Internals of Lazarus Operation Dream Job

Reverse Engineering Torisma and LCPDot Malware.

In this blog, I will be reversing two malware families found in the Lazarus (aka Unit 180 / Hidden Cobra) group's “Operation Dream Job”: Torisma and LCPDot.

Torisma Internals

File Information:

It's 64-bit malware.

File Information of Torisma Sample.
This is the unpacked sample, derived from the original (packed) sample.
Here's the view of the unpacked vs. packed Torisma sample.

For reversing, we unpacked the Torisma sample.

To start with advanced static analysis, let's look at the exports. There is only one exported function.

exports of Torisma.

For convenience while reversing, I renamed the “DllEntryMain” function, which is the entry function, to “get_system_info_create_thread_and_abort_ps”.

get_system_info_create_thread_and_abort_ps function:

This function mainly calls two functions: fetch_sys_info and create_thread_and_abort_ps_load_dlls.

Code of get_system_info_create_thread_and_abort_ps function.
Call Graph of get_system_info_create_thread_and_abort_ps function.

fetch_sys_info function:

This function calls GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount and QueryPerformanceCounter to fetch information such as the system time and the current process and thread IDs from the system.

Call Graph and Code of fetch_sys_info function.

create_thread_and_abort_ps_load_dlls function:

In this function a thread is created using “create_thread_and_abort_ps”, which also aborts some processes running on the system, while “load_dlls_for_further_triage” loads many DLLs into memory for later use by the malware.

Code and call graph of create_thread_and_abort_ps_load_dlls.

Now, moving on to some more interesting modules in the unpacked Torisma sample.

mal_pipe_creation function:

This function creates the server side used to establish communication with the command and control server (aka C&C/C2).

Call Graph and Code of mal_pipe_creation function.

mal_config function:

To encrypt its C&C communication, Torisma uses the VEST-32 algorithm, as confirmed by JPCERT/CC and also by us. The encryption key is “ff7172d9c888b7a88a7d77372112d772”.

Code and call graph of mal_config function.

make_request_to_C2_using_proxy function:

This function sets up the proxy and the communication with the C2.

Code and Call Graph of make_request_to_C2_using_proxy.

connect_back_to_C2 function:

This is the main function communicating with the command and control server; it holds the encrypted C2 URLs (see the comments in the code for reference).

Code of connect_back_to_C2 function.
Call Graph of connect_back_to_C2 function.

get_file_from_C2 function:

This module downloads more files from the command and control (C&C) server.

Code and Call Graph of get_file_from_C2 function.
VirusTotal Detections.
Running malicious Torisma on ANY.RUN.
Process Graph of attack chain.

Indicators of Compromise (IOCs) and Detections

31[.]186[.]8[.]221, 103[.]227[.]176[.]20, 192[.]35[.]177[.]64, 51[.]255[.]16[.]98.

MITRE ATT&CK techniques: T1129, T1085, T1012.

Torisma:

MD5: 9a8403e2eb0324050e53f2c500bc8308

SHA1: 56b9de82c7ede1c231dc20ff0726bf416f13f312
SHA256: 7cd3ca8bdfb44e98a4b9d0c6ad77546e03d169bda9bdf3d1bcf339f68137af23

www[.]scimpex[.]com
www[.]commodore[.]com[.]tr
www[.]fabianiarte[.]com

YARA Signature:

Mapping Network Traffic on the Wire:

Tracking C2 using Wireshark.

LCPDot Internals

File Information:

It's 32-bit malware.

File Information of LCPDot Sample.

The sample is already unpacked.

Here's the view of the already unpacked LCPDot sample.

To start with advanced static analysis, let's look at the exports. There are three exported functions.

exports of LCPDot.

DllEntryPoint function:

Like most malware, this LCPDot function fetches system information, here using “system_info_fetch”; a thread is established and DLLs are loaded using the “dll_loader_thread_establisher” function.

Code of DllEntryPoint function.
Call Graph of DllEntryPoint function.

Since this DllEntryPoint function is similar to Torisma's entry function, we leave its further explanation at that.

Let's look at some interesting functions.

set_auth_cookies_for_C2 function:

In this function, auth cookies are used to authenticate the C2 communication.

Call graph and code of set_auth_cookies_for_C2 function.
Here is the view of the cookie authentication for C&C communication.

For authentication, this binary checks the cookies. It can easily be seen that the binary reports the result of the authentication as “Auth Success” and “Auth Error”.
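Both the Torisma key string from the mal_config section and the “Auth Success” / “Auth Error” strings here are the kind of fixed artefact a YARA rule keys on. The scanner below is an added example (not the post's YARA signatures, which are not reproduced here): it applies YARA-style ASCII and wide (UTF-16LE) string matching with an all-of / any-of condition to constructed byte blobs, and assumes the key and the auth strings are stored as plain text in the unpacked binaries.

```python
"""YARA-style string matching for the two samples, as a Python stand-in.

Added example, not the post's own YARA signatures. It assumes that the
Torisma VEST-32 key and the LCPDot "Auth Success" / "Auth Error" strings
are stored in the unpacked binaries as plain ASCII or UTF-16LE text; the
sample blobs below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    name: str
    strings: Dict[str, bytes]   # identifier -> pattern as ASCII bytes
    condition: str              # "all" or "any" of the strings must hit
    wide: bool = True           # also search the UTF-16LE form (YARA "wide")


def encodings(pattern: bytes, wide: bool) -> List[bytes]:
    """Byte forms to search for: the ASCII form and, if wide, UTF-16LE."""
    forms = [pattern]
    if wide:
        forms.append(pattern.decode("ascii").encode("utf-16-le"))
    return forms


def scan(blob: bytes, rule: Rule) -> Dict[str, List[int]]:
    """Return {identifier: [offsets]} for every rule string found in blob."""
    hits: Dict[str, List[int]] = {}
    for ident, pattern in rule.strings.items():
        for form in encodings(pattern, rule.wide):
            start = 0
            while (pos := blob.find(form, start)) != -1:
                hits.setdefault(ident, []).append(pos)
                start = pos + 1
    return hits


def matches(blob: bytes, rule: Rule) -> bool:
    """Evaluate the rule condition over the strings found in blob."""
    hits = scan(blob, rule)
    if rule.condition == "all":
        return all(ident in hits for ident in rule.strings)
    return bool(hits)


def classify(blob: bytes) -> List[str]:
    """Names of all rules that match the blob, in rule order."""
    return [rule.name for rule in RULES if matches(blob, rule)]


TORISMA_KEY = Rule(
    name="Torisma_VEST32_key",
    strings={"$key": b"ff7172d9c888b7a88a7d77372112d772"},  # key from the post
    condition="any",
)
LCPDOT_AUTH = Rule(
    name="LCPDot_auth_strings",
    strings={"$ok": b"Auth Success", "$err": b"Auth Error"},
    condition="all",
)
RULES = [TORISMA_KEY, LCPDOT_AUTH]

# Constructed blobs standing in for slices of the unpacked samples.
TORISMA_BLOB = b"\x00" * 16 + b"ff7172d9c888b7a88a7d77372112d772" + b"\x00" * 8
LCPDOT_BLOB = (b"\x90" * 4 + "Auth Success".encode("utf-16-le") + b"\x00\x00"
               + b"Auth Error\x00")
CLEAN_BLOB = b"MZ" + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in (("torisma", TORISMA_BLOB), ("lcpdot", LCPDOT_BLOB),
                        ("clean", CLEAN_BLOB)):
        print(label, classify(blob))
```

Searching both encodings matters because a string that shows as ASCII in one build may be stored as UTF-16LE in another, and a rule that only tries one form silently misses the sample.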

make_request_to_C2 function:

This module is solely responsible for making requests to the command and control server (aka C&C/C2).

Code and Call Graph of make_request_to_C2 function.

C2_operations function:

This is the main module for carrying out the C&C operations.

Code and Call Graph of C2_operations.

data_query_from_C2 function:

This module is deployed to download plugins from the server.

Code and Call Graph of data_query_from_C2 function.

stop_handle_for_C2_comm function:

This module is deployed to stop communication with the C&C server.

Code and Call graph of stop_handle_for_C2_comm function.
VirusTotal Detection of LCPDot malware.
Running malicious LCPDot on ANY.RUN.
Process Graph of attack chain.

Indicators of Compromise (IOCs) and Detections

192[.]168[.]100[.]207

VirusTotal detection.

MITRE ATT&CK techniques: T1129, T1085.

Sample from Report

LCPDot:

MD5: 81ca4bd42b01fe43cefd7fc38083bc6b

SHA1: 1d261bae90a95c20caf7a12e9b404dd39009267a

SHA256: a9334efa9f40a36e7dde7ef1fe3018b2410cd9de80d98cf4e3bb5dd7c78f7fde

2 TOY GUYS LLC, Sectigo RSA Code Signing CA, Sectigo

Symantec Time Stamping Services Signer — G4, Symantec Time Stamping Services CA — G2, Thawte Timestamping CA

Symantec Time Stamping Services CA — G2, Symantec Time Stamping Services Signer — G4, 2 TOY GUYS LLC, Sectigo RSA Code Signing CA

www[.]sectigo[.]com

www[.]crl[.]usertrust[.]com
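The indicators from both the Torisma and the LCPDot sections can be turned into a watch list with a little tooling. The script below is an added example, not part of the post: it refangs the listed hosts and addresses, separates hashes from network indicators, keeps private addresses apart from the internet-routable ones, and matches the resulting watch list against constructed proxy log lines in an assumed `timestamp client host path` format.

```python
"""Refang the post's defanged indicators and match them against proxy logs.

Added example, not part of the original post. The indicator blocks are
copied from the post (still defanged); the proxy log lines and their
format (timestamp, client IP, destination host, path) are constructed
for this example.
"""
import ipaddress
import re
from typing import Dict, List, Set

TORISMA_IOCS = """
31[.]186[.]8[.]221, 103[.]227[.]176[.]20, 192[.]35[.]177[.]64, 51[.]255[.]16[.]98.
MD5: 9a8403e2eb0324050e53f2c500bc8308
SHA1: 56b9de82c7ede1c231dc20ff0726bf416f13f312
SHA256: 7cd3ca8bdfb44e98a4b9d0c6ad77546e03d169bda9bdf3d1bcf339f68137af23
www[.]scimpex[.]com
www[.]commodore[.]com[.]tr
www[.]fabianiarte[.]com
"""

LCPDOT_IOCS = """
192[.]168[.]100[.]207
MD5: 81ca4bd42b01fe43cefd7fc38083bc6b
SHA1: 1d261bae90a95c20caf7a12e9b404dd39009267a
SHA256: a9334efa9f40a36e7dde7ef1fe3018b2410cd9de80d98cf4e3bb5dd7c78f7fde
www[.]sectigo[.]com
www[.]crl[.]usertrust[.]com
"""

# A defanged host or address: labels joined by "[.]".
DEFANGED_TOKEN = re.compile(r"[A-Za-z0-9-]+(?:\[\.\][A-Za-z0-9-]+)+")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256):\s*([0-9a-fA-F]+)\s*$", re.IGNORECASE)
# Constructed log format: <timestamp> <client-ip> <destination-host> <path>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def refang(token: str) -> str:
    """Turn 31[.]186[.]8[.]221 back into 31.186.8.221."""
    return token.replace("[.]", ".")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a defanged IoC block into typed, refanged sets."""
    out: Dict[str, Set[str]] = {"ipv4": set(), "private_ipv4": set(),
                               "domain": set(), "hash": set()}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            out["hash"].add(m.group(2).lower())
            continue
        for token in DEFANGED_TOKEN.findall(line):
            value = refang(token)
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                out["domain"].add(value.lower())
                continue
            # Private (RFC 1918) addresses are not routable on the internet,
            # so they are kept apart from the perimeter watch list.
            out["private_ipv4" if ip.is_private else "ipv4"].add(value)
    return out


def match_proxy_log(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """One record per log line whose destination is a listed host or address."""
    watch = iocs["ipv4"] | iocs["domain"]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = m.group("host").lower()
        if host in watch:
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "host": host})
    return hits


ALL_IOCS = parse_iocs(TORISMA_IOCS + LCPDOT_IOCS)

# Constructed proxy log lines; only two of them touch listed indicators.
SAMPLE_LOG = [
    "2020-11-20T10:01:03Z 10.0.0.15 www.example.com /",
    "2020-11-20T10:02:41Z 10.0.0.15 www.scimpex.com /",
    "2020-11-20T10:02:45Z 10.0.0.22 51.255.16.98 /",
    "2020-11-20T10:03:10Z 10.0.0.22 192.168.100.207 /",
    "malformed line",
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG, ALL_IOCS):
        print(hit)
```

Indicators that come from a sample's code-signing certificate chain, such as the Sectigo and UserTrust CRL hosts listed above, are contacted by any binary signed under that chain, so review them separately before they go into a blocklist alongside the C2 domains.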

YARA Signature:

Mapping Network Traffic on the Wire:

Tracking C2 using Wireshark.

References

Thanks to ArkBird for the help.

Thank you for reading.

Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.