Adversary | Lazarus

Updated: Apr 3, 2021


Also Known As

Operation DarkSeoul | Dark Seoul | Hidden Cobra | Hastati Group | Andariel | Unit 121 | Bureau 121 | NewRomanic Cyber Army Team | Bluenoroff | Group 77 | Labyrinth Chollima | Operation Troy | Operation GhostSecret | Operation AppleJeus | APT38 | Stardust Chollima | Whois Hacking Team | Zinc | Appleworm | Nickel Academy | APT-C-26 | Nickel Gladstone | Covellite

Origin

North Korea

Target Countries

Bangladesh | Brazil | Chile | China | India | Italy | Japan | South Korea | Malaysia | Mexico | Pakistan | Philippines | Poland | Russia | Saudi Arabia | Serbia | Taiwan | Turkey | United Arab Emirates | United States | Uruguay | Vietnam


Targeted Verticals

Retail | Commercial

Financial Services

Government | Military


MITRE TTPs

Access Token Manipulation: Create Process with Token

Account Manipulation

Application Layer Protocol: Web Protocols

Application Window Discovery

Archive Collected Data

Archive Collected Data: Archive via Library

Archive Collected Data: Archive via Custom Method

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Shortcut Modification

Boot or Logon Autostart Execution: Security Support Provider

Brute Force: Password Spraying

Command and Scripting Interpreter: Windows Command Shell

Command and Scripting Interpreter: Visual Basic

Command and Scripting Interpreter: PowerShell

Create or Modify System Process: Windows Service

Data Destruction

Data Encoding: Standard Encoding

Data from Local System

Data Obfuscation: Protocol Impersonation

Data Staged: Local Data Staging

Defacement: Internal Defacement

Disk Wipe: Disk Structure Wipe

Disk Wipe: Disk Content Wipe

Drive-by Compromise

Encrypted Channel: Symmetric Cryptography

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exploitation for Client Execution

Fallback Channels

File and Directory Discovery

Hide Artifacts: Hidden Files and Directories

Impair Defenses: Disable or Modify Tools

Impair Defenses: Disable or Modify System Firewall

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Timestomp

Ingress Tool Transfer

Input Capture: Keylogging

Masquerading: Masquerade Task or Service

Modify Registry

Non-Standard Port

Obfuscated Files or Information

Obfuscated Files or Information: Software Packing

OS Credential Dumping: LSASS Memory

Phishing: Spearphishing Attachment

Phishing: Spearphishing via Service

Pre-OS Boot: Bootkit

Process Discovery

Process Injection: Dynamic-link Library Injection

Proxy: External Proxy

Query Registry

Remote Services: Remote Desktop Protocol

Remote Services: SMB/Windows Admin Shares

Resource Hijacking

Service Stop

Signed Binary Proxy Execution: Compiled HTML File

Signed Binary Proxy Execution: Mshta

System Information Discovery

System Network Configuration Discovery

System Owner/User Discovery

System Shutdown/Reboot

System Time Discovery

User Execution: Malicious File

Windows Management Instrumentation
