The links between the WannaCry ransomware and the Lazarus group, which is believed to be responsible for several high-profile attacks, are deeper and more substantial than previously thought, according to new evidence unearthed by security researchers.
The Lazarus group is a hacking team tied to North Korea that researchers have linked to a number of major intrusions, including the theft from Bangladesh Bank and the Sony Pictures Entertainment hack. Last week, researchers at Kaspersky Lab, who have studied the Lazarus group closely, said that the WannaCry ransomware had strong technical links to Lazarus. A number of code artifacts are shared between tools used by the Lazarus group and WannaCry, and researchers at Symantec have now published details showing that the ransomware campaign has several other technical links to Lazarus operations as well.
The first attacks involving WannaCry emerged in February, with others following in March and April. Those attacks were highly targeted and did not use the exploit code and worm-like spreading mechanism that the current version does; instead, they spread inside a victim's network with stolen credentials. The ransomware code itself is virtually identical across the early and current versions, but the tactics are different.
“Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign,” Symantec researchers said in a post analyzing the links.
“The first evidence Symantec has seen of WannaCry being used in the wild was February 10, 2017, when a single organization was compromised. Within two minutes of the initial infection, more than 100 computers in the organization were infected. The attackers left behind several tools on the victim’s network that provided substantial evidence into how WannaCry spread. Two files, mks.exe and hptasks.exe (see Appendix C: Indicators of Compromise), were found on one affected computer. The file mks.exe is a variant of Mimikatz, a password-dumping tool that is widely used in targeted attacks. The latter file, hptasks.exe, was used to then copy and execute WannaCry on other network computers using the passwords stolen by mks.exe.”
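The spread described in that quote, credential theft followed by copy-and-execute against many hosts in a couple of minutes, is a pattern a detection engineer can hunt for. The following is an added example, not code from Symantec or from the article: it runs a fan-out check over a few constructed log lines (the CSV format, field names, host names, user names and the thresholds are all assumptions made for the illustration), flagging any source host that authenticates to many distinct hosts inside a short window and noting which of those targets then saw remote execution.

```python
"""Flag rapid credential-based fan-out from a single host.

Added example, not the article's or Symantec's code. Models the behaviour
in the quoted passage: stolen passwords reused from one machine to copy and
run a payload on many others within minutes. The log format, field names,
hosts, users and thresholds below are assumptions for illustration only.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Assumed columns:
# ts,event,src,dst,user  where event is "logon" (network logon from src to
# dst as user) or "exec" (a remote service/process started on dst by src).
SAMPLE_LOG = """\
ts,event,src,dst,user
2017-02-10T09:00:01,logon,WS-17,FS-01,backupsvc
2017-02-10T09:00:02,exec,WS-17,FS-01,backupsvc
2017-02-10T09:00:05,logon,WS-17,WS-22,backupsvc
2017-02-10T09:00:06,exec,WS-17,WS-22,backupsvc
2017-02-10T09:00:09,logon,WS-17,WS-23,backupsvc
2017-02-10T09:00:10,exec,WS-17,WS-23,backupsvc
2017-02-10T09:00:14,logon,WS-17,WS-24,backupsvc
2017-02-10T09:00:15,exec,WS-17,WS-24,backupsvc
2017-02-10T09:00:20,logon,WS-17,WS-25,backupsvc
2017-02-10T09:00:21,exec,WS-17,WS-25,backupsvc
2017-02-10T09:05:00,logon,WS-03,FS-01,alice
2017-02-10T09:30:00,logon,WS-03,FS-02,alice
2017-02-10T10:00:00,logon,WS-03,PRN-01,alice
"""


def parse_events(text):
    """Parse the assumed CSV format into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_fanout(events, window=timedelta(minutes=2), min_targets=5):
    """Return {src: alert} for every source host that logs on to at least
    `min_targets` distinct hosts within `window`. Thresholds are assumed."""
    logons_by_src = defaultdict(list)
    execs_by_src = defaultdict(set)
    for e in events:
        if e["event"] == "logon":
            logons_by_src[e["src"]].append(e)
        elif e["event"] == "exec":
            execs_by_src[e["src"]].add(e["dst"])

    alerts = {}
    for src, logons in logons_by_src.items():
        # Sliding window over this source's time-ordered logons.
        start = 0
        for end in range(len(logons)):
            while logons[end]["ts"] - logons[start]["ts"] > window:
                start += 1
            win = logons[start:end + 1]
            targets = {x["dst"] for x in win}
            if len(targets) >= min_targets:
                alerts[src] = {
                    "first_seen": win[0]["ts"],
                    "targets": sorted(targets),
                    "users": sorted({x["user"] for x in win}),
                    # Targets where a remote execution event also came from src:
                    # the copy-and-run step, not just a credential spray.
                    "executed_on": sorted(targets & execs_by_src[src]),
                }
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, alert in find_fanout(parse_events(SAMPLE_LOG)).items():
        print(src, alert)
```

In the constructed sample, WS-17 reaches five hosts in under twenty seconds with one account and executes on all of them, which is the signal; WS-03 touches three hosts over an hour and stays quiet. On real telemetry the same logic would read Windows network-logon and service-installation events (or their EDR equivalents), and the window and target count should be tuned against the environment's normal administrative activity before alerting.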
The earlier WannaCry attacks also employed a pair of Trojans, known as Alphanc and Bravonc, that were used to drop the ransomware on compromised PCs. Alphanc is closely related to a variant of the Destover backdoor that was used in the attack on Sony Pictures Entertainment in 2014, and Bravonc uses a command-and-control IP address that has also been used by the Duuzer variant of Destover.
“Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry. The cipher suite in both samples has the same set of 75 different ciphers to choose from,” Symantec said.
Image: Tim Green, CC by license.