North Korea Is Recycling Mac Malware. That's Not the Worst Part

Category: IT Technology · Published: 4 years ago

For years, North Korea's Lazarus Group hackers have plundered and pillaged the global internet, scamming and infecting digital devices around the world for espionage, profit, and sabotage. One of their weapons of choice: a so-called loader that allows them to clandestinely run a diverse array of malware on targeted Macs with hardly a trace. But Lazarus didn't create the loader on its own. The group seems to have found it lying around online, and repurposed it to elevate their attacks.

The reality of malware reuse is well established. (It is a distinct practice from "living off the land," a term that refers to abusing legitimate tools already present on a victim's system.) The NSA reportedly reuses malware, as do state-sponsored hackers from China, Russia, North Korea, and elsewhere. But at the RSA security conference in San Francisco on Tuesday, former National Security Agency analyst and Jamf researcher Patrick Wardle will show a particularly impactful example of how ubiquitous and extensive malware reuse really is, even on Macs, and how vital it is to take the threat seriously.

“You take malware that someone else has created, analyze it, and then reconfigure it so you can redeploy it,” Wardle says. “Why would you develop something new when three-letter agencies and other groups are creating just incredible malware that’s fully featured, fully tested, and a lot of times has even already been tested in the wild.”

Researchers saw Lazarus Group using early iterations of the loader in 2016 and 2018, and the tool has continued to evolve and mature. Once Lazarus tricks a victim into installing the loader, typically through phishing or another scam, it beacons out to the attacker's server. The server responds by sending an encrypted payload for the loader to decrypt and run.

The loader Wardle examined is especially appealing, because it is designed to run whatever "payload," or malware, it receives directly in a computer's random access memory, rather than installing it on the hard drive. Known as a fileless malware attack, this makes it much harder to detect an intrusion or investigate an incident later, because the payload never touches the disk; what remains for a defender to work with is the loader itself, its network beacon, and whatever can be captured from the running process's memory. And Wardle points out that the loader, a "first stage" attack tool, is payload-agnostic, meaning you can use it to run whatever type of "second stage" attack you want on a target's system. But Lazarus didn't come up with all these impressive tricks itself.

"All the code that implements the in-memory loader was actually grabbed from a Cylance blog post and GitHub project where they released some open source code as part of research," Wardle says. Cylance is an antivirus firm that also conducts threat research. "When I was analyzing the Lazarus Group loader I found basically an exact match. It's interesting that the Lazarus Group programmers either googled this or saw the presentation about it at the Infiltrate conference in 2017 or something."

This reuse illustrates the benefits to attackers of recycling sophisticated malware tools, whether they come from intelligence agencies or open-source research. EternalBlue, the Windows exploit developed by the NSA and then stolen and leaked in 2017, has infamously been used by virtually every hacking group out there, from China and Russia to criminal syndicates. But while recycling is a widely known hacker practice, Wardle points out that just knowing about it abstractly isn't enough. He argues that security professionals need to meaningfully focus on the mechanics of the process so they can overcome the shortcomings of existing protections and malware detection methods.

Take signature-based defenses, which work by fingerprinting a known malicious program and adding that fingerprint to a blacklist. Regular antivirus and malware scanning tools that rely on signatures generally fail to flag reused malware: a fingerprint computed over the whole file, such as a cryptographic hash, changes with even the minor tweaks a new attacker makes (a different command-and-control address, a new encryption key), and a pattern-based signature survives only if it keys on bytes the attacker left untouched.
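To make the brittleness concrete, here is an added example (not code from the article, from Wardle, or from Cylance) that compares three ways of recognising a "reused" binary: a whole-file hash, a YARA-style wildcard byte pattern over the routine the attacker copied unchanged, and a 4-gram byte-set similarity score. The byte blobs are constructed stand-ins for a compiled loader (an invariant "core" followed by attacker-specific configuration); they are not taken from any real sample, and the C2 addresses are documentation ranges chosen for illustration.

```python
import hashlib
import re

# Constructed bytes standing in for the loader's invariant code routine.
# They are NOT real instructions from any sample; they only need to be
# identical in both the "original" and the "reused" binary.
CORE = bytes.fromhex(
    "554889e54883ec30488975e848897de0"
    "31c0c745fc00000000837dfc0a7d3d8b45fc"
    "4898488b4de0488b14c1488b45e8ffd0"
    "8345fc01ebd148c745f800000000c9c3"
)


def build_sample(c2_host: bytes, xor_key: int) -> bytes:
    """Assemble a constructed stand-in for a compiled loader: the shared
    core routine followed by the configuration a new operator retunes."""
    return CORE + b"C2=" + c2_host + b"\x00" + bytes([xor_key])


# The original research loader and a copy re-pointed at a different server.
ORIGINAL_SAMPLE = build_sample(b"203.0.113.10:443", 0x17)
REUSED_SAMPLE = build_sample(b"198.51.100.7:8443", 0x2A)
# A blob that shares nothing with either, as a control.
UNRELATED = bytes(range(80))

# A wildcard signature over the first 15 bytes of the core; "??" marks the
# positions (stack frame size, register offsets) a recompile may alter.
CORE_PATTERN = "55 48 89 E5 48 83 EC ?? 48 89 75 ?? 48 89 7D"


def hash_signature(blob: bytes) -> str:
    """Whole-file fingerprint: any single-byte change yields a new value."""
    return hashlib.sha256(blob).hexdigest()


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string such as "55 48 ?? E5" into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def matches_pattern(blob: bytes, pattern: str) -> bool:
    """True if the wildcard pattern occurs anywhere in the blob."""
    return compile_hex_pattern(pattern).search(blob) is not None


def byte_ngrams(blob: bytes, n: int = 4) -> set:
    """Set of all n-byte windows, the basis of simple similarity hashing."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two blobs' 4-gram sets (0.0 .. 1.0)."""
    ga, gb = byte_ngrams(a), byte_ngrams(b)
    return len(ga & gb) / len(ga | gb)


def compare() -> dict:
    """Run the three detection approaches against the reused copy."""
    return {
        "hash_blacklist_catches_reuse":
            hash_signature(ORIGINAL_SAMPLE) == hash_signature(REUSED_SAMPLE),
        "pattern_catches_reuse": matches_pattern(REUSED_SAMPLE, CORE_PATTERN),
        "pattern_false_positive": matches_pattern(UNRELATED, CORE_PATTERN),
        "similarity_to_reuse": round(similarity(ORIGINAL_SAMPLE, REUSED_SAMPLE), 2),
        "similarity_to_unrelated": round(similarity(ORIGINAL_SAMPLE, UNRELATED), 2),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Changing only the C2 address and key produces a different SHA-256, so a hash blacklist built from the original research code never fires on the repurposed copy. The wildcard pattern still matches because it keys on bytes the new operator had no reason to touch, and the n-gram score stays high for the same reason; both approaches are only as good as the analyst's choice of which bytes are invariant, which is exactly the "mechanics" Wardle argues defenders need to study.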

