{"id":17096,"date":"2020-07-28T14:03:57","date_gmt":"2020-07-28T10:03:57","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/lazarus-vhd-ransomware\/17096\/"},"modified":"2020-07-28T14:03:57","modified_gmt":"2020-07-28T10:03:57","slug":"lazarus-vhd-ransomware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/lazarus-vhd-ransomware\/17096\/","title":{"rendered":"Lazarus experiments with new ransomware"},"content":{"rendered":"<p>The Lazarus group has always stood out for using methods typical of APT attacks but specializing in financial cybercrime. Recently, our experts detected fresh, previously unexplored VHD malware, which Lazarus seems to be experimenting with.<\/p>\n<p>Functionally, VHD is a fairly standard ransomware tool. It creeps through the drives connected to a victim\u2019s computer, encrypts files, and deletes all System Volume Information folders (thereby sabotaging System Restore attempts in Windows). What\u2019s more, it can suspend processes that could potentially protect important files from modification (such as Microsoft Exchange or SQL Server).<\/p>\n<p>But what\u2019s really interesting is how VHD gets onto target computers, because its delivery mechanisms have more in common with APT attacks. Our experts recently investigated a couple of VHD cases, analyzing the attackers\u2019 actions in each.<\/p>\n<h2>Lateral movement through the victim\u2019s network<\/h2>\n<p>In the first incident, our experts\u2019 attention was drawn to the malicious code responsible for spreading VHD over the target network. It turned out that the ransomware had at its disposal lists of IP addresses of the victim\u2019s computers, as well as credentials for accounts with admin rights. It used that data for brute-force attacks on the SMB service. 
If the malware managed to connect using the SMB protocol to the network folder of another computer, it copied and executed itself, encrypting that machine also.<\/p>\n<p>Such behavior is not very typical of mass ransomware. It suggests at least a preliminary reconnaissance of the victim\u2019s infrastructure, which is more characteristic of APT campaigns.<\/p>\n<h2>Chain of infection<\/h2>\n<p>The next time our Global Emergency Response Team encountered this ransomware during an investigation, the researchers were able to trace the entire infection chain. As they reported, the cybercriminals:<\/p>\n<ol>\n<li>Gained access to victims\u2019 systems by exploiting a vulnerable VPN gateway;<\/li>\n<li>Obtained admin rights on the compromised machines;<\/li>\n<li>Installed a backdoor;<\/li>\n<li>Seized control of the Active Directory server;<\/li>\n<li>Infected all computers on the network with the VHD ransomware using a loader specially written for the task.<\/li>\n<\/ol>\n<p>Further analysis of the tools employed showed the backdoor to be part of <a href=\"https:\/\/www.kaspersky.com\/blog\/mata-framework\/36458\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">the multiplatform MATA framework<\/a> (which some of our colleagues call Dacls). We\u2019ve concluded that it\u2019s another Lazarus tool.<\/p>\n<p>You\u2019ll find a detailed technical analysis of these tools, together with indicators of compromise, <a href=\"https:\/\/securelist.com\/lazarus-on-the-hunt-for-big-game\/97757\/\" target=\"_blank\" rel=\"noopener noreferrer\">in the relevant article on our Securelist blog<\/a>.<\/p>\n<h2>How to protect your company<\/h2>\n<p>The VHD ransomware actors are clearly a cut above average when it comes to infecting corporate computers with a cryptor. The malware is not generally available on hacker forums; rather, it\u2019s specifically developed for targeted attacks. 
The techniques used to penetrate the victim\u2019s infrastructure and propagate within the network recall sophisticated APT attacks.<\/p>\n<p>This gradual blurring of the boundaries between financial cybercrime tools and APT attacks is proof that even smaller companies need to consider using more advanced security technologies. With that in mind, we recently unveiled an integrated solution with both Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) functionality. You can find out more about the solution on <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security\/endpoint-security-solution?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">its dedicated page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Lazarus cybercrime group uses traditional APT techniques to spread VHD ransomware.<\/p>\n","protected":false},"author":700,"featured_media":17097,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1702,433,81],"class_list":{"0":"post-17096","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-lazarus","11":"tag-ransomware","12":"tag-targeted-attacks"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/lazarus-vhd-ransomware\/17096\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/lazarus-vhd-ransomware\/21633\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/lazarus-vhd-ransomware\/22905\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/lazarus-vhd-ransomware\/21091\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/lazarus-v
hd-ransomware\/19773\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/lazarus-vhd-ransomware\/23573\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/lazarus-vhd-ransomware\/22422\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/lazarus-vhd-ransomware\/28813\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/lazarus-vhd-ransomware\/8652\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/lazarus-vhd-ransomware\/36559\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/lazarus-vhd-ransomware\/15384\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/lazarus-vhd-ransomware\/15827\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/lazarus-vhd-ransomware\/13727\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/lazarus-vhd-ransomware\/24801\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/lazarus-vhd-ransomware\/11764\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/lazarus-vhd-ransomware\/28892\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/lazarus-vhd-ransomware\/25748\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/lazarus-vhd-ransomware\/22658\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/lazarus-vhd-ransomware\/27923\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/lazarus-vhd-ransomware\/27753\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"htt
ps:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=17096"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17096\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/17097"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=17096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=17096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=17096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}