Disrupting the activity of the “Lazarus” cyber gang in Saudi Arabia

Feb 28, 2016

Kaspersky Lab said that, in collaboration with other partners in the technology sector, it has disrupted the activity of the “Lazarus” gang, a group responsible for data-destroying malware attacks and for conventional cyber-espionage targeting multiple companies around the world, including in Saudi Arabia. The attackers are believed to be the same group behind the 2014 attack on Sony Pictures Entertainment and the DarkSeoul operation that targeted media companies and financial institutions in 2013.

After the devastating 2014 attack on the well-known film studio Sony Pictures Entertainment, Kaspersky Lab's Global Research and Analysis Team began investigating samples of the malicious code used in the attack, notorious under the name “Zovr”. That led to broader research into a series of cyber-espionage and sabotage campaigns that targeted financial institutions, broadcast media stations, manufacturing companies and others.

By comparing the common characteristics of different malware families, Kaspersky Lab experts were able to pull together the results of analyses of dozens of isolated attacks and concluded that all of them trace back to a single threat actor, a finding confirmed by the other participants in Operation Blockbuster through their own analysis.

It turns out that the “Lazarus” cyber gang had been active for many years before the attack on Sony Pictures Entertainment, and it appears to remain active today. Kaspersky Lab's research, together with the analyses of the other Operation Blockbuster participants, confirmed a relationship between the malware used in various campaigns, such as Operation DarkSeoul against banks and broadcast media, Operation Troy against the armed forces of South Korea, and the Sony Pictures incident.

During the investigation, Kaspersky Lab researchers shared preliminary findings with their counterparts at AlienVault. In the end, researchers from both companies decided to join forces in a joint investigation. At the same time, investigation of the “Lazarus” gang's activity was in full swing at many other companies, with the participation of security specialists. One of these companies, Novetta, launched an initiative intended to gather and disseminate comprehensive intelligence about the gang's activity. As part of Operation Blockbuster, Kaspersky Lab, together with Novetta, AlienVault Labs and other industry partners, published its findings for the benefit of a wider audience.

By analysing multiple malware samples recovered from different security breaches and creating special tracking rules, Kaspersky Lab, AlienVault Labs and the other companies participating in Operation Blockbuster were able to identify a number of attacks by the “Lazarus” gang.

The relationship between multiple samples from attacks originating from the same gang was established while analysing the methods the gang used. In particular, it was noted that the attackers reuse code extensively, borrowing portions of the code belonging to one piece of malware for use in another.

In addition, the researchers discovered similarities in the attackers' modus operandi. While tracking and analysing the traces of various cyber attacks, they found that all of the droppers (special files used to install different kinds of malicious payloads) keep their payloads in password-protected compressed ZIP archives. The archive password used across the different campaigns is the same and is hard-coded into the dropper. The password protection was applied to prevent automated systems from extracting and analysing the payloads, but in fact it greatly helped the researchers and ultimately led them to identify the cyber gang.
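The packaging trait described above (a dropper carrying its payload in a password-protected ZIP) can be turned into a simple triage check. The following is an added example, not code from the article, Kaspersky Lab or any Operation Blockbuster partner: it scans an arbitrary byte blob for embedded ZIP local file headers and reports entries whose general-purpose flag marks them as encrypted. The sample dropper bytes are constructed inline; `build_entry` only sets the encryption flag and does not actually encipher anything.

```python
import struct
import zlib

LOCAL_HDR = b"PK\x03\x04"
# sig, version, flags, method, mod time, mod date, crc32, csize, usize, name len, extra len
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes


def find_zip_entries(blob):
    """Scan a byte blob (e.g. a dropper's resource section) for embedded ZIP
    local file headers and describe each entry, including its encryption flag."""
    entries = []
    pos = blob.find(LOCAL_HDR)
    while pos != -1 and pos + LOCAL_LEN <= len(blob):
        (_, _, flags, method, _, _, crc, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, pos)
        name_start = pos + LOCAL_LEN
        name = blob[name_start:name_start + nlen].decode("latin-1", "replace")
        entries.append({
            "offset": pos,
            "name": name,
            "encrypted": bool(flags & 0x0001),  # bit 0 = traditional PKWARE password protection
            "method": method,
            "compressed_size": csize,
        })
        # Resume after name + extra field; csize is not trusted because a malformed
        # or data-descriptor entry may declare 0 and hide the next header.
        pos = blob.find(LOCAL_HDR, name_start + nlen + xlen)
    return entries


def flag_dropper(blob):
    """True when the blob carries at least one password-protected ZIP entry."""
    return any(e["encrypted"] for e in find_zip_entries(blob))


def build_entry(name, data, encrypted):
    """Construct a minimal stored (method 0) local file entry for the constructed sample.
    With encrypted=True only the flag bit is set; the data bytes are left as-is."""
    raw_name = name.encode("ascii")
    flags = 0x0001 if encrypted else 0
    hdr = struct.pack(LOCAL_FMT, LOCAL_HDR, 20, flags, 0, 0, 0,
                      zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data), len(raw_name), 0)
    return hdr + raw_name + data


# Constructed sample: a fake executable prefix, a password-protected payload entry, then a plain one.
SAMPLE_DROPPER = (b"MZ" + b"\x00" * 64
                  + build_entry("payload.dll", b"not real code", True)
                  + build_entry("readme.txt", b"hello", False))
```

The same scan, applied across many droppers, is what makes a shared hard-coded archive password a clustering signal rather than an anti-analysis measure.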

A special method the criminals use to remove any trace of their presence from infected systems, along with other techniques they used to evade detection by anti-virus products, gave the researchers additional means of discovering related attacks. In the end, dozens of targeted attacks whose perpetrators had been regarded as unknown were linked to a single cyber gang.

Cumulative analysis of the samples showed that the earliest malware samples were likely created in 2009, five years before the devastating attack on Sony. A dynamic increase in the number of new samples has been observed since 2010, which makes the “Lazarus” cyber gang a stable and long-term threat actor. Based on metadata extracted from the samples under investigation, most of the malware used by the “Lazarus” gang appears to have been compiled during official working hours in the GMT+8 and GMT+9 time zones.

Juan Guerrero, a senior security researcher at Kaspersky Lab, said: “Exactly as we had expected, the number of data-wiping attacks is growing steadily. This breed of malware constitutes a form of destructive cyber weapon. The ability to wipe thousands of computers with a single click represents a big bonus for any professional team that penetrates computer networks, misleading the target company, imposing costs and disabling it. The value of this kind of attack, as part of the concept of hybrid war, where data-wiping attacks are combined with dynamic attacks to disrupt the infrastructure of nations, is still an interesting hypothetical exercise, but it is closer to reality than is comfortable. We are proud to join our partners in the sector in placing obstacles in the path of this fierce cyber gang, which is ready to harness these destructive techniques for malicious purposes.”

Jaime Blasco, chief scientist at AlienVault, noted: “This gang has all the necessary skills and the determination to carry out cyber-espionage campaigns in order to steal data or cause damage. Combining these skills with the use of misinformation and deception techniques, the attackers managed to launch several successful malicious campaigns over the past few years.” He added: “Operation Blockbuster shows how information sharing at the sector level and cooperation among partners play an active role in achieving remarkable progress in preventing hackers from continuing to launch malicious cyber attacks.”

Andre Ludwig, senior technical director of Novetta's Threat Research and Interdiction Group, said: “Operation Blockbuster has made it possible for Novetta, Kaspersky Lab and our partners to continue uniting their efforts to establish a methodology for disrupting malicious attacks by prominent global cyber gangs, in an attempt to hinder their efforts to inflict further harm on their victims.” He added: “The level of in-depth technical analysis carried out in the framework of Operation Blockbuster is rare indeed, and sharing our research results with our partners in the sector for the public benefit, by raising awareness of it, is something even rarer.”
