Lazarus experiments with new ransomware

The Lazarus group has always stood out for using methods typical of APT attacks but specializing in financial cybercrime. Recently, our experts detected fresh, previously unexplored VHD malware, which Lazarus seems to be experimenting with.

Functionally, VHD is a fairly standard ransomware tool. It creeps through the drives connected to a victim’s computer, encrypts files, and deletes all System Volume Information folders (thereby sabotaging System Restore attempts in Windows). What’s more, it can suspend processes that could potentially protect important files from modification (such as Microsoft Exchange or SQL Server).

But what’s really interesting is how VHD gets onto target computers, because its delivery mechanisms have more in common with APT attacks. Our experts recently investigated a couple of VHD cases, analyzing the attackers’ actions in each.

Lateral movement through the victim’s network

In the first incident, our experts’ attention was drawn to the malicious code responsible for spreading VHD over the target network. It turned out that the ransomware had at its disposal lists of IP addresses of the victim’s computers, as well as credentials for accounts with admin rights. It used that data for brute-force attacks on the SMB service. If the malware managed to connect using the SMB protocol to the network folder of another computer, it copied and executed itself, encrypting that machine also.

Such behavior is not very typical of mass ransomware. It suggests at least a preliminary reconnaissance of the victim’s infrastructure, which is more characteristic of APT campaigns.

Chain of infection

The next time our Global Emergency Response Team encountered this ransomware during an investigation, the researchers were able to trace the entire infection chain. As they reported, the cybercriminals:

1. Gained access to victims’ systems by exploiting a vulnerable VPN gateway;
2. Obtained admin rights on the compromised machines;
3. Installed a backdoor;
4. Seized control of the Active Directory server;
5. Infected all computers on the network with the VHD ransomware using a loader specially written for the task.

Further analysis of the tools employed showed the backdoor to be part of the multiplatform MATA framework (which some of our colleagues call Dacls). We’ve concluded that it’s another Lazarus tool.

You’ll find a detailed technical analysis of these tools, together with indicators of compromise, in the relevant article on our Securelist blog.

How to protect your company

The VHD ransomware actors are clearly a cut above average when it comes to infecting corporate computers with a cryptor. The malware is not generally available on hacker forums; rather, it’s specifically developed for targeted attacks. The techniques used to penetrate the victim’s infrastructure and propagate within the network recall sophisticated APT attacks.

This gradual blurring of the boundaries between financial cybercrime tools and APT attacks is proof that even smaller companies need to consider using more advanced security technologies. With that in mind, we recently unveiled an integrated solution with both Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) functionality. You can find out more about the solution on its dedicated page.