For years, North Korea’s Lazarus Group hackers have plundered and pillaged the global internet, scamming and infecting digital devices around the world for espionage, profit, and sabotage. One of their weapons of choice: a so-called loader that allows them to clandestinely run a diverse array of malware on targeted Macs with hardly a trace. But Lazarus didn’t create the loader on its own. The group seems to have found it laying around online, and repurposed it to elevate their attacks.
The reality of malware reuse is well established. The NSA reportedly reuses malware, as do state sponsored hackers from China, Russia, North Korea, and elsewhere. But at the RSA security conference in San Francisco on Tuesday, former National Security Agency analyst and Jamf researcher Patrick Wardle will show a particularly impactful example of how ubiquitous and extensive malware reuse really is, even on Macs—and how vital it is to take the threat seriously.
“You take malware that someone else has created, analyze it, and then reconfigure it so you can redeploy it,” Wardle says. “Why would you develop something new when three-letter agencies and other groups are creating just incredible malware that’s fully featured, fully tested, and a lot of times has even already been tested in the wild.”
“The Lazarus Group programmers either googled this or saw the presentation about it.”
Patrick Wardle, Jamf
Researchers saw Lazarus Group using early iterations of the loader in 2016 and 2018, and the tool has continued to evolve and mature. Once Lazarus tricks a victim into installing the loader—typically through phishing or another scam—it beacons out to the attacker’s server. The server responds by sending encrypted software for the loader to decrypt and run.
The loader Wardle examined is especially appealing, because it is designed to run whatever “payload,” or malware, it receives directly in a computer’s random access memory, rather than installing it on the hard drive. Known as a fileless malware attack, this makes it much harder to detect an intrusion or investigate an incident later, because the malware doesn’t leave records of having ever been installed on the system. And Wardle points out that the loader, a “first stage” attack tool, is payload-agnostic, meaning you can use it to run whatever type of “second stage” attack you want on a target’s system. But Lazarus didn’t come up with all these impressive tricks itself.
“All the code that implements the in-memory loader was actually grabbed from a Cylance blog post and GitHub project where they released some open source code as part of research,” Wardle says. Cylance is an antivirus firm that also conducts threat research. “When I was analyzing the Lazarus Group loader I found basically an exact match. It’s interesting that the Lazarus Group programmers either googled this or saw the presentation about it at the Infiltrate conference in 2017 or something.”
This reuse illustrates the benefits to attackers of recycling sophisticated malware tools—whether they come from intelligence agencies or open source research. The stolen Windows hacking tool EternalBlue developed by the NSA and then stolen and leaked in 2017 has infamously been used by virtually every hacking group out there, from China and Russia to criminal syndicates. But while recycling is a widely known hacker practice, Wardle points out that just knowing about it abstractly isn’t enough. He argues that security professionals need to meaningfully focus on the mechanics of the process so they can overcome the shortcomings of existing protections and malware detection methods.
Take signature-based defenses, which work by essentially fingerprinting malicious programs and adding that identifier to a blacklist. Regular antivirus and malware scanning tools that rely on signatures generally fail to flag reused malware, because even the minor tweaks a new attacker makes change the program’s “signature.”