Lazarus Group Uses the DLL Side-Loading Technique (2)

by Prapattimynk, Tuesday, 23 January 2024 (1 month ago)
Lazarus Group Uses the DLL Side-Loading Technique (2)


Through the “Lazarus Group Uses the DLL Side-Loading Technique” [1] blog post, AhnLab SEcurity intelligence Center(ASEC) has previously covered how the Lazarus group used the DLL side-loading attack technique using legitimate applications in the initial access stage to achieve the next stage of their attack process. This blog post will cover the added DLL variants and their verification routine for the targets.

The Lazarus group is an APT group that targets South Korean companies, institutions, think tanks, and others. On January 12, 2024, a new legitimate program for DLL side-loading (T1574.002 Hijack Execution Flow: DLL side-loading), a technique commonly used by the Lazarus group to execute malware, was discovered through AhnLab Smart Defense (ASD).

The threat actor typically uses the DLL side-loading technique in the initial access and malware execution stages. This method saves a legitimate application and a malicious DLL in the same folder path so that the malicious DLL is also executed when the application is run. In other words, it is a malware execution technique that allows the malicious DLL to be executed first by changing its name to the filename of the legitimate DLL located in a different path that the legitimate program refers to.

The newly discovered legitimate program is called “wmiapsrv.exe”. The wmiapsrv.exe program is a legitimate MS module that loads “wbemcomn.dll”, which is used to load the modified malicious wbemcomn.dll. Additionally, another modified malicious DLL within the same path called “netutils.dll” was discovered. The created wbemcomn.dll and netutils.dll perform as backdoors.

1. wbemcomn.dll

wbemcomn.dll has a verification routine for the targets. The result value of the GetSystemFirmwareTable API call includes unique information from the system, which is used to decrypt the encrypted strings in the resource area of wbemcomn.dll. The file in the path of the decrypted value is then loaded to carry out malicious behaviors. This shows that this is an APT attack attempt that is executed only on specific systems. This is because the file path information cannot be checked when the result of the GetSystemFirmwareTable API call through another system’s information is used for decryption.

Figure 1. A part of the resource area of wbemcomn.dll

2. netutils.dll

Unlike wbemcomn.dll, netutils.dll can load specific files without any decryption verification process. The file path and name are shown below.

  • PDB information – O:DevelopTool_DevLoader7-ZipUtil7zDebug7zDec.pdb
  • Loaded file information – C:ProgramDataMicrosoft Editoreditor.dat
Figure 2. File loaded by netutils.dll

The Lazarus group uses spear phishing, supply chain attacks, and various other attack vectors. This group is very dangerous and is one of the most active attack groups in the world. This type of malware is diagnosed by AhnLab as follows.

[File Detection]
Trojan/Win.LazarLoader.C5572843 (2024.01.12.03)
Trojan/Win.LazarLoader.C5572847 (2024.01.13.00)

[Behavior Detection]
Injection/MDP.Event.M4512
Injection/EDR.Lazarus.M10965

[IOC Info]
edca71eda8650a2c591c37c780b6a0c5
21def97a3c5b95df1e1aeb6486881656

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.