Lazarus APT Backdoor

Hi!
Lazarus is in touch. I found a sample in our sandbox, and after an explanation from @h2jazi and @jaydinbas it turns out we are on the same vibe, for which we thank them!
Look at the rules:

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Lazarus APT Related Backdoor Activity (POST) M1";flow: established, to_server; http.method; content: "POST"; http.request_body;content: "mpVI=";  depth: 5;base64_decode:bytes 60, offset 5; base64_data; pcre: "/^((?:[A-F0-9]{2}[:-]){5}[A-F0-9]{2})/"; content: ",";  offset:17; depth:1;content: ",";  within:16;pcre: "/^(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})){3},/R"; reference: md5,6277fee38a64f218291c73db5326e1bf; reference: url,twitter.com/h2jazi/status/1681426768597778440?s=20; reference: url,app.any.run/tasks/4c09692b-50a2-4b5f-8dd9-c9af96bcf226; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lazarus, created_at 2023_07_20; classtype: command-and-control; sid: 1; rev: 1;)
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Lazarus APT Related Backdoor Activity (POST) M2";flow: established, to_server; http.method; content: "POST"; http.request_body;content: "mpCMD="; depth: 6;content: "&mpVID="; distance: 0; pcre: "/^((?:[A-F0-9]{2}[:-]){5}[A-F0-9]{2})$/R";reference: md5,6277fee38a64f218291c73db5326e1bf; reference: url,app.any.run/tasks/2181b40d-b46a-4fa6-81d4-5eb2e3d9b845; reference: url,twitter.com/h2jazi/status/1681426768597778440?s=20;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lazarus,  created_at 2023_07_20; classtype: command-and-control;sid: 2; rev: 1;)

Have a nice day, hugs!

2 Likes
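
As an added illustration (it is not part of the submission above or of the ET ruleset), the following Python models the request-body checks of the two submitted rules so they can be tried against constructed POST bodies offline. The M1 checks imply a decoded layout of "MAC,field,IPv4,..."; the hostname and trailing fields in the sample are assumptions, only the MAC, comma and IPv4 positions are what the rule tests. The base64 handling approximates Suricata's `base64_decode:bytes 60, offset 5` (decode 60 input bytes, whole quartets only).

```python
import base64
import re

# Regular expressions copied from the submitted M1 / M2 rules.
MAC_AT_START = re.compile(rb"^((?:[A-F0-9]{2}[:-]){5}[A-F0-9]{2})")
MAC_WHOLE = re.compile(rb"^((?:[A-F0-9]{2}[:-]){5}[A-F0-9]{2})$")
IPV4_THEN_COMMA = re.compile(
    rb"^(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})){3},"
)
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def suricata_base64_decode(buf: bytes, nbytes: int, offset: int) -> bytes:
    """Approximate `base64_decode:bytes N, offset M`: take N input bytes from M,
    stop at the first non-base64 byte and decode only complete quartets."""
    chunk = buf[offset:offset + nbytes]
    for i, b in enumerate(chunk):
        if b not in B64_ALPHABET:
            chunk = chunk[:i]
            break
    chunk = chunk[: len(chunk) - len(chunk) % 4]
    return base64.b64decode(chunk) if chunk else b""


def match_m1(body: bytes) -> bool:
    """Request-body checks of the submitted M1 rule (mpVI= check-in)."""
    # content:"mpVI="; depth:5  -> body starts with the parameter name
    if body[:5] != b"mpVI=":
        return False
    # base64_decode:bytes 60, offset 5; base64_data  -> 45 decoded bytes at most
    decoded = suricata_base64_decode(body, 60, 5)
    # pcre  -> a MAC address (XX-XX-XX-XX-XX-XX or XX:XX:...) at the very start
    if not MAC_AT_START.match(decoded):
        return False
    # content:","; offset:17; depth:1  -> the byte right after the MAC is a comma
    if decoded[17:18] != b",":
        return False
    # content:","; within:16  -> a second comma that ends within 16 bytes of the first
    second = decoded.find(b",", 18, 18 + 16)
    if second == -1:
        return False
    # pcre .../R  -> a dotted-quad IPv4 plus comma directly after the second comma
    return IPV4_THEN_COMMA.match(decoded[second + 1:]) is not None


def match_m2(body: bytes) -> bool:
    """Request-body checks of the submitted M2 rule (mpCMD= / mpVID= message)."""
    # content:"mpCMD="; depth:6
    if body[:6] != b"mpCMD=":
        return False
    # content:"&mpVID="; distance:0  -> anywhere after the previous match
    idx = body.find(b"&mpVID=", 6)
    if idx == -1:
        return False
    # pcre .../R anchored with $  -> the remainder of the body is exactly one MAC
    return MAC_WHOLE.match(body[idx + len(b"&mpVID="):]) is not None


def classify(body: bytes) -> list:
    """Local sids whose body checks fire for this POST body (1 = M1, 2 = M2)."""
    hits = []
    if match_m1(body):
        hits.append(1)
    if match_m2(body):
        hits.append(2)
    return hits


def make_beacon(plaintext: bytes) -> bytes:
    """Build an mpVI= body the way the rule expects it: base64 of the plaintext."""
    return b"mpVI=" + base64.b64encode(plaintext)


# Constructed samples (not real captures). Hostname, OS and user fields are assumed;
# the MAC, comma and IPv4 positions are the only parts the M1 rule actually checks.
VICTIM_INFO = b"00-0C-29-AB-CD-EF,DESKTOP-7F3K2,192.168.1.23,win10,user"
BEACON_BODY = make_beacon(VICTIM_INFO)
RESULT_BODY = b"mpCMD=" + base64.b64encode(b"whoami") + b"&mpVID=00-0C-29-AB-CD-EF"
BENIGN_BODY = make_beacon(b"hello world, nothing to see")

if __name__ == "__main__":
    for name, body in (("beacon", BEACON_BODY), ("result", RESULT_BODY), ("benign", BENIGN_BODY)):
        print(name, classify(body))
```

Note that M1 only ever sees the first 45 decoded bytes, so a long second field or a 15-character IPv4 can push the address past what the rule inspects; the ET rules that replaced this submission (sids 2046881/2046882 below) avoid that by keying on the parameter names plus request headers instead of the decoded payload.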

Hi Jane,

What a nice day for new Lazarus sigs B). Thank you, @h2jazi, and @jaydinbas for the research and sharing these with ET. I’ll add these sigs to today’s release.

Take care!

1 Like

Hey there!

Update: It appears that sigs were already created for the @h2jazi thread referenced in your submission, twitter.com/h2jazi/status/1681426768597778440.

These were the new rules:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Andariel RexPot CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.user_agent; content:"Mozilla/88.0"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"mpVI="; fast_pattern; startswith; reference:md5,842b0d0eb01716a9f526acd866d8bad3; reference:url,twitter.com/h2jazi/status/1681426768597778440; classtype:trojan-activity; sid:2046881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_07_21, deployment Perimeter, former_category MALWARE, malware_family RexPot, performance_impact Low, confidence High, signature_severity Major, tag Andariel, updated_at 2023_07_21; target:src_ip;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Andariel RexPot CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.user_agent; content:"Mozilla/88.0"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"mpCMD="; fast_pattern; content:"mpVID="; reference:md5,842b0d0eb01716a9f526acd866d8bad3; reference:url,twitter.com/h2jazi/status/1681426768597778440; classtype:trojan-activity; sid:2046882; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_07_21, deployment Perimeter, former_category MALWARE, malware_family DTrack, performance_impact Low, confidence High, signature_severity Major, tag Lazarus, updated_at 2023_07_21; target:src_ip;)

These “ET MALWARE Suspected Andariel RexPot CnC Checkin” sigs should cover similar activity intended by your submission. And so, to keep the ruleset slim, this submission will not be added to today’s release.

Nevertheless, thanks again for the submission!

1 Like

I read some documents on Andariel:
Andariel deploys DTrack and Maui ransomware | Securelist
https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf
(and everything that is on Malpedia) and did not find any intersection, either in terms of goals or techniques or tactics. There is also a doubt about the use of DTrack: https://twitter.com/jaydinbas/status/1681427701905915909?s=20
An exception is that the task scheduler is also used there:
Analysis javaupdatemain.tmp (MD5: 9758EFCF96343D0EF83854860195C4B4) Malicious activity - Interactive analysis ANY.RUN.
I took a wider attribution, since the goals of Lazarus are purely military, as in the decoy article (https://wezard4u.tistory.com/6519), and used the backdoor label, since such periodic connections to the command server are characteristic of a backdoor: Analysis 미군 구인공고 웹사이트 주소 및 사용방법 안내.zip ("US military job posting website address and usage guide") (MD5: 6277FEE38A64F218291C73DB5326E1BF) Malicious activity - Interactive analysis ANY.RUN

1 Like

Awesome references. I pointed this conversation to another PFPT peer (Hi Greg!); they promised to share some attribution insight within the Twitter thread provided.

To summarize for folks outside of Twitter (X??), Andariel is a subgroup of North Korean activity under the “Lazarus” umbrella. It was used as it was more specific.

1 Like

Thank you, he tweeted yesterday.
Please note that both rules are for the conshost.exe process, but in the first case (2046881) it is malware_family RexPot, and in the other (2046882) malware_family DTrack. For now I will add both tags to the sandbox for each rule.

Best regards, Jane.

1 Like