Kaspersky helps to stop the Lazarus Group

Kaspersky Lab is pleased to announce its contribution, together with Novetta and other collaborators from the broader security industry, to Operation Blockbuster. The aim of the operation is to stop the Lazarus Group, an extremely dangerous malware organization responsible for data destruction as well as conventional cyber-espionage campaigns against many companies around the world. These attackers are believed to be behind the 2014 attack on Sony Pictures Entertainment, as well as the DarkSeoul campaign, which in 2013 targeted media outlets and financial institutions.

Following the notoriously destructive 2014 attack on Sony Pictures Entertainment (SPE), one of the world's best-known film studios, Kaspersky Lab's Global Research and Analysis Team (GReAT) began investigating samples of the Destover malware used in the attack, once it became publicly known. This led to a further investigation of a series of related cyber-espionage and sabotage campaigns, which targeted financial institutions, the media and construction companies, among others.

Based on common features observed across different malware families, Kaspersky Lab's experts managed to group dozens of individual attacks and concluded that they all belong to a single threat actor. This was also confirmed by the analysis conducted by the other participants in Operation Blockbuster.

The threat actor, the Lazarus Group, was active several years before the Sony Pictures Entertainment attack and appears to be still active. Kaspersky Lab and the other participants in Operation Blockbuster confirm a link between the malware used in various campaigns, such as the DarkSeoul operation against banks and broadcasters based in Seoul, Operation Troy targeting military forces in South Korea, and the Sony Pictures Entertainment incident.

During the investigation, Kaspersky Lab researchers exchanged preliminary findings with AlienVault Labs. Gradually, researchers from both companies decided to join forces and conduct the research together. At the same time, the activity of the Lazarus Group became the subject of research by many other companies and security experts. One of these companies, Novetta, has launched an initiative aimed at publishing the most comprehensive and useful information about the activity of the Lazarus Group. As part of Operation Blockbuster, along with Novetta, AlienVault Labs and other industry partners, Kaspersky Lab publishes its findings for the benefit of the general public.

Kaspersky Lab: Looking for a needle in a haystack

By analyzing multiple malware samples found in different security incidents and creating dedicated detection rules, Kaspersky Lab, AlienVault and the other Operation Blockbuster experts were able to identify a series of attacks by the Lazarus Group.

Linking and grouping multiple samples into a single cluster resulted from analysis of the methods used by this actor. In particular, it was discovered that the attackers actively re-used code, "borrowing" pieces of code from one malicious program to use in another.

Beyond that, the researchers were able to spot similarities in how the attackers operated. When analyzing objects from various attacks, they found that all droppers (the programs used to install different variants of a malicious payload) kept their payloads inside a password-protected ZIP file. The password for the files used in different campaigns was the same and was embedded inside the dropper. Password protection was put in place to prevent automated systems from extracting and analyzing the payload, but in practice it simply helped the researchers identify the group.
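Added example (not code from Kaspersky Lab, AlienVault or Novetta): a Python triage script that applies the clustering signal described above, recovering a dropper's embedded ZIP password from its own printable strings and grouping samples that share one. It assumes a constructed dropper layout (a fake header, the password as a printable string, then the archive), placeholder passwords, and that the archive uses traditional PKWARE (ZipCrypto) encryption, which is what `zipfile` can open; the ZipCrypto encryptor is included only to build those sample droppers offline.

```python
import contextlib, io, re, struct, zipfile, zlib

def _crc_step(crc, b):
    """One byte of plain (non-inverted) CRC-32, as the ZipCrypto key schedule uses it."""
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(data, pwd, check):  # traditional PKWARE encryption; here only to build sample archives
    k = [0x12345678, 0x23456789, 0x34567890]
    def upd(b):
        k[0] = _crc_step(k[0], b)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    for b in pwd:
        upd(b)
    out = bytearray()
    for b in b"\x00" * 11 + bytes([check]) + data:  # 12-byte header; its last byte is the CRC high byte
        t = (k[2] | 2) & 0xFFFF
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        upd(b)
    return bytes(out)

def build_encrypted_zip(name, data, pwd):  # one stored entry with general-purpose flag bit 0 (encrypted) set
    crc = zlib.crc32(data)
    body = zipcrypto_encrypt(data, pwd, crc >> 24)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0) + name
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir), len(local) + len(body), 0)
    return local + body + cdir + eocd

def embedded_zip_password(blob):
    """Password that opens the protected ZIP inside a dropper, tried from the dropper's own printable strings."""
    off = blob.find(b"PK\x03\x04")
    if off < 0 or not struct.unpack_from("<H", blob, off + 6)[0] & 1:
        return None  # no embedded archive, or its entry is not flagged as encrypted
    zf = zipfile.ZipFile(io.BytesIO(blob[off:]))
    for cand in re.findall(rb"[\x20-\x7e]{6,}", blob[:off]):  # the strings a `strings` run would list
        with contextlib.suppress(RuntimeError, zipfile.BadZipFile):  # wrong password (or a chance check-byte match)
            zf.read(zf.namelist()[0], pwd=cand)
            return cand
    return None

def cluster_by_password(samples):
    """Group sample names by recovered password: a shared password is the clustering signal described above."""
    groups = {}
    for name, blob in samples.items():
        groups.setdefault(embedded_zip_password(blob), []).append(name)  # None collects unprotected samples
    return groups

SAMPLES = {  # constructed droppers: fake header, a log file name, the embedded password, then the archive
    n: b"MZ" + b"\x00" * 30 + b"install.log\x00" + p + b"\x00" * 8 + build_encrypted_zip(b"payload.bin", n.encode(), p)
    for n, p in [("sample_a", b"shared-secret-A1"), ("sample_b", b"shared-secret-A1"), ("sample_c", b"other-secret-B2")]}
```

Running `cluster_by_password(SAMPLES)` puts sample_a and sample_b in one group and sample_c in another, because `install.log` fails the password check and only the embedded string opens each archive.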

A particular method used by the criminals to erase traces of their presence from an infected system, as well as some techniques used to avoid detection by antivirus products, gave the researchers additional means of grouping the attacks. In the end, dozens of different targeted attacks whose perpetrators had been considered unknown were linked to a single threat actor.

Kaspersky Lab: The "geography" of the Operation

Analysis of the sample collection dates showed that the earliest may have been written as early as 2009, several years before the notorious attack on Sony Pictures Entertainment. The number of new samples has grown dynamically since 2010. This characterizes the Lazarus Group as a persistent threat actor with long-lasting activity. Based on the metadata obtained from the samples examined, most of the malware used by the Lazarus Group appears to have been compiled during working hours in the GMT+8 and GMT+9 time zones.

"As we predicted, the number of attacks that destroy data is growing steadily. This type of malware is proving to be an extremely effective type of cyber-weapon. The power to "clean" thousands of computers with the push of a button is a significant reward for a Computer Network Exploitation team tasked with disinformation and disruption of a target business. Its value as part of a "hybrid war", where these attacks are combined with physical attacks to paralyze a country's infrastructure, remains an interesting "thought experiment", but one that is closer to reality than we imagine - and we cannot be comfortable with such an event. Together with our security industry partners, we are proud to have dealt a major blow to the operations of a rogue actor eager to exploit these destructive techniques," said Juan Guerrero, Senior Security Researcher at Kaspersky Lab.

"This entity has the necessary capabilities and determination to carry out cyber-espionage operations, with the aim of stealing data or causing s. By combining the above with the use of disinformation and deception techniques, the attackers have been able to successfully carry out various operations in recent years," said Jaime Blasco, Chief Scientist at AlienVault. "Operation Blockbuster is an example of how our sector, through the exchange of information and cooperation, can raise the bar and prevent such entities from continuing their activities," he added.

"Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners are continuing our efforts to establish a methodology to stop the activities of global attack agencies and to limit their efforts to cause further damage," commented Andre Ludwig, Senior Technical Director of the Novetta Threat Research and Interdiction Group. "The level of in-depth technical analysis in Operation Blockbuster is rare, and the fact that we shared our findings with other industry partners so that we all benefit is even rarer," he concluded.

More details about Kaspersky Lab's findings on Lazarus Group's action are available on the site Securelist.com.

More details about Novetta's findings on Lazarus Group's action are available on the site www.OperationBlockbuster.com.

iGuRu.gr - The Best Technology Site in Greece


Written by Dimitris
