North Korean Threat Groups: A Comprehensive Assessment

North Korean threat groups under the Reconnaissance General Bureau (RGB) wield a diverse malware arsenal for espionage, financial crime, and destructive actions across Windows, macOS, and Linux, with Lazarus commonly used as an umbrella label for these actors. The post also discusses how Palo Alto Networks Cortex XDR mitigates these threats and reviews 10 malware families linked to RGB operations.

Key Points

  • Lazarus is an umbrella term for North Korean threat actors under the RGB.
  • At least six distinct RGB groups have been identified, each with its own malware.
  • RGB groups conduct espionage, asset recruitment, destructive attacks, and financial crime across multiple industries and regions.
  • The article reviews 10 malware families observed in recent RGB-linked campaigns across Windows, macOS, and Linux.
  • Palo Alto Networks Cortex XDR provides multi-layer defense against these threats, supported by WildFire, URL Filtering, DNS Security, and CSA integrations.
  • North Korean threat activity dates back to at least 2007 and has evolved with overlapping tactics, techniques, and tools.
  • Organizations are urged to adopt comprehensive, multi-layer security strategies to mitigate these state-sponsored threats.

MITRE Techniques

  • [T1071.001] Web Protocols – CollectionRAT uses HTTP to contact its C2; “Communicates with its C2 server over HTTP.” It also fingerprints the environment and exfiltrates data.
  • [T1071.001] Web Protocols – Comebacker uses HTTP POST for C2; “Communicates with its command and control (C2) server via HTTP POST requests.” It also exchanges keys and reports local time.
  • [T1203] Exploitation for Client Execution – OdicLoader masquerades as a PDF to deceive users; “Masquerades as a PDF file to deceive users.” It “downloads and executes the next stage payload upon execution.”
  • [T1071.001] Web Protocols – POOLRAT was first reported as part of an AppleJeus attack; “First reported as part of an AppleJeus attack.” It targets macOS and Linux environments.
  • [T1071.001] Web Protocols – PondRAT is a Remote Administration Tool (RAT) with macOS/Linux variants; “Remote Administration Tool (RAT) with variants for macOS and Linux.”
  • [T1620] Reflective Loading – KANDYKORN loads into memory via reflective loading; “loads it into memory by using reflective loading.”
  • [T1036] Masquerading – HLOADER masquerades as Discord by replacing the legitimate app and renaming itself; “masquerade as … Discord by replacing the legitimate application and renaming itself Discord.”
  • [T1543.003] Create or Modify System Process: Launch Agent – SUGARLOADER uses a LaunchAgent for persistence; “persistence via a LaunchAgent.”
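Two of the macOS techniques above (SUGARLOADER's LaunchAgent persistence, HLOADER's Discord masquerade) can be audited with the same check: inspect each LaunchAgent plist and flag agents that execute from a user-writable path or that borrow a well-known app's name without running from its bundle. The script below is an added defender-side example, not code from the Unit 42 post; the sample plists, labels, paths and the trusted-prefix list are constructed assumptions.

```python
"""Audit macOS LaunchAgent plists for the persistence pattern (T1543.003) and
the app-name masquerade (T1036) described above.

Added example, not code from the Unit 42 post. Sample plists are constructed
inline; the paths, labels and the trusted-prefix list are assumptions."""
import plistlib

# Directories from which a legitimately installed agent is expected to run
# (assumption: adjust for your fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/", "/Applications/")

# Names of apps an agent might impersonate; a real agent for such an app
# should execute from its bundle under /Applications.
WATCHED_APPS = {"discord": "/Applications/Discord.app/"}


def program_path(plist: dict) -> str:
    """LaunchAgents name their executable via Program or ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_agent(raw: bytes) -> list:
    """Return a list of findings for one LaunchAgent plist (empty = nothing odd)."""
    plist = plistlib.loads(raw)
    findings = []
    path = program_path(plist)
    label = str(plist.get("Label", "")).lower()
    if not path:
        return ["no executable specified"]
    if not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"runs from untrusted location: {path}")
    for app, bundle in WATCHED_APPS.items():
        if (app in label or app in path.lower()) and not path.startswith(bundle):
            findings.append(f"label/path mimics {app} but executes {path}")
    return findings


# Constructed samples: one benign vendor agent, one matching the pattern above.
BENIGN = plistlib.dumps({"Label": "com.vendor.updater", "RunAtLoad": True,
                         "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"]})
SUSPECT = plistlib.dumps({"Label": "com.discord.helper", "RunAtLoad": True,
                          "ProgramArguments": ["/Users/demo/Library/Caches/Discord", "--silent"]})

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_agent(raw) or "clean")
```

In production, feed it the contents of ~/Library/LaunchAgents and /Library/LaunchAgents for every user rather than the constructed samples.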

Indicators of Compromise

Read more: https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/