“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
The notorious North Korean “Lazarus Group”, has added an in-memory, or file-less, trojan to their arsenal. Like other infections from this group, the attack begins as a fake cryptocurrency application that uses social engineering. It tricks the user into installing and running what they believe is a legitimate application. This portion of the attack is similar to the previous 'Applejeus' malware.
After launch, the malware displays its new functionality: the secondary payload. This payload is the active part of the campaign responsible for actions on objectives. It is performed in-memory without having to install further files on the hard drive. As a result, it is effective at evading today’s endpoint detection solutions.
The Lazarus Group also introduced a new Remote Access Trojan (RAT) that works on both Windows and Linux systems. This RAT, dubbed "Dacls", is modular in functionality with plugins that can provide the following functionalities:
Test network access
C2 connection agent
Network scanning module
Dacls is the first piece of malware belonging to Lazarus Group that can be utilized in Linux attacks.
In addition to the new fileless trojan and RAT with Linux capabilities, SentinelOne researchers observed the Lazarus Group collaborating with the cybercrime organization behind Trickbot on an attack framework named "Anchor Project". This is the first-time researchers have seen an APT group align itself with an underground cybercriminal organization. This has security professionals on edge. Trickbot was developed in 2016 as a banking malware, but has developed into a “a flexible, universal, module-based crimeware solution” evolved “to specifically attack corporations,” the researchers said.