## Lazarus Group's Large-scale Threats via Watering Hole and Financial Software

##### Long-standing work norms derived from historical practices

###### 2024. 1. 25. THU

##### Dongwook Kim, Seulgi Lee, KrCERT/CC

-----

##### Dongwook Kim (kimdw777@kisa.or.kr)
###### Incident Analyst, KrCERT/CC

##### Seulgi Lee (sglee@kisa.or.kr)
###### Malware Analyst, KrCERT/CC

-----

###### Keywords: Hacktivist, Supply Chain Attack, Financial Security Software

-----

### Attack surface: financial security software as a startup program (24/7)

(Slide diagram; only the labels survived extraction.)

- User (TARGET): the financial security S/W is registered as a startup program and runs 24/7
- Targeted attack: Watering Hole, IP Filtering
- Exploit Server: Response Time, Compatibility

-----

##### Attack overview

- Initial Access: zero-day exploit code; fully targeted attack
- Command and Control: web-based command and control systems
- Execution: malware executed via a service (registered in the netsvcs svchost group)
- Persistence: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages → C:\Windows\System32\ (each package name listed in this value is loaded as a DLL from System32 by LSA at boot)

-----

##### Attack flow 1: watering hole with a fake license server

1. The victim accesses a community website.
2. Exploit Server: target IP filtering and redirect.
3. Fake License Server: the victim installs a fake license.
4. Malware Distribution Server: malware download and execute.

-----

##### Attack flow 2: spear phishing

1. A spear-phishing e-mail is sent to the victim.
2. The victim clicks the link.
3. Exploit Server: target IP filtering and redirect.
4. Malware Distribution Server: malware download and execute.

-----

##### Attack flow 3: internet article

1. The victim views an internet article.
2. Exploit Server: target IP filtering.
3. The S/W module is activated on the victim.
4. Malware Distribution Server: malware download and execute.

-----

(Slide diagrams: Document → DMS Server; Server. Only the labels survived extraction.)

-----

##### File paths listed on the slide (C:\Windows\System32\)

###### C:\Windows\System32\asap.dll
###### C:\Windows\System32\thproc.sys
###### C:\Windows\System32\gmrproc.sys
###### C:\Windows\System32\gmasvc.dll
###### C:\Windows\System32\cgproc.sys
###### C:\Windows\System32\WndmPmSps.dll
###### C:\Windows\System32\nrproc.sys
###### C:\Windows\System32\srcsvc.dat

-----

# Q&A
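The Execution and Persistence bullets in the attack overview name two host-side mechanisms that can be checked directly: the `Security Packages` value under the Lsa key (plus its `OSConfig` copy), whose entries LSA loads as `<name>.dll` from System32, and the `netsvcs` svchost group, whose services each point at a `ServiceDll`. The script below is an added hunting example written for this page; it is not part of the KrCERT/CC presentation. The allow-list of default SSP names is an assumption for a stock client build and should be replaced with a baseline taken from a known-clean host; the file names it looks for are the ones listed on the slide, nothing more. Run it elevated so the service and Lsa keys are readable.

```powershell
# Added example, not from the KrCERT/CC deck. Assumption: run as Administrator on the host.
$ErrorActionPreference = 'SilentlyContinue'
$sys32 = Join-Path $env:SystemRoot 'System32'

# File names taken verbatim from the slide (all under C:\Windows\System32\)
$iocFiles = 'asap.dll','thproc.sys','gmrproc.sys','gmasvc.dll',
            'cgproc.sys','WndmPmSps.dll','nrproc.sys','srcsvc.dat'

# Assumed baseline of SSP/AP names on a stock install; tune from a clean reference host
$knownSsp = 'kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','cloudap'

function Test-TrustedDll([string]$Path) {
    # Anything lsass.exe or svchost.exe loads should carry a valid Authenticode signature
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return ((Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid')
}

# 1. Presence of the file names listed on the slide
foreach ($f in $iocFiles) {
    $p = Join-Path $sys32 $f
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
        Write-Output "[IOC] $p present SHA256=$h"
    }
}

# 2. LSA 'Security Packages' persistence: every extra entry is loaded as <name>.dll from System32 at boot
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
                 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig') {
    $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages').'Security Packages'
    foreach ($pkg in @($pkgs)) {
        $name = "$pkg".Trim().Trim('"')          # the default value is often just ""
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        if ($knownSsp -notcontains $name) {
            $dll = Join-Path $sys32 ($name + '.dll')
            Write-Output "[LSA] $key -> '$name' not in baseline; $dll signed=$(Test-TrustedDll $dll)"
        }
    }
}

# 3. Services in the netsvcs svchost group: check where each ServiceDll really points
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs
foreach ($svc in @($netsvcs)) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    # ServiceDll normally lives under Parameters, occasionally directly under the service key
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name 'ServiceDll').ServiceDll
    if (-not $dll) { $dll = (Get-ItemProperty -Path $svcKey -Name 'ServiceDll').ServiceDll }
    if (-not $dll) { continue }
    $dll   = [Environment]::ExpandEnvironmentVariables($dll)
    $isIoc = $iocFiles -contains (Split-Path -Leaf $dll)
    $ok    = Test-TrustedDll $dll
    if ($isIoc -or -not $ok) {
        Write-Output "[SVC] $svc ServiceDll=$dll ioc=$isIoc signed=$ok"
    }
}
```

A hit in section 2 or 3 is not proof of compromise on its own (third-party SSPs and unsigned vendor service DLLs exist), but a package name outside the baseline, or a netsvcs ServiceDll that is unsigned and matches a name from the slide, is exactly the combination the Execution and Persistence bullets describe and should be triaged with the DLL's hash.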