
Executive Summary: LAZARUS TROJAN ATTACK ON CYBERSECURITY RESEARCHERS

Keanna Grelicha, Counterintelligence and Cyber (CICYBER) Team

Week of Monday, November 15, 2021

Mimi Aram-Walker, Editor; Clea Guastavino, Senior Editor


Lazarus Integrated Development Environment[1]


Lazarus, a North Korean State-sponsored advanced persistent threat (APT) group, conducted several cyberattacks in November 2021 using a trojanized Interactive Disassembler (IDA) Pro application against US-based cybersecurity researchers.[2] Cybersecurity researchers use IDA Pro to translate machine code into a readable form so that programs can be analyzed for malicious behavior or programming errors; the application is expensive.[3] The targets very likely installed a malicious version of IDA Pro distributed by SecuriElite, a fake security company operated by Lazarus, because of the high cost of the legitimate application.[4] Lazarus very likely targets individual researchers in its cyberattacks because individuals typically employ weaker security measures than organizations. The malicious IDA Pro application triggered the download of a Remote Access Trojan (RAT), which gave Lazarus access to the researchers’ systems and files.[5] Through the RAT, Lazarus will almost certainly be able to steal sensitive information that can be held for ransom. Because individuals very likely rely on cloud connectivity, hackers using RATs are very likely able to attack multiple systems. Even though the malware in the IDA Pro software has been detected, Lazarus could very likely still succeed in stealing sensitive information from its targets if the trojan was not entirely removed from their systems.


Lazarus used fake Twitter and LinkedIn accounts to lure people into downloading the malicious version of IDA Pro.[6] The RAT used was NukeSped, which Lazarus has used before.[7] The RAT is a trojan that is released into the system once a component of the IDA Pro software is downloaded.[8] When the targets downloaded the pirated version of the software, the RAT was almost certainly released through a backdoor on the computer’s system to begin the intrusion. With the release of the trojan, Lazarus could very likely have infiltrated the system, stolen sensitive information with the RAT malware, and inserted other malicious code to move through connected cloud networks. The ability to attack other networks through cloud connections will almost certainly produce more vulnerabilities because there are more access points through which malicious code can enter and which must be managed.


Once the NukeSped RAT enters a system, Lazarus can remotely steal sensitive information for financial gain.[9] If hackers can obtain company or employee data through the RAT, it will almost certainly pose a threat to the company’s assets because hackers could very likely hold it for ransom. The ransom could place a financial strain on the company or the individuals targeted. Holding company data almost certainly compromises the security of the enterprise and its projects, along with the security of employees’ personal information. With personal information stolen, money laundering or fraud can very likely arise through the misuse of addresses or social security numbers. Paying a ransom to retrieve the data will likely impede the company’s operations, because the cyberattacks are likely to reduce the employee resources available.


Independent researchers are likely to be the most vulnerable targets because companies cannot download pirated software without risking lawsuits or fines.[10] Individual contractors can download anything at their discretion when performing work on a personal computer.[11] Targeting individuals is very likely a deliberate technique for the group to carry out successful cyberattacks and produce financial gain if the hackers can obtain data to hold for ransom. Individual security researchers cannot continually check their systems for flaws and are likely vulnerable to cyberattacks. Malware on individuals’ systems will very likely spread to the company network if their accounts containing the pirated application are opened on company computers. If companies that employ independent contractors are unable to manage the irregular traffic and secure their networks, as well as their connections with other business networks, the company’s reputation will likely be damaged, because the company is likely to be seen as insecure. Without proper security mechanisms such as firewalls and detection and prevention systems, trojans and other malicious code can very likely bypass security tools and intrude on the company’s operations by deleting data files, stealing login credentials, and disabling systems.


Because of cloud connectivity, the intrusion of one system can likely lead to an attack on another. A cloud connection over a Virtual Private Network (VPN) is susceptible to malware and virus attacks, though such attacks are unlikely given the security VPNs offer.[12] With cloud connectivity, independent researchers likely do not need to use a company computer. Linking to the company network via VPN likely has implications for the company because more remote servers access the company’s network from multiple locations. With an increase in access points, connections to the company network from remote servers are likely to increase, making it difficult to track potentially harmful connections. Companies will likely need to ensure that their network security can monitor remote servers and reduce the vulnerabilities that cloud connectivity brings. If an independent researcher has a RAT-infected application, the hacker can likely control the trojan remotely to traverse the network and connect to the company’s system over the VPN link. Assessing every entry point for attacks in a network that uses VPNs would very likely reduce the exploitation of vulnerabilities, leading to a decrease in attacks.


Although the RAT Lazarus uses in these cyberattacks has been reported, companies and individuals are still advised to implement training and awareness on malicious code in application downloads. Malware attacks are very likely to surge as a result of human error and social engineering scams. If employees do not understand what scams and malicious code activities can entail, it is almost certain that a breach could occur and put the data in the company’s system at risk. It is also recommended that companies’ independent researchers invest in and adopt antivirus software or trojan-removal tools on their personal systems. Antivirus software will very likely ensure the detection of malicious traffic in the system and help prevent a breach of the network in a future attack. Using the genuine, vendor-supplied IDA software will very likely decrease the chance of embedded malicious code and avoid the vulnerabilities of pirated versions.
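The recommendation above to use genuine rather than pirated software can be enforced mechanically: before an installer is run, its SHA-256 digest is compared against the digest the vendor publishes for that release, and anything that does not match, is not listed, or is expected but absent is reported. The following script is an added example written for this brief; it is not code from CTG or from the IDA Pro vendor. The file names, the manifest and the installer bytes are constructed for the demonstration and are not real IDA Pro release artifacts or hashes.

```python
"""Verify downloaded installers against a manifest of vendor-published SHA-256 digests.

Added example for this brief. Every file name, digest and installer payload below
is constructed for the demo; none of them are real IDA Pro release values.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (used for both files and manifest entries)."""
    return hashlib.sha256(data).hexdigest()


def verify_installers(directory: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Compare every file in `directory` with the vendor manifest.

    Returns {file name: verdict} where the verdict is one of:
      'ok'       - digest matches the vendor-published value
      'mismatch' - file is listed but its digest differs (tampered or corrupt)
      'unlisted' - file is present but the vendor publishes no digest for it
      'missing'  - manifest lists it but no such file was downloaded
    """
    results: dict[str, str] = {}
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        digest = sha256_of_bytes(path.read_bytes())
        expected = manifest.get(path.name)
        if expected is None:
            results[path.name] = "unlisted"
        elif digest.lower() == expected.lower():
            results[path.name] = "ok"
        else:
            results[path.name] = "mismatch"
    # Anything the vendor lists that never arrived locally is reported too.
    for name in manifest:
        results.setdefault(name, "missing")
    return results


def demo() -> dict[str, str]:
    """Build a throwaway download folder with constructed files and verify it."""
    pristine_setup = b"constructed genuine installer bytes"
    pristine_patch = b"constructed vendor patch bytes"
    # A tampered copy: the pristine patch with extra bytes appended (constructed).
    tampered_patch = pristine_patch + b"\x00constructed-extra-payload"

    # Hypothetical vendor manifest: file name -> published SHA-256 (constructed).
    manifest = {
        "ida_setup.exe": sha256_of_bytes(pristine_setup),
        "ida_patch.exe": sha256_of_bytes(pristine_patch),
        "ida_plugin.zip": sha256_of_bytes(b"constructed plugin archive bytes"),
    }

    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp)
        (downloads / "ida_setup.exe").write_bytes(pristine_setup)   # genuine
        (downloads / "ida_patch.exe").write_bytes(tampered_patch)   # tampered
        (downloads / "readme.txt").write_bytes(b"constructed note")  # not in manifest
        return verify_installers(downloads, manifest)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

In real use the manifest would be populated from the vendor's download page or release notes, fetched over a separate channel from the installer itself, so that a single compromised download source cannot supply both a trojanized file and a matching digest.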


The Counterterrorism Group (CTG) and Counterintelligence and Cyber (CICYBER) Team will continue to monitor and assess the Lazarus APT group and its evolving targeting of cybersecurity researchers and other organizations using RATs. The CICYBER Team will continue to monitor the use of the NukeSped RAT malware and trojan infections, as the use of these tools is very likely to be associated with Lazarus. Collaboration with the PACOM Team will allow for monitoring of the APT groups associated with the North Korean government that could likely pose security concerns for potential target countries. The CTG’s Worldwide Analysis of Threats, Crime, and Hazards (W.A.T.C.H.) Officers will remain vigilant to cyber threats originating from North Korea and those associated with Lazarus and its aliases by monitoring global events 24/7 and producing relevant reports.


The Counterterrorism Group (CTG) is a subdivision of the global consulting firm Paladin 7. CTG has developed a business acumen that proactively identifies and counteracts the threat of terrorism through intelligence and investigative products. Business development resources can now be accessed via the Counter Threat Center (CTC), emerging Fall 2021. The CTG produces W.A.T.C.H. resources using daily threat intelligence, also designed to complement CTG specialty reports, which utilize analytical and scenario-based planning. Innovation must accommodate political, financial, and cyber threats to maintain a level of business continuity, regardless of unplanned incidents that may take critical systems offline. To find out more about our products and services, visit us at counterterrorismgroup.com.


________________________________________________________________________ The Counterterrorism Group (CTG)

[1] “Lazarus Integrated Development Environment” by WikiMedia Commons, licensed under Creative Commons

[2] North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro, The Hacker News, November 2021, https://thehackernews.com/2021/11/north-korean-hackers-target.html

[3] Lazarus hackers target researchers with trojanized IDA Pro | #microsoft | #hacking | #cybersecurity, National Cyber Security News Today, November 2021, https://nationalcybersecuritynews.today/lazarus-hackers-target-researchers-with-trojanized-ida-pro-microsoft-hacking-cybersecurity/

[4] North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro, The Hacker News, November 2021, https://thehackernews.com/2021/11/north-korean-hackers-target.html

[5] Ibid

[6] Ibid

[7] Lazarus hackers target security researchers with malicious IDA Pro installer, CybersecurityHelp, November 2021, https://www.cybersecurity-help.cz/blog/2408.html

[8] Ibid

[9] Ibid

[10] How to Report a Company That Uses Pirated Software, Chron, 2021, https://smallbusiness.chron.com/report-company-uses-pirated-software-29308.html

[11] Ibid

[12] Can Ransomware Attacks Be Prevented with a VPN?, GTSC Homeland Security, December 2018, https://www.hstoday.us/subject-matter-areas/cybersecurity/can-ransomware-attacks-be-prevented-with-a-vpn/


