Recently, the Hidden Cobra APT threat actors attacked Japanese organizations with obfuscated malware. This malware downloads and manages all of the modules; it is saved as a .drv file in a folder such as C:\Windows\System32\ and runs as a service.
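As an added hunting example (not code from the article or the JPCERT report), the check below parses a constructed service listing and flags services whose image is a .drv file, the persistence pattern described above; the record format, the sample entries and the service names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample (assumed format: one service per line with Name=,
# PathName= and StartMode= fields, modelled on Win32_Service output).
SAMPLE_SERVICES = r"""
Name=Spooler PathName=C:\Windows\System32\spoolsv.exe StartMode=Auto
Name=wuauserv PathName=C:\Windows\system32\svchost.exe -k netsvcs StartMode=Manual
Name=HelperSvc PathName=C:\Windows\System32\helper.drv StartMode=Auto
Name=AcmeAgent PathName="C:\Program Files\Acme\agent.exe" -svc StartMode=Auto
"""

RECORD = re.compile(r"Name=(\S+)\s+PathName=(.+?)\s+StartMode=(\S+)")


def parse_services(listing: str) -> list[dict]:
    """One record per line; PathName may contain spaces, so the lazy
    match stops at the StartMode field of the same line."""
    records = []
    for line in listing.splitlines():
        m = RECORD.search(line)
        if m:
            records.append({"Name": m[1], "PathName": m[2], "StartMode": m[3]})
    return records


def image_path(pathname: str) -> str:
    """Extract the executable image from a service PathName, dropping
    arguments such as '-k netsvcs' and honouring quoted paths."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    # Unquoted path: join tokens until one ends in a file extension, so an
    # unquoted path containing spaces is not cut off at the first space.
    parts = p.split(" ")
    for i, tok in enumerate(parts):
        if re.search(r"\.[A-Za-z0-9]{2,4}$", tok):
            return " ".join(parts[: i + 1])
    return parts[0]


def suspicious_services(records: list[dict]) -> list[tuple[str, str]]:
    """.drv is a legacy driver/DLL extension, not a normal service image,
    so a Win32 service whose binary is a .drv deserves a closer look."""
    hits = []
    for rec in records:
        img = PureWindowsPath(image_path(rec["PathName"]))
        if img.suffix.lower() == ".drv":
            hits.append((rec["Name"], str(img)))
    return hits
```

On a live host the same records can be produced with `Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode` and fed to the parser.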
Hidden Cobra, also known as Lazarus, is a North Korean APT hacking group that has been involved in various high-profile cyber-attacks against government and private-sector organizations around the globe since 2009.
Obfuscation is a technique that makes textual and binary data hard to read, and it helps threat actors hide the critical strings that would otherwise reveal the malware's behavior, such as keys and malicious URLs. In this case, the threat actors used VMProtect to obfuscate the service.
In this type of malware, the adversaries use encryption/encoding methods to hide the data from security programs. In some cases, the adversaries go a step further and use special tools called "packers" to obfuscate the whole program, which makes reverse engineering and analysis much more complicated.
Where is the configuration stored?
The configuration of this malware (size: 0x6DE) is encrypted and stored in a registry entry, and it is loaded when the malware runs. In this analysis, it was confirmed that the configuration is stored at the following location:-
According to the JPCERT report, all the strings in the malware are encrypted with AES-128, and the encryption key is hardcoded in the malware. Moreover, the Windows API names are also AES-encrypted. After decrypting the API name strings, the malware resolves the addresses of the named APIs with LoadLibrary and GetProcAddress.
C&C server communication
The image below shows the full chain of communication, from the initial contact with the C&C server until a module is downloaded.
Once the module is downloaded, it performs its main functions, such as receiving commands from the C&C server. The module performs the seven operations listed below:-
- Operation on files (create a list, delete, copy, modify time created)
- Operation on processes (create a list, execute, kill)
- Upload/download files
- Create and upload a ZIP file of an arbitrary directory
- Execute arbitrary shell command
- Obtain disk information
- Modify system time
Apart from this, security experts are still investigating the activities performed by Lazarus, which many different organizations have reported. The experts also claim that this type of attack has been observed in multiple countries. If it is not addressed soon, similar attacks will occur again in Japan.
Finally, the attackers spread the infection and leveraged account information with the help of the Python tool SMBMAP, which allows access to remote hosts via SMB, after converting it into a Windows PE file with PyInstaller.