft of certificates to sign payloads and evade detection.
  • [T1588.004] Obtain Capabilities: Digital Certificates – Similar use of digital certificates for trust abuse.
  • [T1585.002] Establish Accounts: Email Accounts – Creation of email accounts for phishing and infrastructure control.
  • [T1583.006] Acquire Infrastructure: Web Services – Leveraging web services for staging and C2.
  • [T1608.001] Stage Capabilities: Upload Malware – Uploading malware to compromised infrastructure for distribution.
  • [T1583.004] Acquire Infrastructure: Server – Acquiring servers to host malicious resources.
  • [T1608.002] Stage Capabilities: Upload Tool – Staging tools on infrastructure prior to use.
  • [T1587.001] Develop Capabilities: Malware – Continuous development of new malware families (e.g., ThreatNeedle, Vyveva).
  • [T1583.001] Acquire Infrastructure: Domains – Registering/acquiring domains for operational use.
  • [T1585.001] Establish Accounts: Social Media Accounts – Creating social media accounts to support reconnaissance and lures.
  • [T1566.003] Phishing: Spearphishing via Service – Spearphishing via trusted services used for initial access.
  • [T1189] Drive-by Compromise – Watering-hole attacks (Operation SyncHole) to infect visitors.
  • [T1078] Valid Accounts – Use of valid credentials for access and persistence.
  • [T1566.001] Phishing: Spearphishing Attachment – Spearphishing attachments used to deliver malware.
  • [T1566.002] Phishing: Spearphishing Link – Malicious links in phishing messages used to trick users.
  • [T1203] Exploitation for Client Execution – Exploiting vulnerabilities like CVE-2021-44228 to execute code.
  • [T1047] Windows Management Instrumentation – Use of WMI for execution and management.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Command shell used for execution.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Scheduled tasks for persistence and execution.
  • [T1204.001] User Execution: Malicious Link – User-clicked links initiating malicious activity.
  • [T1204.002] User Execution: Malicious File – Malicious files delivered to users for execution.
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Use of VBScript for execution.
  • [T1106] Native API – Use of native APIs for functionality and evasion.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell used for execution and tooling.
  • [T1542.003] Pre-OS Boot: Bootkit – Use of bootkits for pre-OS persistence.
  • [T1543.003] Create or Modify System Process: Windows Service – Creation/modification of services for persistence.
  • [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification – Shortcut modifications for autostart persistence.
  • [T1098] Account Manipulation – Manipulating accounts to maintain access.
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – DLL side-loading to hijack execution.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry run keys used for startup persistence.
  • [T1574.013] Hijack Execution Flow: KernelCallbackTable – Kernel callback table hijacking for persistence/evasion.
  • [T1134.002] Access Token Manipulation: Create Process with Token – Token manipulation for privilege escalation or lateral movement.
  • [T1055.001] Process Injection: Dynamic-link Library Injection – DLL injection for stealthy code execution.
  • [T1036] Masquerading – Renaming/misleading resources to appear legitimate.
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Anti-sandbox/system checks to evade analysis.
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Hiding files and directories to avoid detection.
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Dynamic API resolution to obscure behavior.
  • [T1218] System Binary Proxy Execution – Using signed system binaries (e.g., mshta, rundll32, regsvr32) to execute payloads.
  • [T1218.005] System Binary Proxy Execution: Mshta – Mshta used as an execution proxy.
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Rundll32 used to load malicious DLLs.
  • [T1218.010] System Binary Proxy Execution: Regsvr32 – Regsvr32 leveraged to run scripts/COM objects.
  • [T1070] Indicator Removal – Deleting artifacts and command history to evade detection.
  • [T1620] Reflective Code Loading – Reflective loading to execute code in memory.
  • [T1027] Obfuscated Files or Information – Use of obfuscation and packing to hinder analysis.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling security tools to avoid detection.
  • [T1220] XSL Script Processing – Use of XSL processing as an execution technique.
  • [T1221] Template Injection – Template injection techniques for code execution or obfuscation.
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – Modifying firewall settings to facilitate operations.
  • [T1036.005] Masquerading: Match Legitimate Resource Name or Location – Mimicking legitimate names/locations for deception.
  • [T1027.002] Obfuscated Files or Information: Software Packing – Packing binaries to hide malicious content.
  • [T1553.002] Subvert Trust Controls: Code Signing – Abusing code signing to appear legitimate.
  • [T1036.003] Masquerading: Rename Legitimate Utilities – Renaming utilities to blend in.
  • [T1036.004] Masquerading: Masquerade Task or Service – Masquerading scheduled tasks or services.
  • [T1140] Deobfuscate/Decode Files or Information – Deobfuscation during execution to reveal payloads.
