Lazarus Group

Lazarus Group is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009, and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of the campaign Operation Blockbuster, which was named by Novetta.

Malware used by Lazarus Group has correlated to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. In late 2017, Lazarus Group used the disk-wiping tool KillDisk in an attack against an online casino based in Central America.

North Korean group definitions have significant overlap, and the name Lazarus Group encompasses a broad range of activity. Some organizations use Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups, such as Bluenoroff, APT37, and APT38 separately, while other organizations track some activity associated with those groups as Lazarus Group.

Other names for this threat

Andariel, Appleworm, APT-C-26, APT38, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, GOP, Group 77, Guardian of Peace, Guardians of Peace, Hastati Group, HIDDEN COBRA, Labyrinth Chollima, Lazarus, NewRomantic Cyber Army Team, NICKEL ACADEMY, Operation AppleJesus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Silent Chollima, Subgroup: Andariel, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, WHOis Team, ZINC

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.