Intercept the Adversary: Lazarus Group – Operation In(ter)ception

Operation In(ter)ception reveals Lazarus Group's 2019 cyber campaign targeting military and aerospace organizations in Europe and the Middle East. Delve into the attacker's tactics on LinkedIn, their covert infiltration methods, and the complexities of their persistence strategies. Discover how AttackIQ Flex can empower your organization to fortify their defenses against such sophisticated threats through the use of agentless emulation testing. Read More

Introduction

Stemming from the Latin roots “inter” meaning “between” or “among,” and “cept” denoting “to take” or “to seize,” interception encapsulates the act of seizing or capturing something passing between entities. Specifically, in cybersecurity, interception refers to capturing or diverting communications or data between parties. This interception serves multifaceted purposes, including surveillance, analysis, and ensuring security measures. As we delve into the intricacies of Operation In(ter)ception, a targeted cyber onslaught in 2019 orchestrated by Lazarus Group, understanding the nuances of interception becomes paramount.

Attacker Tools and Techniques

At the heart of Operation In(ter)ception lies a web of deception meticulously spun by the Lazarus Group, employing social engineering tactics to lure unsuspecting victims into their trap. Leveraging LinkedIn, attackers disguised themselves as reputable HR representatives from esteemed industry players like Collins Aerospace and General Dynamics, dangled enticing, yet fabricated job offers. Through LinkedIn messaging or email links, malicious files, camouflaged as job-related documents, were clandestinely delivered to unsuspecting victims. The deployment of password-protected RAR archives housing LNK files marked the inception of a covert infiltration strategy.

The attack narrative unfolds with the deployment of a malicious LNK file, cleverly disguised to mimic legitimate processes, thereby bypassing conventional defenses. From there, the attackers pivot towards securing persistence through a series of nefarious maneuvers, including the execution of remote XSL scripts and the establishment of new services within the system architecture. The intricate dance continues as the attackers employ various techniques, from executing DLLs through RunDLL32 to leveraging Living-off-the-Land tactics, exploiting legitimate tools and operating system functions to obfuscate their malicious activities.

The complexity of Operation In(ter)ception extends beyond its initial infiltration, encompassing a spectrum of sophisticated techniques aimed at maintaining a stealthy presence while exfiltrating valuable information to adversary infrastructure. To achieve this, Lazarus Group’s playbook includes a diverse array of tactics, ranging from masquerading and renaming system utilities to orchestrating system information discovery scripts and staging data for extraction.

Operation In(ter)ception AttackIQ Flex Package

In response to such sophisticated threats as Operation In(ter)ception, AttackIQ Flex users now have access to a comprehensive testing package designed to evaluate and strengthen their security defenses. By emulating real-world attack scenarios and providing actionable insights, AttackIQ Flex empowers organizations to proactively identify and mitigate vulnerabilities within their infrastructure, reducing the risk of successful cyberattacks.

Scenarios Included in Flex Package:

  • System Information Discovery Script
  • Masquerading and Renaming System Utilities
  • XSL Script Processing Through WMI
  • New Service
  • Execute DLL Through RegSvr32
  • Download 2019-10 Operation In(ter)ception Second Stage Backdoor to Memory
  • Lazarus Group’s Operation In(ter)ception Initial C2 Request using HTTP GET
  • Download 2019-11 Operation In(ter)ception First Stage Downloader to Memory
  • Save 2020-02 Lazarus Group Operation In(ter)ception Malicious LNK File to File System
  • Save 2019-10 Operation In(ter)ception Second Stage Backdoor to File System
  • Save 2019-11 Operation In(ter)ception First Stage Downloader to File System
  • Execute DLL Through RunDLL32
  • Data Staged Script
  • System Network Connections Discovery
  • Persistence Through Scheduled Task
  • Download 2020-02 Lazarus Group Operation In(ter)ception Malicious LNK File to Memory

Conclusion

In(ter)ception stands as a testament to the evolving threat landscape and a timeless axiom, encapsulating the art of seizing or capturing entities traversing between. In an era defined by interconnectivity, vigilance remains our strongest armor against the shadowy machinations of cyber adversaries. Sign up for AttackIQ Flex today and reap the benefits of agentless testing as a service!