As security researchers around the world have observed, and as our joint research with McAfee demonstrated, Lazarus, one of the groups operating out of North Korea, has consistently reused code across its malware toolset. Researchers and reverse engineers alike keep finding the same patterns in the code during analysis. It was already known that the group borrows from open source projects, such as the CodeProject sample we documented in another blog post, and from open source RATs such as Gh0st RAT.
The core code itself, however, has always been assumed to be original DPRK work, from the time the group is believed to have become active in 2007 through to the present. We recently found samples from 2016 on VirusTotal through our Vaccine feature (YARA signatures) with very low detection rates, and they led us to the origin of the toolset: an open source RAT called CasperPhpTrojan, available on a Chinese open source project website.
The sample we found in the wild hit a Lazarus signature and had only 3/65 detections. Checking it in Intezer Analyze™ showed code reuse with Red Gambler, as originally reported by AhnLab.
The trojan's internal module name is “DllTroy.dll”, a name already known to be associated with Lazarus.
The string reuse is where the interesting finding comes from, and it also explains where the name CasperTroy comes from. The same strings appear in general Lazarus samples used across different cyber campaigns, in Operation Troy, a Lazarus campaign that began in 2011, and in Prioxer, another tool in their arsenal.
Seeing the same string overlap again, we searched Google for “7d414e351603fa”. It returned only 7 results, which brings us to the next topic of this research: where did the DPRK’s malware toolset originate?
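As an added illustration of the string-overlap step described above (example code written for this post, not Intezer's tooling and not the CasperPhpTrojan source), the following Python extracts ANSI and UTF-16LE strings from two byte blobs, drops common PE boilerplate, and reports which strings the two share together with a Jaccard overlap score. The two blobs are constructed stand-ins: the only strings in them taken from the research are "DllTroy.dll" and "7d414e351603fa"; everything else is filler.

```python
import re
from typing import Dict, List, Set

# Shortest run of printable characters worth treating as a string;
# shorter runs are mostly opcode bytes that happen to be printable.
MIN_LEN = 6

# Strings found in nearly every Windows PE, so they carry no evidence of
# code reuse. This is a constructed stop-list for the example, not an
# exhaustive one.
STOPLIST = {
    "!This program cannot be run in DOS mode.",
    "Kernel32.dll",
    "GetProcAddress",
    "LoadLibraryA",
}

# ANSI strings: a run of printable ASCII bytes.
ANSI_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE strings: a printable ASCII byte followed by a NUL, repeated.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> Set[str]:
    """Return the set of ANSI and wide strings in blob, minus boilerplate."""
    found = {m.group().decode("ascii") for m in ANSI_RE.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)}
    return {s for s in found if s not in STOPLIST}


def shared_strings(a: bytes, b: bytes) -> Set[str]:
    """Strings present in both binaries after filtering."""
    return extract_strings(a) & extract_strings(b)


def jaccard(a: bytes, b: bytes) -> float:
    """Overlap score |A & B| / |A | B|; 0.0 when neither blob has strings."""
    sa, sb = extract_strings(a), extract_strings(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def _blob(items: List[bytes]) -> bytes:
    # A fake MZ header followed by the items separated by two NULs, so the
    # trailing byte of an ANSI string is never glued onto a following wide
    # string by WIDE_RE (the same pitfall exists with `strings -el`).
    return b"MZ\x90" + b"\x00" * 8 + b"\x00\x00".join(items)


# Constructed stand-ins for a compiled CasperPhpTrojan and a Lazarus sample.
# Only "7d414e351603fa" and "DllTroy.dll" come from the research; the rest
# is filler chosen to exercise the extractor.
CASPER_BUILD = _blob([
    b"!This program cannot be run in DOS mode.",
    b"Kernel32.dll",
    b"GetProcAddress",
    b"7d414e351603fa",                      # ANSI in this build
    b"example filler shared by both",
    b"example filler unique to the casper build",
    "CasperPhpTrojan".encode("utf-16-le"),
])

LAZARUS_SAMPLE = _blob([
    b"!This program cannot be run in DOS mode.",
    b"Kernel32.dll",
    b"GetProcAddress",
    "7d414e351603fa".encode("utf-16-le"),   # wide in this sample
    b"example filler shared by both",
    "DllTroy.dll".encode("utf-16-le"),
    b"example filler unique to the lazarus sample",
])


def report(a: bytes, b: bytes) -> Dict[str, object]:
    """Summary a triage script would log before pivoting on each string."""
    shared = sorted(shared_strings(a, b))
    return {"shared": shared, "jaccard": round(jaccard(a, b), 3)}


if __name__ == "__main__":
    for key, value in report(CASPER_BUILD, LAZARUS_SAMPLE).items():
        print(key, value)
```

Both ANSI and wide matches are decoded to the same Python str before comparison, because the same literal is often stored narrow in one build and wide in another (here "7d414e351603fa" is ANSI in one blob and UTF-16LE in the other and still counts as shared). Each shared string is then a pivot: the Google search on "7d414e351603fa" above is exactly that step done by hand.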
THE ORIGINS: CASPERPHPTROJAN
The source code of this open source trojan, CasperPhpTrojan, was originally posted on the Chinese open source project website pudn[.]com. We downloaded the source, read through it, compiled it, and recognized constructs we had already seen in Lazarus malware. Below is some of the evidence we gathered by comparing the original code to the disassembly of different Lazarus binaries. Much of it was also documented in a previous blog post (http://intezer.com/blockbusted-lazarus-blockbuster-north-korea/), where we discussed strange occurrences in the code and the same code being reused again and again, even when it was believed to be a mistake, like the third example below, which resolves GetProcAddress by calling GetProcAddress, a function the caller evidently already has.
- HTTP Header (various campaigns & malware)
(Disassembly of multiple different Lazarus samples)
- TrojUploader Function
- GetProcAddress(LoadLibrary("Kernel32.dll"), "GetProcAddress");
(Lazarus samples from 2014 and 2017)
- API Resolution
(Various Lazarus samples)
Although Lazarus has made many modifications to CasperPhpTrojan, the base is largely the same, and we believe that compiling the source in the right environment with the right flags would surface even more correlations between the compiled code and Lazarus binaries. It appears to be the base of their toolset, which would also help explain why we found so many code connections between Lazarus malware families in our comprehensive DPRK research with McAfee. You may also want to look at our DPRK timeline of attacks and the related files with code reuse.
CasperTroy (2016) Droppers:
CasperTroy (2016) RATs:
Shared Code Examples: