Lazarus Group

APT / StateG0032
OriginCoreia do Norte
Techniques (MITRE ATT&CK)93
SourceMITRE ATT&CK
Also known as:Labyrinth ChollimaHIDDEN COBRAGuardians of PeaceZINCNICKEL ACADEMYDiamond Sleet

Vexday analysis

Lazarus Group é um grupo de ameaça persistente avançada (APT) patrocinado pelo Estado norte-coreano e atribuído ao Reconnaissance General Bureau (RGB), ativo pelo menos desde 2009. O grupo, rastreado pela MITRE ATT&CK sob o identificador G0032 e também conhecido pelos aliases Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY e Diamond Sleet, é apontado como responsável pelo ataque destrutivo de novembro de 2014 contra a Sony Pictures Entertainment, identificado pela Novetta como parte da Operação Blockbuster. Malwares associados ao grupo foram correlacionados a outras campanhas documentadas, incluindo Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul e Ten Days of Rain. Ao todo, 93 técnicas MITRE ATT&CK foram documentadas em suas operações, além de uma CVE atribuída ao grupo.

Techniques (MITRE ATT&CK) 93

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance
Email AddressesGather Victim Org Information
Resource development
DomainsWeb ServicesServerSocial Media AccountsEmail AccountsMalwareToolDigital Certificates
Initial access
Drive-by CompromiseSpearphishing AttachmentSpearphishing LinkSpearphishing via Service
Execution
Windows Management InstrumentationScheduled TaskPowerShellWindows Command ShellVisual BasicNative APIExploitation for Client ExecutionMalicious File
Persistence
Account ManipulationWindows ServiceRegistry Run Keys / Startup FolderShortcut Modification
Credential access
Password SprayingName Resolution Poisoning and SMB Relay
Discovery
Application Window DiscoveryQuery RegistrySystem Network Configuration DiscoverySystem Owner/User DiscoveryNetwork Service DiscoverySystem Network Connections DiscoveryProcess DiscoverySystem Information DiscoveryFile and Directory DiscoverySystem Time DiscoveryLocal Storage Discovery
Lateral movement
Remote Desktop ProtocolSMB/Windows Admin SharesSSH
Collection
Data from Local SystemKeyloggingLocal Data StagingArchive Collected DataArchive via LibraryArchive via Custom Method
Command and control
Protocol or Service ImpersonationFallback ChannelsWeb ProtocolsInternal ProxyExternal ProxyBidirectional CommunicationMulti-Stage ChannelsIngress Tool TransferStandard EncodingNon-Standard PortSymmetric Cryptography
Exfiltration
Exfiltration Over C2 ChannelExfiltration Over Unencrypted Non-C2 Protocol
Impact
Data DestructionService StopInternal DefacementSystem Shutdown/RebootDisk Content WipeDisk Structure Wipe
defense-impairment
Code SigningDisable or Modify ToolsWindows Host Firewall
stealth
Dynamic API ResolutionEmbedded PayloadsEncrypted/Encoded FileRename Legitimate UtilitiesMasquerade Task or ServiceMatch Legitimate Resource Name or LocationDynamic-link Library InjectionIndicator RemovalClear Command HistoryFile DeletionTimestompValid AccountsCreate Process with TokenDeobfuscate/Decode Files or InformationIndirect Command ExecutionSystem Binary Proxy ExecutionMshtaRundll32BootkitHidden Files and DirectoriesDLLKernelCallbackTableReflective Code Loading

Exploited vulnerabilities 1

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2018-4878HIGHEPSS 90%KEV

Lazarus Group uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →