Lazarus Group is one of the most notorious APT actors nowadays. The infamous attacks by the group include cyber-sabotage against Sony Picture Entertainment, and cyber-heists leveraging fraudulent SWIFT payment messages from banks in Bangladesh, Southeast Asia and Africa. The group intensified its efforts in 2017 and kept up the pace at the turn of the year. The attribution of the new cases was determined by observing similarities with previously resolved cases: specific chunks of code, unique data and network infrastructure. We summarize the crucial links that played a role in these major cases from the perspective of malware researchers. Moreover, the links are backed with evidence provided by the FBI investigators in the recently published criminal complaint by US’ Department of Justice that sets conspiracy charges on people behind the attacks.

There are several static features that vary between the instances: dynamic WINAPI resolving and the obfuscation of procedure names, the form of self-delete batches, the list of domains leveraged for fake TLS communication, the formatting strings included in TCP backdoors, etc. The variety is so huge, that it suggests that the Lazarus group may be split into multiple, independent, code-sharing cells. We support the idea by exploring the undocumented PE Rich Headers metadata which proves there are various building environments producing the malicious binaries simultaneously.

There are several instances from the Lazarus toolset that have not been publicly reported: The very first iteration of WannaCry from 2016, in-the-wild experimenting with the malicious Java downloaders targeting multiple platforms, the use of a custom malware packer, the presence of strange artifacts like Chinese language or South Korean cultural references. Moreover, we will present details about an act of cyber sabotage against an online casino in Central America from late 2017, that shared interesting links to other recent attacks against financial institutions.