  • [T1070.004] Indicator Removal: File Deletion – Deleting files to remove evidence.
  • [T1070.003] Indicator Removal: Clear Command History – Clearing command history to hinder investigation.
  • [T1070.006] Indicator Removal: Timestomp – Timestomping files to alter timestamps.
  • [T1110.003] Brute Force: Password Spraying – Password spraying used to gain access.
  • [T1110] Brute Force – General brute-force techniques for credential compromise.
  • [T1557.001] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay – LLMNR/NBT-NS poisoning for credential capture and relay.
  • [T1056.001] Input Capture: Keylogging – Keylogging to capture credentials and data.
  • [T1049] System Network Connections Discovery – Discovery of network connections for lateral movement.
  • [T1016] System Network Configuration Discovery – Mapping network configuration details.
  • [T1057] Process Discovery – Enumerating processes to identify targets or defenders.
  • [T1046] Network Service Discovery – Discovering network services to identify exploitable resources.
  • [T1124] System Time Discovery – Time discovery to adapt behavior to locale/time checks.
  • [T1033] System Owner/User Discovery – Identifying system owners/users for targeting.
  • [T1012] Query Registry – Querying the registry for configuration and persistence artifacts.
  • [T1010] Application Window Discovery – Enumerating application windows for targeted actions.
  • [T1614.001] System Location Discovery: System Language Discovery – Checking system language to tailor payloads and avoid detection.
  • [T1087.002] Account Discovery: Domain Account – Discovering domain accounts for lateral movement and privilege escalation.
  • [T1082] System Information Discovery – Collecting system details for profiling.
  • [T1083] File and Directory Discovery – Searching files and directories for sensitive data.
  • [T1021.004] Remote Services: SSH – Using SSH for lateral movement between systems.
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – SMB used for lateral file movement and remote execution.
  • [T1021.001] Remote Services: Remote Desktop Protocol – RDP leveraged for interactive access.
  • [T1534] Internal Spearphishing – Internal spearphishing to move laterally and escalate access.
  • [T1005] Data from Local System – Collecting local files and data for exfiltration.
  • [T1074.001] Data Staged: Local Data Staging – Staging data locally prior to exfiltration.
  • [T1560] Archive Collected Data – Archiving collected data for transfer.
  • [T1560.002] Archive Collected Data: Archive via Library – Using libraries to compress/archive data.
  • [T1560.003] Archive Collected Data: Archive via Custom Method – Custom archiving methods used.
  • [T1573.002] Encrypted Channel: Asymmetric Cryptography – Encrypted C2 channels using asymmetric cryptography.
  • [T1001.003] Data Obfuscation: Protocol or Service Impersonation – Impersonating protocols/services to obfuscate C2 traffic.
  • [T1104] Multi-Stage Channels – Multi-stage channels for modular C2 and payload delivery.
  • [T1071.001] Application Layer Protocol: Web Protocols – Web protocols used for C2 and exfiltration.
  • [T1102.002] Web Service: Bidirectional Communication – Using web services for bidirectional C2 communication.
  • [T1571] Non-Standard Port – Use of non-standard ports to evade detection or filtering.
  • [T1132.001] Data Encoding: Standard Encoding – Encoding data for transport or obfuscation.
  • [T1090.002] Proxy: External Proxy – Use of external proxies to relay traffic.
  • [T1090.001] Proxy: Internal Proxy – Internal proxying to obscure origins.
  • [T1008] Fallback Channels – Use of fallback channels when primary C2 is disrupted.
  • [T1105] Ingress Tool Transfer – Transferring tools and payloads into target environments.
  • [T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – Using alternative non-C2 protocols for exfiltration.
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Exfiltrating data to cloud storage services.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrating via established C2 channels.
  • [T1561.002] Disk Wipe: Disk Structure Wipe – Disk structure wiping as destructive impact.
  • [T1489] Service Stop – Stopping services to disrupt operations as part of impact.
  • [T1561.001] Disk Wipe: Disk Content Wipe – Wiping disk contents to destroy data.
  • [T1485] Data Destruction – Data destruction operations used to harm victims.
  • [T1529] System Shutdown/Reboot – Forcing shutdowns/reboots as an impact technique.
  • [T1491.001] Defacement: Internal Defacement – Internal defacement used to signal or disrupt post-compromise.

Indicators of Compromise

  • [Malware/Tool Names] Tools and malware observed – ThreatNeedle, AppleJeus, RATANKBA, Destover, JuicyPotato, and many others (full list in article).
  • [Vulnerabilities] Recently exploited CVEs – CVE-2021-44228, CVE-2023-4966, CVE-2023-22518.
  • [Campaign/Operation Names] Notable campaigns – Bybit heist (associated with Lazarus), Operation SyncHole, Phantom Circuit.
  • [Aliases] Actor identifiers used in reports – Lazarus, Hidden Cobra, APT38, Bluenoroff, and multiple other aliases.
  • [Targeted Sectors/Countries] Targets and geographies – Cryptocurrency exchanges (Bybit), South Korean software users, and countries including South Korea, United States, Japan, India, Brazil (and many more).

Read more: https://www.cyfirma.com/research/apt-profile-lazarus-group/