The Lazarus cybercrime group uses traditional APT techniques to spread VHD ransomware
#1
https://www.kaspersky.com/blog/lazarus-v...are/36559/

Lazarus experiments with new ransomware

The Lazarus cybercrime group uses traditional APT techniques to spread VHD ransomware.

Nikolay Pankov
July 28, 2020

The Lazarus group has always stood out for using methods typical of APT attacks but specializing in financial cybercrime. Recently, our experts detected fresh, previously unexplored VHD malware, which Lazarus seems to be experimenting with.

Functionally, VHD is a fairly standard ransomware tool. It creeps through the drives connected to a victim’s computer, encrypts files, and deletes all System Volume Information folders (thereby sabotaging System Restore attempts in Windows). What’s more, it can suspend processes that could potentially protect important files from modification (such as Microsoft Exchange or SQL Server).

But what’s really interesting is how VHD gets onto target computers, because its delivery mechanisms have more in common with APT attacks. Our experts recently investigated a couple of VHD cases, analyzing the attackers’ actions in each.
Lateral movement through the victim’s network

In the first incident, our experts’ attention was drawn to the malicious code responsible for spreading VHD over the target network. It turned out that the ransomware had at its disposal lists of IP addresses of the victim’s computers, as well as credentials for accounts with admin rights. It used that data for brute-force attacks on the SMB service. If the malware managed to connect using the SMB protocol to the network folder of another computer, it copied and executed itself, encrypting that machine also.

Such behavior is not very typical of mass ransomware. It suggests at least a preliminary reconnaissance of the victim’s infrastructure, which is more characteristic of APT campaigns.
Chain of infection

The next time our Global Emergency Response Team encountered this ransomware during an investigation, the researchers were able to trace the entire infection chain. As they reported, the cybercriminals:

    Gained access to victims’ systems by exploiting a vulnerable VPN gateway;
    Obtained admin rights on the compromised machines;
    Installed a backdoor;
    Seized control of the Active Directory server;
    Infected all computers on the network with the VHD ransomware using a loader specially written for the task.

Further analysis of the tools employed showed the backdoor to be part of the multiplatform MATA framework (which some of our colleagues call Dacls). We’ve concluded that it’s another Lazarus tool.

You’ll find a detailed technical analysis of these tools, together with indicators of compromise, in the relevant article on our Securelist blog.
How to protect your company

The VHD ransomware actors are clearly a cut above average when it comes to infecting corporate computers with a cryptor. The malware is not generally available on hacker forums; rather, it’s specifically developed for targeted attacks. The techniques used to penetrate the victim’s infrastructure and propagate within the network recall sophisticated APT attacks.

This gradual blurring of the boundaries between financial cybercrime tools and APT attacks is proof that even smaller companies need to consider using more advanced security technologies. With that in mind, we recently unveiled an integrated solution with both Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) functionality. You can find out more about the solution on its dedicated page.
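The spreading behaviour described in the post above (a list of target IPs, harvested admin credentials, SMB connections tried host after host, then the payload copied over the share and executed) leaves a recognisable footprint in Windows Security logs: a burst of network logons (event 4624 with LogonType 3, with 4625 for the failed attempts) from a single source to many targets in a short window. The detection below is an added example written for this thread; it is not code from the Kaspersky article and does not model VHD itself. It runs over constructed sample events in the shape a SIEM export would carry, and every host name, account, address and threshold in it is invented.

```python
"""Flag SMB-style lateral-movement fan-out in Windows logon telemetry.

Added example for this thread, not code from the Kaspersky article. It looks
for one source address using one account to reach many distinct hosts over
network logons within a short window, which is the footprint left by a worm
that walks a list of IPs with harvested admin credentials.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field order mirrors what a
# SIEM export of Windows Security events 4624 (logon succeeded) and 4625
# (logon failed) typically carries: timestamp, event id, target host, account,
# logon type, source address. LogonType 3 is a network logon, which is what an
# SMB connection to another machine produces. Hosts, accounts and addresses
# are invented.
SAMPLE_EVENTS = [
    # Ordinary admin activity: one source, one target, a couple of logons.
    ("2020-07-20T01:58:10", 4624, "FILESRV01", "CORP\\jsmith", 3, "10.0.8.44"),
    ("2020-07-20T02:05:41", 4624, "FILESRV01", "CORP\\jsmith", 3, "10.0.8.44"),
    # Suspicious: one source works through a host list with an admin
    # account; a few attempts fail, most succeed, all inside half a minute.
    ("2020-07-20T02:14:03", 4625, "WS-0117", "CORP\\srvadmin", 3, "10.0.5.17"),
    ("2020-07-20T02:14:05", 4624, "WS-0117", "CORP\\srvadmin", 3, "10.0.5.17"),
    ("2020-07-20T02:14:09", 4624, "WS-0118", "CORP\\srvadmin", 3, "10.0.5.17"),
    ("2020-07-20T02:14:12", 4625, "WS-0119", "CORP\\srvadmin", 3, "10.0.5.17"),
    ("2020-07-20T02:14:13", 4625, "WS-0119", "CORP\\srvadmin", 3, "10.0.5.17"),
    ("2020-07-20T02:14:20", 4624, "WS-0120", "CORP\\srvadmin", 3, "10.0.5.17"),
    ("2020-07-20T02:14:27", 4624, "SQL01", "CORP\\srvadmin", 3, "10.0.5.17"),
    ("2020-07-20T02:14:33", 4624, "EXCH01", "CORP\\srvadmin", 3, "10.0.5.17"),
    # Interactive logon (LogonType 2) from the same source: not SMB, ignored.
    ("2020-07-20T02:15:00", 4624, "WS-0121", "CORP\\srvadmin", 2, "10.0.5.17"),
]


def find_smb_fanout(events, window_seconds=600, min_hosts=5):
    """Return one alert per (source, account) pair that reaches at least
    `min_hosts` distinct hosts via successful network logons inside a
    `window_seconds` sliding window.

    Failed logons in the same window are counted and reported so the analyst
    can tell credential guessing (many 4625s) from use of an already-known
    account (almost none), which is the distinction the post draws.
    """
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for ts, event_id, host, account, logon_type, source in events:
        if logon_type != 3 or event_id not in (4624, 4625):
            continue
        by_pair[(source, account)].append(
            (datetime.fromisoformat(ts), event_id, host))

    alerts = []
    for (source, account), records in by_pair.items():
        records.sort()
        best = None
        start = 0
        # Sliding window over the time-ordered records for this pair.
        for end in range(len(records)):
            while records[end][0] - records[start][0] > window:
                start += 1
            span = records[start:end + 1]
            hosts = {h for _, eid, h in span if eid == 4624}
            if len(hosts) < min_hosts:
                continue
            if best is None or len(hosts) > len(best["hosts"]):
                best = {
                    "source": source,
                    "account": account,
                    "hosts": sorted(hosts),
                    "failures": sum(1 for _, eid, _ in span if eid == 4625),
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_smb_fanout(SAMPLE_EVENTS):
        print(f"{alert['source']} as {alert['account']}: "
              f"{len(alert['hosts'])} hosts, {alert['failures']} failed logons, "
              f"{alert['first_seen']} .. {alert['last_seen']}")
        print("  hosts:", ", ".join(alert["hosts"]))
```

The thresholds are placeholders; in a real environment they need tuning against backup servers, vulnerability scanners and management hosts that legitimately fan out over SMB, and the result is a lead for an analyst rather than a verdict. Correlating each flagged (source, account) pair with share access to ADMIN$ or C$ (events 5140/5145) and with new service installation on the target (event 7045) tightens the signal considerably, since copy-and-execute over a share typically produces exactly that sequence.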


Messages In This Thread
The Lazarus cybercrime group uses traditional APT techniques to spread VHD ransomware - by mrtrout - 07-29-2020 , 06:58 AM
