Kaspersky helps to stop the Lazarus Group

Kaspersky Lab is pleased to announce its contribution, together with Novetta and other collaborators from the broader security industry, to Operation Blockbuster. The aim of the operation is to stop the Lazarus Group, an extremely dangerous threat actor responsible for data destruction as well as conventional cyber-espionage campaigns against many companies around the world. These attackers are believed to be behind the 2014 attack on Sony Pictures Entertainment, as well as the DarkSeoul campaign, which in 2013 targeted media outlets and financial institutions.

Following the notorious, catastrophic attack in 2014 on Sony Pictures Entertainment (SPE), one of the world's best-known film studios, Kaspersky Lab's Global Research and Analysis Team (GReAT) began investigating samples of the Destover malware used in the attack, once it became publicly known. This led to a wider investigation of a series of related cyber-espionage and sabotage campaigns, which were aimed at financial institutions, media and construction companies, among others.

Based on common features seen across different malware families, the company's experts were able to group dozens of individual attacks together and conclude that they all belong to a single threat actor. This was confirmed by the analysis carried out by the other participants in Operation Blockbuster.

The threat actor, Lazarus Group, was active several years before the Sony Pictures Entertainment attack and appears to be still active. Kaspersky Lab and other participants in Operation Blockbuster confirm a link between the malware used in various campaigns, such as the DarkSeoul campaign against banks and broadcasters based in Seoul, Operation Troy targeting military forces in South Korea, and the Sony Pictures Entertainment incident.

During the investigation, Kaspersky Lab researchers exchanged preliminary findings with AlienVault Labs. Gradually, researchers from both companies decided to join forces and conduct the research together. At the same time, the activity of the Lazarus Group became the subject of research by many other companies and security experts. One of these companies, Novetta, has launched an initiative aimed at publishing the most comprehensive and useful information about the activity of the Lazarus Group. As part of Operation Blockbuster, along with Novetta, AlienVault Labs and other industry partners, Kaspersky Lab publishes its findings for the benefit of the general public.

Kaspersky Lab: A needle in a haystack

By analyzing multiple malware samples detected in different cyber-security incidents and creating special detection rules, Kaspersky Lab, AlienVault and the other Operation Blockbuster experts were able to detect a series of attacks by the Lazarus Group.

The association and grouping of multiple samples into a single cluster resulted from analysis of the methods used by this actor. In particular, it was discovered that the attackers actively re-used code, "borrowing" pieces of code from one malicious program to use in another.

Beyond that, the researchers were able to spot similarities in how the attackers operated. When analyzing objects from various attacks, they discovered that all the droppers (special files used to install different variants of a malicious payload) kept their payloads inside a password-protected ZIP file. The password for the files used in different campaigns was the same and was embedded inside the dropper. The password protection was put in place to prevent automated systems from extracting and analyzing the payload, but in practice it simply helped the researchers identify the group.
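To show how a shared, embedded archive password ties droppers together the way the paragraph describes, here is an added Python example (not Kaspersky Lab's or Novetta's code): it builds constructed stand-in droppers around a ZipCrypto-protected archive, recovers each sample's password by trying the printable strings found in the sample, and clusters the samples by that password. Python's zipfile module only decrypts ZipCrypto, so the encryptor, the `make_dropper` layout and every sample value are written here for illustration and are assumptions, not real Lazarus artefacts.

```python
import io, re, struct, zipfile, zlib

def _update_keys(keys, byte):
    # PKWARE traditional (ZipCrypto) key schedule; zlib.crc32 is un-inverted to get the raw table step
    keys[0] = zlib.crc32(bytes([byte]), keys[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    keys[2] = zlib.crc32(bytes([keys[1] >> 24]), keys[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password, plaintext, check_byte):
    keys = [0x12345678, 0x23456789, 0x34567890]
    for b in password:
        _update_keys(keys, b)
    def enc_byte(b):  # keystream byte from key2; the plaintext byte then feeds the key schedule
        k = keys[2] | 2
        _update_keys(keys, b)
        return b ^ (((k * (k ^ 1)) >> 8) & 0xFF)
    return bytes(map(enc_byte, bytes(11) + bytes([check_byte]) + plaintext))  # 12-byte header, then data

def build_encrypted_zip(name, data, password):
    # Minimal stored archive with one ZipCrypto-protected entry (general-purpose flag bit 0 set)
    crc = zlib.crc32(data)
    enc = zipcrypto_encrypt(password, data, crc >> 24)  # check byte = high byte of the CRC
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0, crc, len(enc), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0, crc, len(enc), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(enc), 0)
    return local + enc + central + end

def make_dropper(password, payload):  # constructed stand-in for a dropper, not a real sample layout
    stub = b"MZ" + b"\x90" * 32 + b"\x00unpack\x00" + password + b"\x00"  # stub plus the embedded password string
    return stub + build_encrypted_zip(b"payload.dll", payload, password) + bytes(8)

def recover_payload(blob):
    """Try each printable string (>= 6 chars) in the sample as the password of the embedded ZIP."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))  # zipfile finds the archive from its end record, so the stub in front is fine
    except zipfile.BadZipFile:
        return None  # no archive embedded
    for pwd in {m.group(0) for m in re.finditer(rb"[ -~]{6,}", blob)}:
        try:
            return pwd, zf.read(zf.infolist()[0], pwd=pwd)
        except (RuntimeError, zipfile.BadZipFile):
            pass  # wrong password: check-byte or CRC mismatch
    return None

def cluster_by_password(samples):
    """Group sample names by the archive password they embed (None = nothing recovered)."""
    groups = {}
    for name, blob in samples.items():
        groups.setdefault((recover_payload(blob) or (None,))[0], []).append(name)
    return {k: sorted(v) for k, v in groups.items()}
```

A real triage pipeline would feed `cluster_by_password` with carved dropper binaries; samples that share a key land in one group even when their payloads differ.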

A particular method used by the criminals to erase traces of their presence from an infected system, as well as some techniques used to avoid detection by security products, gave the researchers additional means of grouping related attacks. Ultimately, dozens of different targeted attacks, whose operators were thought to be unknown, were linked to a single threat actor.

Kaspersky Lab: The "geography" of the operation

The analysis of sample collection dates showed that the earliest ones could have been written as early as 2009, several years before the notorious attack on Sony Pictures Entertainment. The number of new samples has risen sharply since 2010. This characterizes the Lazarus Group as a persistent threat actor with long-running activity. Based on the metadata obtained from the samples examined, most of the malware used by the Lazarus Group appears to have been compiled during working hours in the GMT+8 and GMT+9 time zones.
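The time-zone inference behind that last sentence can be reproduced from PE compile timestamps. The Python below is an added example, not Kaspersky Lab's tooling: it scores every whole-hour UTC offset by how many builds fall on a weekday between 09:00 and 17:59 local time (that working-hours window is an assumption), and its timestamps are constructed so that the result lands on GMT+8 and GMT+9 as the page describes.

```python
from datetime import datetime, timedelta, timezone

def working_hours_score(timestamps, offset_hours):
    """Count samples whose local build time at UTC+offset_hours falls on a weekday between 09:00 and 17:59."""
    tz = timezone(timedelta(hours=offset_hours))
    local = (datetime.fromtimestamp(ts, tz) for ts in timestamps)
    return sum(1 for t in local if t.weekday() < 5 and 9 <= t.hour < 18)

def likely_utc_offsets(timestamps):
    """Whole-hour UTC offsets (-12..+14) under which the largest share of builds looks like working hours."""
    scores = {off: working_hours_score(timestamps, off) for off in range(-12, 15)}
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best)

# Constructed sample: PE TimeDateStamp values (seconds since the epoch) for builds made Mon-Fri
# 10:00-17:00 at UTC+9, plus two off-hours builds. Not real Lazarus metadata.
_BUILD_TZ = timezone(timedelta(hours=9))
SAMPLE_TIMESTAMPS = [
    int(datetime(2015, 3, day, hour, 30, tzinfo=_BUILD_TZ).timestamp())
    for day in range(2, 7) for hour in range(10, 18)  # 2-6 March 2015 is Mon-Fri
] + [int(datetime(2015, 3, 4, 3, 0, tzinfo=_BUILD_TZ).timestamp()),
     int(datetime(2015, 3, 5, 23, 15, tzinfo=_BUILD_TZ).timestamp())]

if __name__ == "__main__":
    print(likely_utc_offsets(SAMPLE_TIMESTAMPS))  # [8, 9]
```

Neighbouring offsets tie whenever the build hours sit well inside the window, which is why this kind of analysis yields a band such as GMT+8/+9 rather than a single zone.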

"As we predicted, the number of attacks that destroy data is growing steadily. This type of malware is proving to be an extremely effective type of cyber-weapon. The power to 'clean' thousands of computers at the push of a button is a major reward for a Computer Network Exploitation team tasked with and disruption of the operations of a target company. Its value as part of a 'hybrid war', where these attacks are combined with physical attacks to paralyze a country's infrastructure, remains an interesting 'thought experiment', but one that is closer to reality than we imagine, and we cannot be comfortable with such an event. Together with our security industry partners, we are proud to have dealt a major blow to the operations of a rogue actor eager to exploit these destructive techniques," said Juan Guerrero, Senior Security Researcher at Kaspersky Lab.

"This organization has the necessary abilities and determination to carry out cyber-espionage operations to steal data or cause damage. Combining the above with the use of misinformation and deception techniques, the attackers were able to carry out several operations successfully in recent years," said Jaime Blasco, Chief Scientist at AlienVault. "Operation Blockbuster is an example of how our sector, through the exchange of information and cooperation, can set the bar higher and prevent such actors from continuing their activities," he added.

"Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners are continuing efforts to establish a methodology for stopping the activities of attack actors with a global reach, and also to limit their efforts to cause further damage," commented Andre Ludwig, Senior Technical Director of Novetta's Research and Interdiction Group. "The level of in-depth technical analysis carried out for Operation Blockbuster is rare, and the fact that we shared our findings with other industry partners for the benefit of all is even rarer," he concluded.

More details about Kaspersky Lab's findings on Lazarus Group's action are available on the site Securelist.com.

More details about Novetta's findings on Lazarus Group's action are available on the site www.OperationBlockbuster.com.


Written by Dimitris
