Cyber attacks from the Lazarus Group, a threat actor associated with North Korea, have not slowed down, and their malware toolset continues to evolve. A few months ago, we published general research on the Lazarus Group and the Blockbuster campaign, covering code reuse and similarities throughout their malware, up to the latest news about their targeting of bitcoin and cryptocurrency exchanges. In recent attacks, the Lazarus Group has been spreading malicious documents with an embedded RAT that is executed through a VBA macro. These malicious documents contained job descriptions for various positions in various industries.
Through our research, we came across a new malicious document in which we found changes to, and a continuation of, their campaign targeting potential cryptocurrency exchanges, FinTech and financial companies, and others who might be involved with cryptocurrencies. The malicious document came embedded with an upgraded and revamped version of a RAT they have added to their arsenal.
The malicious document’s original file name is “Investment Proposal.doc”, and it attempts to impersonate an employee of Holley Nethercote, an Australia-based law firm for commercial and financial services. The document states that they have evaluated several cryptocurrencies and have put together an investment proposal aimed at FinTech, financial, and other companies that might be interested in taking an investment. As can be seen in the images of the document below, the document is of very low quality: there are inconsistencies and typos throughout a document supposedly from a law firm.
The first page contains a basic description of what the investment proposal involves. Take note of the name “Kate Harris,” a director from Holley Nethercote, by whom the document was supposedly written.
The second page is a general description of the company Holley Nethercote which is directly taken from the first page of a PDF on the company’s website.
The third page is a list of their employees and staff as can also be found on their website. Remember Kate Harris, the director, from before? Shockingly enough, she does not exist on this list.
The fourth page contains a chart of various cryptocurrencies and random values associated with them. The interesting point here is the date of the Bitcoin price it cites, February 9th, 2018, which helps us place on a timeline when this malicious document was originally created.
The fifth page states how they would like to invest $50M in the company that received this document and contains some typos like “out” instead of “our” and other grammatical errors.
The sixth page is a very poorly written document supposedly signed by the CEO of Holley Nethercote involving the investment proposition. It also contains various typos and grammatical errors with the general flow not making sense.
The seventh and last page contains some fake contact information, including a UK phone number that belongs to an online service that lets you receive SMS messages through its website.
Upon launching the document, an obfuscated VBA macro is executed to drop and execute an embedded remote access tool.
(embedded VBA macro)
The embedded RAT is dropped to and executed from %USERPROFILE%\RuntimeBroker.exe. Besides the date in the content of the document, more evidence that this malware was out in February is the compilation timestamp of February 14, 2018, and the upload date of March 2, 2018.
After uploading the RAT to Intezer Analyze™, we found that 4% of the code had been used in previous malware attributed to the Lazarus group, while 85% of the code base is completely unique. This tells us that they have made changes to their code.
The first code that executes within the RAT decrypts a locally created, XOR-encrypted buffer of module and import names, which it then resolves via GetProcAddress. Resolving the binary’s own imports in this manner is very common in previous Lazarus-attributed malware.
Next, the RAT creates a shortcut to itself at %USERPROFILE%\Start Menu\Programs\Startup\RuntimeBroker.lnk in order to maintain persistence, and sets its own file attributes to HIDDEN | SYSTEM | NORMAL using SetFileAttributesW. Inside the function that sets up the persistence, we find a call to a function responsible for decrypting a buffer containing multiple wide strings used throughout the binary.
As can be seen in the function, it uses a very basic decryption routine to decrypt the locally stored buffer. The decrypted buffer is as follows:
The parameter to the function responsible for decrypting this buffer is an index used to grab a string from the decrypted buffer; it is multiplied by two to obtain the byte offset, since these are wide strings.
Strangely enough, many of these strings are not used anywhere in the binary. From the strings, you can see an intention to include a simple anti-VM technique to detect VirtualBox. There is also one more function in the binary responsible for the same functionality, with a different buffer containing different strings.
Following all of this, the RAT creates a backdoor which waits to receive commands from the various C&C servers.
The C&C handler used to follow a pattern of command IDs, but it appears to have changed to random command values and contains commands with new functionality. The handler is able to handle 22 different commands, and a description of each can be found in the chart below.
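The two string-handling details described above (a single-byte-XOR-encrypted table of module and import names, and a decrypted wide-string table that the decrypt routine indexes by offset times two) lend themselves to a small analyst helper. The example below is added here and is not code from the post or from the sample: the key 0x5A, the API names, the VirtualBox-style strings and the table layout are all constructed for illustration, and the scoring heuristic is an assumption about what a recovered name table looks like.

```python
# Added example (not the sample's code): recover a single-byte-XOR name table and
# index a UTF-16LE string table the way the post describes. All values are constructed.

# --- Part 1: XOR-encrypted module/import name table ---
IMPORT_TABLE_PLAINTEXT = (
    b"kernel32.dll\x00GetProcAddress\x00LoadLibraryW\x00"
    b"SetFileAttributesW\x00CreateProcessW\x00"
)
DEMO_KEY = 0x5A  # assumption: one key byte, chosen for this example only
IMPORT_TABLE_ENCRYPTED = bytes(b ^ DEMO_KEY for b in IMPORT_TABLE_PLAINTEXT)


def xor_bytes(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def score_as_name_table(buf: bytes) -> int:
    """Higher when buf looks like null-separated ASCII names with API-style markers."""
    printable = sum(1 for b in buf if b == 0 or 0x20 <= b < 0x7F)
    markers = (b".dll", b"Get", b"Create", b"Set", b"Load")
    return printable + 10 * sum(1 for m in markers if m in buf)


def recover_single_byte_xor_key(buf: bytes) -> int:
    """Try all 256 keys and keep the one whose candidate plaintext scores best."""
    return max(range(256), key=lambda k: score_as_name_table(xor_bytes(buf, k)))


def split_names(buf: bytes) -> list:
    return [n.decode("ascii") for n in buf.split(b"\x00") if n]


def recover_import_names(encrypted: bytes) -> list:
    """Recover the key, decrypt, and split the table into module/import names."""
    return split_names(xor_bytes(encrypted, recover_single_byte_xor_key(encrypted)))


# --- Part 2: decrypted wide-string table addressed by index * 2 ---
# Constructed UTF-16LE table; the post's own decrypted buffer is not reproduced here.
WIDE_TABLE = "VBoxService.exe\0VBoxTray.exe\0RuntimeBroker.lnk\0".encode("utf-16-le")


def wide_string_at(table: bytes, index: int) -> str:
    """Read the wide string whose first character sits at byte offset index * 2."""
    units = []
    for pos in range(index * 2, len(table) - 1, 2):
        unit = table[pos:pos + 2]
        if unit == b"\x00\x00":       # wide NUL terminator
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def enumerate_wide_strings(table: bytes) -> list:
    """Return (index, string) pairs: the values the decrypt routine's parameter can take."""
    out, index = [], 0
    while index * 2 < len(table):
        s = wide_string_at(table, index)
        if s:
            out.append((index, s))
        index += len(s) + 1            # skip the string and its terminator
    return out
```

Running `recover_import_names(IMPORT_TABLE_ENCRYPTED)` recovers the key and the five names; `enumerate_wide_strings(WIDE_TABLE)` lists each string with the index an analyst would expect to see passed to the decryption function in the disassembly.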
| Command ID | Description |
| --- | --- |
| 0xF4004A | Execute cmd.exe and write the output to a temp file (`cmd.exe /c "<cmd> > <temp file>" 2>&1`), or retrieve the current directory via GetCurrentDirectoryW |
| 0x460017 | Collect information about the hard drive, such as free space and volume information |
| 0x7C00E6 | Collect information about the computer, such as the computer name, username, host name, and more |
| 0x6400E5 | Create a new process via CreateProcessW |
| 0xBE007B | Collect data about running processes by traversing the process list via the CreateToolhelp32Snapshot family of APIs |
| 0x8500AF | Terminate a process by name |
| 0xC004B | Get data about specific file(s), such as filenames, times, and attributes |
| 0xD7007C | Collect a file and send it to the C&C |
| 0x3300E2 | Zip file(s) to temp and send the archive to the C&C |
| 0x9D00B0 | Write a file received from the server |
| 0x200DF | Write a 5 MB file with random bytes |
| 0x6C00AE | Overwrite the entire contents of file(s) with 0xCC, then delete the file |
| 0xFD0013 | Recursively traverse a directory, collecting file information |
| 0x3C00AB | Check whether a socket to a given address can be written to |
| 0x4B00E3 | Set file(s) time via SetFileTime |
| 0x5400AC | Update the socket configuration |
| 0x1B00E1 | Rename a file and set its attributes |
| 0x750077 | Elevate process privileges |
| 0xCC0010 | Inject code received from the server into a process |
| 0x150014 | Pong response to ping |
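Several behaviours described in this post are visible in ordinary process-creation telemetry: a `RuntimeBroker.exe` running from the user profile instead of System32, an Office host launching an executable from the user profile (the macro drop-and-run), and `cmd.exe /c "<cmd> > <temp file>" 2>&1` spawned by that binary. The triage script below is an added detection example and is not code from the post or the sample. The event lines are constructed `key=value|key=value` records in the spirit of Sysmon process-creation events; the user name `alice`, the temp path and the `ver` command are placeholders, and the rule names are this example's own.

```python
import ntpath
import re

# Constructed process-creation events (not real telemetry): Image, ParentImage, CommandLine.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\RuntimeBroker.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=RuntimeBroker.exe -Embedding",
    r"Image=C:\Users\alice\RuntimeBroker.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=C:\Users\alice\RuntimeBroker.exe",
    r'Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\alice\RuntimeBroker.exe|CommandLine=cmd.exe /c "ver > C:\Users\alice\AppData\Local\Temp\out.txt" 2>&1',
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir",
]

# The genuine RuntimeBroker.exe lives in System32; the sample drops its copy under %USERPROFILE%.
GENUINE_RUNTIMEBROKER_DIR = r"c:\windows\system32"
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# cmd.exe /c "<cmd> > <temp file>" 2>&1 : the shape of the 0xF4004A command.
CMD_CAPTURE_RE = re.compile(r'/c\s+"[^"]*>\s*[^"]*\\temp\\[^"]*"\s*2>&1', re.IGNORECASE)


def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split("|"))


def findings_for(event: dict) -> list:
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    found = []
    # 1. A RuntimeBroker.exe outside System32, whether it is the process or its parent.
    for role, path in (("Image", image), ("ParentImage", parent)):
        if (ntpath.basename(path).lower() == "runtimebroker.exe"
                and ntpath.dirname(path).lower() != GENUINE_RUNTIMEBROKER_DIR):
            found.append(f"runtimebroker-outside-system32:{role}")
    # 2. cmd.exe capturing a command's output (and stderr) into a temp file.
    if ntpath.basename(image).lower() == "cmd.exe" and CMD_CAPTURE_RE.search(cmdline):
        found.append("cmd-output-captured-to-temp")
    # 3. An Office host launching an executable from the user profile.
    if ntpath.basename(parent).lower() in OFFICE_HOSTS and image.lower().startswith("c:\\users\\"):
        found.append("office-spawned-user-profile-exe")
    return found


def triage(lines: list) -> list:
    """Return (event_index, finding) pairs for every suspicious event."""
    return [(i, f) for i, line in enumerate(lines) for f in findings_for(parse_event(line))]


if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Rule 1 carries the weight here: the legitimate RuntimeBroker.exe is a System32 binary, so any copy elsewhere, as image or as parent, is worth a look on its own, and the cmd.exe capture pattern then confirms the C&C command described in the table.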
The binary uses wolfSSL to encrypt the network traffic and contains two different certificates and one private key. The certificates are stored in a local buffer of a function located within the binary.
```
-----BEGIN CERTIFICATE-----
MIIDYjCCAkqgAwIBAgIIAT8TuSzaBG4wDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE
BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh
bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi
GA8yMDE3MDkyNDA3MDMzOFoYDzIwMTkwMjA3MDcwMzM4WjBmMQswCQYDVQQGEwJV
UzEZMBcGA1UECgwQR2xvYmFsU2lnbiBudi1zYTE8MDoGA1UEAwwzR2xvYmFsU2ln
biBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBDQSAtIFNIQTI1NiAtIEcyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ryTXUQ8bY1
n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQu2lSEAMv
qPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkcrMft8nyV
sJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfaQG/YIdxz
G0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+jJtK3b7Fa
F9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02eQIDAQAB
oxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA261N1CtZuZ4Mf
5Q+KghudGcp+sG2X1UzQ8eZqYK+6xmIClKWSQ3EhWB19zor2dOOb2fRJ4iw72Lhy
cH57R84whQSqqY9tqjwwulavMAzdBlz3RqsnAqdL5C6jeEfJmxmymH4Jz6kqJbCh
H1LVp6ToJ+lYA0QoCxkMqe6jCWE5K8QefM/kx8WhROJTdHHUKjFXFmon/fIJUAxo
SesxW3+YPeY7zzBUIjh0lYMhiyvXMDIMLo9zewR2nfi3aAa+APwAulTjm46dbH4K
cn7jc8IOt954R5jakc0AhtSZUHlPqKKHZy19iDfpcoFA7L/WuiNkfYPvN6eaxAvA
b3dxfi8N
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDgTCCAmmgAwIBAgIIAUyTG93zLTEwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE
BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh
bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi
GA8yMDE3MDkyNDA3MDUyMVoYDzIwMTkwMjA3MDcwNTIxWjCBljELMAkGA1UEBhMC
VVMxEDAOBgNVBAgMB05ld1lvcmsxEzARBgNVBAcMClJpdmVyIFZpZXcxIzAhBgNV
BAoMGldpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMuMRgwFgYDVQQDDA8qLndpa2lw
ZWRpYS5vcmcxITAfBgkqhkiG9w0BCQEWEmluZm9Ad2lraXBlZGlhLm9yZzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2q
KlIHR9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEe
e5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0Ybf
N1EbDKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaD
uh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbb
bfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEA
ATANBgkqhkiG9w0BAQsFAAOCAQEAGjef4dfuIkF7MdfLs4x5KqzM4/5+h1lS+SWS
ojTaAuH2++1pGgVV4vfGB9QVxoTDkcp5wWjw184x+P19Fjio+ucUUOmFmD7BERXX
V4NZMv/TwucAbRIb6/FRv13Koigi05tIhXesownpbMZq7p6I9P9GAd/Uu7XCMTPO
UHpuTtNoI+tjwwBhZK0XXp5ORdHKWbXfLXQgiCXLPJntKdrRnUzJpXvYQzTeZKxf
dQmjS8QN8IFtvBuprb3grAhm/wV+ueerTcM/wyBOu/7gg0J7CsjztqtomIHYAbpi
x5pf3b6mzKG72ibnaKgL29wur5Cs+8in9d8/kOxgTpWbzZc35A==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwwPRK/45pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvG
w0Se1IFI/S1oootnu6F1yDYsStIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJ
W+Q098WwFJP1Z3s6enjhAVZWkaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbf
G36/TpfQEOioCDCBryALQxTFdGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnN
rv94bHvAEgPUTnINUG07ozujmV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAY
E7BjtXJOMMSXhIYtVi/XFfd/wK71/Fvl+6G60wIDAQABAoIBAQCi5thfEHFkCJ4u
bdFtHoXSCrGMR84sUWqgEp5T3pFMHW3qWXvyd6rZxtmKq9jhFuRjJv+1bBNZuOOl
yHIXLgyfb+VZP3ZvSbERwlouFikN3reO3EDVou7gHqH0vpfbhmOWFM2YCWAtMHac
PM3miO5HknkLWgDiXl8RfH35CLcgBokqXf0AqyLh8LO8JKleJg4fAC3+IZpTW23T
K6uUgmhDNtj2L8Yi/LVBXQ0zYOqkfX7oS1WRVtNcV48flBcvqt7pnqj0z4pMjqDk
VnOyz0+GxWk88yQgi1yWDPprEjuaZ8HfxpaypdWSDZsJQmgkEEXUUOQXOUjQNYuU
bRHej8pZAoGBAOokp/lpM+lx3FJ9iCEoL0neunIW6cxHeogNlFeEWBY6gbA/os+m
bB6wBikAj+d3dqzbysfZXps/JpBSrvw4kAAUu7QPWJTnL2p+HE9BIdQxWR9OihqN
p1dsItjl9H4yphDLZKVVA4emJwWMw9e2J7JNujDaR49U0z2LhI2UmFilAoGBANU4
G8OPxZMMRwtvNZLFsI1GyJIYj/WACvfvof6AubUqusoYsF2lB9CTjdicBBzUYo6m
JoEB/86KKmM0NUCqbYDeiSNqV02ebq2TTlaQC22dc4sMric93k7wqsVseGdslFKc
N2dsLe+7r9+mkDzER8+Nlp6YqbSfxaZQ3LPw+3QXAoGAXoMJYr26fKK/QnT1fBzS
ackEDYV+Pj0kEsMYe/Mp818OdmxZdeRBhGmdMvPNIquwNbpKsjzl2Vi2Yk9d3uWe
CspTsiz3nrNrClt5ZexukU6SIPb8/Bbt03YM4ux/smkTa3gOWkZktF63JaBadTpL
78c8Pvf9JrggxJkKmnO+wxkCgYEAukSTFKw0GTtfkWCs97TWgQU2UVM96GXcry7c
YT7Jfbh/h/A7mwOCKTfOck4R1bHBDAegmZFKjX/sec/xObXphexi99p9vGRNIjwO
8tZR9YfYmcARIF0PKf1b4q7ZHNkhVm38hNBf7RAVHBgh58Q9S9fQnmqVzyLJA3ue
42AB/C8CgYAR0EvPG2e5nxB1R4ZlrjHCxjCsWQZQ2Q+1cAb38NPIYnyo2m72IT/T
f1/qiqs/2Spe81HSwjA34y2jdQ0eTSE01VdwXIm/cuxKbmjVzRh0M06MOkWP5pZA
62P5GYY6Ud2JS7Dz+Z9dKJU4vjWrylznk1M0oUVdEzllQkahn831vw==
-----END RSA PRIVATE KEY-----
```
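Certificates embedded in a sample are worth decoding rather than just carving, because their subject, issuer, validity window and fingerprint are reusable indicators and show what the operators chose to impersonate. The script below is an added example, not code from the post or the sample: it embeds the two PEM certificates quoted above and walks their DER structure with a minimal tag-length-value reader to print issuer, subject, serial, validity and SHA-256 fingerprint. It assumes standard X.509 v3 layout, does not verify any signature, and the fingerprint values it computes are not stated anywhere in the post.

```python
import base64
import hashlib
import re

# The two PEM certificates quoted in the post, embedded so the example runs offline.
EMBEDDED_PEM = """-----BEGIN CERTIFICATE-----
MIIDYjCCAkqgAwIBAgIIAT8TuSzaBG4wDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE
BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh
bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi
GA8yMDE3MDkyNDA3MDMzOFoYDzIwMTkwMjA3MDcwMzM4WjBmMQswCQYDVQQGEwJV
UzEZMBcGA1UECgwQR2xvYmFsU2lnbiBudi1zYTE8MDoGA1UEAwwzR2xvYmFsU2ln
biBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBDQSAtIFNIQTI1NiAtIEcyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804H0ryTXUQ8bY1
n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy6sqQu2lSEAMv
qPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqNOCkcrMft8nyV
sJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnlwtfaQG/YIdxz
G0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1Vi+jJtK3b7Fa
F9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNLve02eQIDAQAB
oxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA261N1CtZuZ4Mf
5Q+KghudGcp+sG2X1UzQ8eZqYK+6xmIClKWSQ3EhWB19zor2dOOb2fRJ4iw72Lhy
cH57R84whQSqqY9tqjwwulavMAzdBlz3RqsnAqdL5C6jeEfJmxmymH4Jz6kqJbCh
H1LVp6ToJ+lYA0QoCxkMqe6jCWE5K8QefM/kx8WhROJTdHHUKjFXFmon/fIJUAxo
SesxW3+YPeY7zzBUIjh0lYMhiyvXMDIMLo9zewR2nfi3aAa+APwAulTjm46dbH4K
cn7jc8IOt954R5jakc0AhtSZUHlPqKKHZy19iDfpcoFA7L/WuiNkfYPvN6eaxAvA
b3dxfi8N
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDgTCCAmmgAwIBAgIIAUyTG93zLTEwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UE
BhMCVVMxGTAXBgNVBAoMEEdsb2JhbFNpZ24gbnYtc2ExPDA6BgNVBAMMM0dsb2Jh
bFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAi
GA8yMDE3MDkyNDA3MDUyMVoYDzIwMTkwMjA3MDcwNTIxWjCBljELMAkGA1UEBhMC
VVMxEDAOBgNVBAgMB05ld1lvcmsxEzARBgNVBAcMClJpdmVyIFZpZXcxIzAhBgNV
BAoMGldpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMuMRgwFgYDVQQDDA8qLndpa2lw
ZWRpYS5vcmcxITAfBgkqhkiG9w0BCQEWEmluZm9Ad2lraXBlZGlhLm9yZzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2q
KlIHR9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEe
e5sDR5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0Ybf
N1EbDKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaD
uh5AciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbb
bfqsu/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEA
ATANBgkqhkiG9w0BAQsFAAOCAQEAGjef4dfuIkF7MdfLs4x5KqzM4/5+h1lS+SWS
ojTaAuH2++1pGgVV4vfGB9QVxoTDkcp5wWjw184x+P19Fjio+ucUUOmFmD7BERXX
V4NZMv/TwucAbRIb6/FRv13Koigi05tIhXesownpbMZq7p6I9P9GAd/Uu7XCMTPO
UHpuTtNoI+tjwwBhZK0XXp5ORdHKWbXfLXQgiCXLPJntKdrRnUzJpXvYQzTeZKxf
dQmjS8QN8IFtvBuprb3grAhm/wV+ueerTcM/wyBOu/7gg0J7CsjztqtomIHYAbpi
x5pf3b6mzKG72ibnaKgL29wur5Cs+8in9d8/kOxgTpWbzZc35A==
-----END CERTIFICATE-----
"""

# Attribute OIDs that occur in these names, mapped to their usual short labels.
OID_LABELS = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
    b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",
}


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Yield (tag, value) for each element directly inside a SEQUENCE or SET."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def parse_name(name: bytes) -> str:
    parts = []
    for _, rdn in children(name):          # Name ::= SEQUENCE OF RelativeDistinguishedName
        for _, attr in children(rdn):      # RDN ::= SET OF AttributeTypeAndValue
            (_, oid), (_, val) = children(attr)
            parts.append(f"{OID_LABELS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def describe_certificate(der: bytes) -> dict:
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = read_tlv(cert, 0)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields.pop(0)
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = (v.decode() for _, v in children(validity[1]))
    return {
        "serial": serial[1].hex(),
        "issuer": parse_name(issuer[1]),
        "subject": parse_name(subject[1]),
        "not_before": not_before,
        "not_after": not_after,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def describe_pem_bundle(pem: str) -> list:
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [describe_certificate(base64.b64decode("".join(b.split()))) for b in blocks]
```

Calling `describe_pem_bundle(EMBEDDED_PEM)` shows the first certificate carrying the same subject and issuer (a self-issued "GlobalSign" CA name rather than the real GlobalSign hierarchy) and the second issued under that name to `*.wikipedia.org`; the two SHA-256 fingerprints are the values to record alongside the document hash.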
As we can see, the Blockbuster campaign and the Lazarus group are still active and have shown a continued interest in cryptocurrencies and the companies around them. Numerous exchanges are believed to have been hacked by the Lazarus group, and a significant amount of money has been stolen in the process. Since their efforts have been so successful, it does not look like they will slow down anytime soon with these types of targets.
Malicious Document (SHA-256) – 6b424d75445b3dabfb9b20895d0a1ce1430066ce7f3fcd87aa41fa32260ff92d