Internals of Lazarus Operation Dream Job

0xthreatintel

Jan 27·7 min read

Reverse Engineering Torisma and LCPDot Malware.

In this blog, i will be reversing two malwares found in Lazarus(aka Unit 180/Hidden Cobra) group “Operation Dream Job” which are Torisma and LCPDot Malware.

Torisma Internals

Static Analysis (Basic)

File Information:

It’s 64bit malware.

It’s the unpacked sample from origin sample.

For reversing the sample we had unpacked the sample of Torisma.

Static Analysis (Advanced)

For starting with the advanced static analysis lets see the exports. In exports there is only one function.

exports of Torisma.

For reversing & convenient purpose, i had rename the “DllEntryMain” function as “get_system_info_create_thread_and_abort_ps” which is the entry function.

get_system_info_create_thread_and_abort_ps function:

In this function, mainly their are two functions , first one is fetch_sys_info and another one is create_thread_and_abort_ps_load_dlls.

Code of get_system_info_create_thread_and_abort_ps function.

Call Graph of get_system_info_create_thread_and_abort_ps function.

fetch_sys_info function:

In this function, using these functions GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter in which information like system time, current process and thread id’s , etc from the system is being fetched.

create_thread_and_abort_ps_load_dlls function:

In this function, thread is being created using “create_thread_and_abort_ps” and it also abort some process running on system whereas using “load_dlls_for_further_triage” many dlls are being loaded into the memory for further exploitation.

Now , moving on to some more interesting modules in the Torisma unpacked sample.

mal_pipe_creation function:

This function is particularly used for creating the server for establishing communication with the Command and Control server (aka C&C/C2).

mal_config function:

For encrypting the communication of C&C, the Torisma is using the VEST-32 algorithm confirmed by JPCERT/CC and also by us. The Encryption Key is “ff7172d9c888b7a88a7d77372112d772".

make_request_to_C2_using_proxy function:

This function is used for setting up proxy and communications with C2.

connect_back_to_C2 function:

This is the main function making communications with command and control server it has the encrypted C2 urls.( for the reference read the comments)

Call Graph of connect_back_to_C2 function.

get_file_from_C2 function:

This module is being used for downloading more files from Command and Control server (C&C).

Dynamic Analysis:(Basic)

Dynamic Analysis(Advanced)

Indicators of Compromise(IOCs) and Detections

Network [ C2 Communications]

31[.]186[.]8[.]221, 103[.]227[.]176[.]20, 192[.]35[.]177[.]64, 51[.]255[.]16[.]98.

Att&ck IDs

T1129, T1085, T1085, T1012.

Att&ck Mitre Techniques

Sample from Report

Torisma:

Md5: 9a8403e2eb0324050e53f2c500bc8308

SHA1: 56b9de82c7ede1c231dc20ff0726bf416f13f312
SHA256: 7cd3ca8bdfb44e98a4b9d0c6ad77546e03d169bda9bdf3d1bcf339f68137af23

DNS requests [domains]

www[.]scimpex[.]com
www[.]commodore[.]com[.]tr
www[.]fabianiarte[.]com

YARA Signature:

Mapping Network Traffic via Wire:

LCPDot Internals

Static Analysis (Basic)

File Information:

It’s 32bit malware.

It is already unpacked sample.

Here’s the view of already unpacked sample of LCPDot sample.

Static Analysis (Advanced)

For starting with the advanced static analysis lets see the exports. In exports there is three functions.

DllEntryPoint function:

Similar to most of the malware this LCPDot function is also being deployed for fetching system information using “system_info_fetch” and thread is being established and dlls are being loaded using “dll_loader_thread_establisher” function.