Lazarus Group’s Operation Dream Magic

The Lazarus group is a hacking group known to be state-sponsored, and it actively conducts hacking activities worldwide for financial gain, data theft, and other purposes.

A simplified overview of the Lazarus group’s watering hole attack that abused the INISAFE vulnerability is as follows: a malicious link was inserted into a specific article on a news website, and companies and institutions whose users opened this article became targets of the attack. The attackers exploited vulnerable Korean websites and used them as C2 servers to support the attack, and they applied IP filtering so that only selected visitors were targeted. While the program vulnerability used in this watering hole attack has since shifted from INISAFE to MagicLine, the overall watering hole process remains unchanged from the earlier INISAFE case.

AhnLab coordinated the efforts of multiple teams to respond to the Lazarus group’s exploitation of the MagicLine vulnerability in this watering hole attack. The analysis team was responsible for studying the conditions under which the MagicLine vulnerability can be detected and for updating the anti-malware engine accordingly. The technical support team handled customer responses, including log and sample collection, when the affected PC belonged to a customer. The response team analyzed the gathered logs and liaised with national agencies. Through this collaboration and information sharing with national agencies, AhnLab tracked and analyzed the Lazarus group’s watering hole attacks exploiting the MagicLine vulnerability. Combining part of the MagicLine manufacturer’s name with the name MagicLine, AhnLab named this operation “Operation Dream Magic”.

The following report includes content based on the malware analysis, detection status, and log analysis collected with the cooperation of several companies, as well as on the information sharing and collaboration with national agencies. It also explains the basis on which the recent operation was attributed to the Lazarus group.

[+] Download Report: 20231013_Lazarus_OP.Dream_Magic (This report supports Korean only.)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
