Lazarus Group is a mahjong game that uses different sets of tiles
To read the entire article, please click the link below. For those who don’t want to read the entire article, here is a summary:
virusbulletin/2019/06/vb2018-paper-lazarus-group-mahjong-game-played-different-sets-tiles/#ref25
The Lazarus Group, also known as. Since its establishment in 2009, Hidden Cobra has seen a rapid increase in incidents. In 2017, this notorious group intensified their efforts (e.g. The WannaCryptor virus, the attacks on Mexican banks, the spear-phishing campaign targeting US contractors, and the Android-ported payloads, bitcoin-oriented attacks, and many more. These cases were attributed by looking at similarities to cases that had been resolved previously: specific code chunks, unique data and network infrastructure. We summarize the key links that played a part in these major cases in this paper.
Every attack appears to have modified the source code of the group’s toolset. There are several static features that differ between instances: the dynamic Windows API resolution, the obfuscation procedure and library name names, self-deleting batch file formats, the list domains used for fake TLS communication and the format strings included with TCP backdoors. The use of commercial packers is another example. This is enough to suggest that the Lazarus group could be divided into multiple code-sharing cells. This idea was further explored by our research. We also looked at the undocumented PE Rich Header metadata. This again shows that there are many development environments that produce malicious binaries.
There are also binaries that are not yet publicly reported from the Lazarus toolset. These samples have provided interesting insights to the Lazarus puzzle. They include the very first WannaCryptor iteration from 2016, in-the wild experimentation with malicious Java downloaders targeting multiple platforms and the use of a customized malware packer. We also discovered strange artifacts such as South Korean cultural references or Chinese language. This paper will provide previously unpublished details on the cyber-sabotage attack on an online casino in Central America in late 2017 and the mode of operation of the Lazarus cell behind it.
WannaCryReported cases
Operation Troy and DarkSeoul
Operation Blockbuster: The saga, the sequel, and going mobile
SWIFT attack in Bangladesh
– Mexican and Polish banks
WannaCryptor epidemic
– Bitcoin-oriented attacks
– The Turkish Bankshot

Their attack vectors, and Tooling
– Dynamic resolution for Windows APIs
– TCP backdoors
Fake TLS protocol
Self-deleting batch files
– PE Rich Header metadata
Conclusion
The group is clearly well-organized considering the magnitude of the Lazarus operations and the often severe consequences for their victims even on a global level. The group is still a threat to people all over the world, more than a decade after its first appearance. The group is known for achieving high outcomes with minimal effort. They often reuse already developed proofs of concepts and tools and rarely create anything new. They don’t seem to have one goal. While they may steal to get funds, they could be next to cyber espionage using destructive malware.
In most cases, the attribution was complex and often dependent on fine details. It is hard to believe that all the tools and approaches used are from one environment given the diversity of them. This, along with the PE Rich Header analysis results, leads us believe that multiple code development methods exist