The Lazarus hacker group has launched numerous disruptive campaigns against notable companies over the past few years. Reportedly backed by the North Korean regime, it is presently categorized as an advanced persistent threat by a collective of nations for its cybercriminal activities, which have led to over a billion dollars in losses.
A new report compiled by cybersecurity researcher Shusei Tomonaga shines a light on the unit's most formidable hacking techniques, many of which have been used in the group's most recent campaign against Japanese firms. The report notes the use of the VSingle HTTP bot as a primary vector: the code executes stealthily to establish an initial foothold on a system and then downloads obfuscation and exploitation software. Some versions of the bot also perform DLL injection to hide their activity.
The Lazarus group also makes use of ValeforBeta, which works similarly to VSingle to transmit system information and to upload and download files. After successfully infecting primary system processes, the group deploys the 3Proxy, Stunnel, and Plink tools to maintain a connection with the system, carry out mass analysis of infected devices, and retain control of vital resources.