Commonly Known Tools Used by Lazarus
It is widely known that attackers use commonly known Windows commands and tools after intruding into their target network. The Lazarus attack group, a.k.a. Hidden Cobra, also uses such tools to collect information and spread the infection. This blog post describes the tools they use.
Lateral movement
These three tools are used for lateral movement. AdFind collects information about clients and users from Active Directory; it has been observed that other attack groups use the tool as well (see the reference below). SMBMap is used to infect other hosts with their malware. (Also check out our previous blog post on Lazarus.) It has also been observed that Responder-Windows was used to collect information in the network.
| Tool | Description | URL |
|---|---|---|
| AdFind | Command-line tool to collect information from Active Directory | http://www.joeware.net/freetools/tools/adfind/ |
| SMBMap | Tool to list accessible SMB shares and access their files | https://github.com/ShawnDEvans/smbmap |
| Responder-Windows | Tool to mislead clients by spoofing LLMNR, NBT-NS, and WPAD | https://github.com/lgandx/Responder-Windows |
Stealing sensitive data
These three tools are used for information theft. Tools for this purpose are used only in certain cases, because the malware itself usually has similar functions. Tools for collecting account information from browsers and email clients are used in particular. Attackers often archive collected files in RAR before exfiltration, and the Lazarus attack group does the same using WinRAR. As we mentioned in our previous blog post, the malware can also compress files with zlib and send them, which means that files are not always exfiltrated in RAR format.
| Tool | Description | URL |
|---|---|---|
| XenArmor Email Password Recovery Pro | Tool to extract credentials from email clients and services | https://xenarmor.com/email-password-recovery-pro-software/ |
| XenArmor Browser Password Recovery Pro | Tool to extract credentials from web browsers | https://xenarmor.com/browser-password-recovery-pro-software/ |
Other tools
The following tools are used for other purposes. Attackers sometimes create backdoors in the infected network using RDP, TeamViewer, VNC, and other applications. It has been confirmed that Lazarus has used VNC and ProcDump, a common Microsoft tool, before. ProcDump is sometimes used when attackers attempt to extract user credentials from a memory dump of the LSASS process. Windows counterparts of common Linux tools such as tcpdump and wget are also used.
| Tool | Description | URL |
|---|---|---|
| TightVNC Viewer | VNC client | https://www.tightvnc.com/download.php |
| ProcDump | Common Microsoft tool to create a process memory dump | https://docs.microsoft.com/en-us/sysinternals/downloads/procdump |
| tcpdump | Packet capturing tool | https://www.tcpdump.org/ |
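Because the post notes that these tools are commonly known and often go unflagged by anti-virus software, detection has to rest on how they are used rather than on their file names. The following Python detector is an added example written for this blog post, not code from JPCERT or from any of the tools above. It scans Sysmon-style events, which are assumed to have already been normalised into dicts with the keys `event_id`, `image`, `command_line`, `target_image` and `granted_access` (field names are an assumption for this example), and it covers the three categories discussed above: command lines that invoke AdFind, SMBMap or Responder, ProcDump-style arguments that dump `lsass.exe`, RAR archive creation, and any process that opens LSASS with memory-read access (Sysmon event ID 10), which catches a renamed ProcDump that the command-line rule would miss. The sample events are constructed for the example and are not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events for this example; paths, arguments and access
# masks are assumptions, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"event_id": 1, "image": r"C:\Users\Public\adfind.exe",
     "command_line": "adfind.exe -f objectcategory=computer"},
    # ProcDump renamed to pd.exe: the image name gives nothing away, the arguments do.
    {"event_id": 1, "image": r"C:\Temp\pd.exe",
     "command_line": "pd.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    {"event_id": 10, "image": r"C:\Temp\pd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 10, "image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"event_id": 10, "image": r"C:\Windows\System32\taskhostw.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"event_id": 1, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": 'Rar.exe a -r C:\\Temp\\docs.rar "C:\\Users\\alice\\Documents"'},
    {"event_id": 1, "image": r"C:\Python\python.exe",
     "command_line": "python.exe smbmap.py -H 192.0.2.10 -u alice"},
    {"event_id": 1, "image": r"C:\Temp\Responder.exe",
     "command_line": "Responder.exe"},
]

# Event ID 1 (process creation): match on the command line, not the image path,
# so that a renamed binary still trips the rule through its arguments.
COMMAND_LINE_RULES = [
    ("adfind_recon", "high", re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("smbmap_lateral", "high", re.compile(r"\bsmbmap(\.py|\.exe)?\b", re.I)),
    ("responder_spoofing", "high", re.compile(r"\bresponder(\.exe|\.py)?\b", re.I)),
    ("lsass_dump_cmdline", "critical", re.compile(r"-ma\s+lsass(\.exe)?\b", re.I)),
    ("rar_archive_created", "medium", re.compile(r"\brar(\.exe)?\s+a\b", re.I)),
]

# PROCESS_VM_READ is the access right needed to read another process's memory;
# a dump of LSASS cannot be taken without it.
PROCESS_VM_READ = 0x0010

# Source images that legitimately open LSASS on a healthy host.
# This allowlist is an assumption for the example; tune it per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    image: str


def check_process_creation(event):
    """Apply the command-line rules to one Sysmon event ID 1 record."""
    cmd = event.get("command_line", "")
    return [Alert(rule, sev, event["image"])
            for rule, sev, pattern in COMMAND_LINE_RULES if pattern.search(cmd)]


def check_lsass_access(event):
    """Flag a Sysmon event ID 10 record whose source opened LSASS with read access."""
    target = event.get("target_image", "").lower()
    if not target.endswith("\\lsass.exe"):
        return []
    if event["image"].lower() in LSASS_ACCESS_ALLOWLIST:
        return []
    granted = int(event.get("granted_access", "0"), 16)
    if granted & PROCESS_VM_READ:
        return [Alert("lsass_memory_read", "critical", event["image"])]
    return []


def scan(events):
    """Run every event through the rule that applies to its event ID."""
    alerts = []
    for ev in events:
        if ev.get("event_id") == 1:
            alerts.extend(check_process_creation(ev))
        elif ev.get("event_id") == 10:
            alerts.extend(check_lsass_access(ev))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity:8}] {alert.rule:22} {alert.image}")
```

Run against the constructed events, the scan raises six alerts: AdFind, the `-ma lsass.exe` command line, the LSASS memory read by the renamed ProcDump, the RAR archive creation, SMBMap and Responder. The two system processes that touch LSASS are not flagged, one because it is allowlisted and one because its access mask (`0x1400`) does not include `PROCESS_VM_READ`. The command-line rules are deliberately narrow; the `lsass_memory_read` rule is the one that still works when the attacker renames the tool.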
This blog post described tools used by the Lazarus group. Although their malware contains many functions, as we have already covered in other blog posts, they still supplement it with tools that are widely available and commonly known. It should be noted that anti-virus software may not detect such tools.
The hash values of the tools covered in this blog post are listed in Appendix A.
(Translated by Takumi Nakano)
Reference
Cybereason: "Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware"
Appendix A: Hash values
Be careful when using these hash values as IoCs. The list contains tools that are commonly used for non-malicious purposes.
XenArmor Email Password Recovery Pro
XenArmor Browser Password Recovery Pro