Lazarus Group hackers have long plagued the internet—using at least one tool they picked up just by looking around online.
For years, North Korea’s Lazarus Group hackers have plundered and pillaged the global internet, scamming and infecting digital devices around the world for espionage, profit, and sabotage. One of their weapons of choice: a so-called loader that allows them to clandestinely run a diverse array of malware on targeted Macs with hardly a trace. But Lazarus didn’t create the loader on its own. The group seems to have found it laying around online, and repurposed it to elevate their attacks.
The reality of malware reuse is well established. The NSA reportedly reuses malware, as do state-sponsored hackers from China, North Korea, Russia, and elsewhere. But at the RSA security conference in San Francisco on Tuesday, former National Security Agency analyst and Jamf researcher Patrick Wardle will show a particularly compelling example of how ubiquitous and extensive malware reuse really is, even on Macs—and how vital it is to take the threat seriously.
“You take malware that someone else has created, analyze it, and then reconfigure it so you can redeploy it,” Wardle says. “Why would you develop something new when three-letter agencies and other groups are creating just incredible malware that’s fully featured, fully tested, and a lot of times has even already been tested in the wild?”
Researchers saw Lazarus Group using early iterations of the loader in 2016 and 2018, and the tool has continued to evolve and mature. Once Lazarus tricks a victim into installing the loader—typically through phishing or another scam—it beacons out to the attacker’s server. The server responds by sending encrypted software for the loader to decrypt and run.
The loader Wardle examined is especially appealing, because it is designed to run whatever “payload,” or malware, it receives directly in a computer’s random access memory, rather than installing it on the hard drive. Known as a fileless malware attack, this makes it much harder to detect an intrusion or investigate an incident later, because the malware doesn’t leave records of having ever been installed on the system. And Wardle points out that the loader, a “first stage” attack tool, is payload-agnostic, meaning you can use it to run whatever type of “second stage” attack you want on a target’s system. But Lazarus didn’t come up with all these impressive tricks itself.
“All the code that implements the in-memory loader was actually grabbed from a Cylance blog post and GitHub project where they released some open source code as part of research,” Wardle says. Cylance is an antivirus firm that also conducts threat research. “When I was analyzing the Lazarus Group loader I found basically an exact match. It’s interesting that the Lazarus Group programmers either Googled this or saw the presentation about it at the Infiltrate conference in 2017 or something.”
This reuse illustrates the benefits to attackers of recycling sophisticated malware tools—whether they come from intelligence agencies or open source research. The stolen Windows hacking tool EternalBlue developed by the NSA and then stolen and leaked in 2017 has infamously been used by virtually every hacking group out there, from China and Russia to criminal syndicates. But while recycling is a widely known hacker practice, Wardle points out that just knowing about it abstractly isn’t enough. He argues that security professionals need to meaningfully focus on the mechanics of the process so they can overcome the shortcomings of existing protections and malware detection methods.
Take signature-based defenses, which work by essentially fingerprinting malicious programs and adding that identifier to a blacklist. Regular antivirus and malware scanning tools that rely on signatures generally fail to flag reused malware, because even the minor tweaks a new attacker makes change the program’s “signature.”
Malware is typically set up to check in over the internet with a remote server—a so-called “command and control server”—to find out what to do next. In some cases, attackers have to extensively overhaul found malware to reuse it, but often, as is the case with the Lazarus loader, they can simply make small tweaks like changing the command and control address to point to their own server rather than the original developer’s. Recyclers still need to do enough analysis to ensure that the malware’s authors haven’t designed a way for the malware to fall back to the original control server, but once they’re sure they’ve scrubbed the previous owners, they can assume full control.
“This is why I think behavior-based detection is so important,” says Wardle, who presented novel techniques for behavior-based detection on macOS at RSA last year. “From a behavior point of view, repurposed malware looks and acts exactly the same as its predecessor. So we need to motivate the security tools community to step further and further away from signature-based detection, because it’s unacceptable that if you redeploy malware it can go undetected. Repurposed malware should not pose any additional threats.”
Recycled malware also has the potential to muddy attribution, as Russia’s elite hackers know all to well. If a certain actor develops a trademark malware, it can be easy to assume that all activity employing that tool comes from the same group.
That anonymity is obviously a benefit for attackers, though, and one of many that come with malware reuse. That’s why Wardle emphasizes the need to keep a close eye on such recycling over time.
“The Lazarus Group first-stage loader to me seems like the perfect case study,” Wardle says. “It drives home the point that with the ability to repurpose samples, the average hacker can weaponize advanced malware for their own goals—and signature-based detection is not going to catch it.”