U.S. Cyber Command warns of North Korea-linked Lazarus Group malware

Written by

Malicious software samples uploaded by U.S. Cyber Command to VirusTotal on Wednesday are associated with campaigns from Lazarus Group, an advanced persistent threat group linked with North Korea, two cybersecurity researchers told CyberScoop.

Lazarus is an umbrella name that typically describes hacking activity which advances Pyongyang’s interests. The group is especially known for its financial motivations, such as abusing the Society for Worldwide Interbank Financial Telecommunication (SWIFT) monetary transfer system and for hacking banks, according to Adam Meyers, vice president of intelligence at CrowdStrike. The instance Wednesday marks the second time in as many months Cyber Command added malware details to the VirusTotal security repository as part of an information sharing effort with the private sector.

Researchers from cybersecurity firms Symantec and CrowdStrike said they have seen the two malware samples in this case (available here and here) associated with Lazarus Group. The technical capabilities of the malware strains were not immediately clear.

The last samples Cyber Command shared were linked with Iran, as CyberScoop previously reported.

Lazarus Group often uses password-protected executables and secure deletion functions to conceal its nefarious activity from victims, according to Meyers, of CrowdStrike.

Cyber Command would not comment on attribution, as has been its standard practice with VirusTotal releases.

“The Cyber National Mission Force is releasing malware as part of the U.S. Cyber Command persistent engagement methodology,” a spokesperson told CyberScoop. “Recognizing the value of collaboration with the cybersecurity industry and public sector, the [Cyber National Mission Force] is continuing to share malware samples it believes will have the greatest impact on improving global security.”

This update also comes as the federal government’s wider information sharing program is maturing. In the last VirusTotal release, Cyber Command gave advance warning of the release to the Department of Homeland Security, which also included the private sector, as CyberScoop first reported.

Some of Lazarus Group’s activity has stemmed from sanctions slapped on North Korea, which have starved Kim Jong-un’s government of financial resources, Meyers notes. The Lazarus Group targeted SWIFT after sanctions banned North Korea from that international financial network in 2017, for instance.

A leaked United Nations report recently sent to the U.N. Security Council’s North Korea sanctions committee says Pyongyang has used 35 cyberattacks to steal $2 billion to fund its weapons programs. The regime “used cyber-space to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income,” the report’s authors wrote, according to the BBC.

This Cyber Command release comes just days after North Korea claims it launched a new kind of short-range ballistic missile in violation of United Nations resolutions. It’s the third instance of the regime claiming to have tested a new ballistic missile or rocket system in the last month, according to the New York Times.