More links between WannaCry and Lazarus group revealed

Symantec researchers have found more links between WannaCry ransomworm and Lazarus, the hacking group believed to be behind the 2014 attack on Sony Pictures and the 2016 Bangladesh Central Bank heist.

WannaCry Lazarus links

Earlier WannaCry attacks point to the group

As you may or may not know, the May 12 attack was not the first time that the WannaCry ransomware was used. But, it was the first time that this particular variant, which incorporated the leaked “EternalBlue” exploit, was employed.

Previous WannaCry attacks were flagged in February, March, and April 2017, and an analysis of the tools, techniques, and infrastructure used in these attacks has revealed many similarities with the those used in previous Lazarus attacks.

For example: Following the first WannaCry attack in February, three pieces of malware linked to Lazarus were discovered on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.

Another example: Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer (previously linked to Lazarus).

A third one: Trojan.Bravonc used the same IP addresses for C&C as Backdoor.Duuzer and Backdoor.Destover.

“But how likely is it that the previous WannaCry attacks and the latest one have been mounted by the same team?” you ask. The answer is: “Very likely.”

“The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. The passwords used to encrypt the Zip files embedded in the WannaCry dropper are similar across both versions (‘wcry@123’, ‘wcry@2016’, and ‘WNcry@2ol7’) indicating that the author of both versions is likely the same group,” the researchers explained.

“The small number of Bitcoin wallets used by first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.”

Finally, there are links between the WannaCry malware itself and Lazarus.

For one, WannaCry uses similar code obfuscation as the Bravonc Trojan and Fakepude infostealer (both linked to Lazarus). Secondly, WannaCry shares some code with the Contopee Trojan, also previously linked to Lazarus.

“One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry. The cipher suite in both samples has the same set of 75 different ciphers to choose from (as opposed to OpenSSL where there are over 300),” the researchers noted.

Who are the Lazarus hackers?

It is widely believed that Lazarus is a North Korean hacker group.

In the Sony Pictures and Bangladesh Central Bank heist, they are believed to have worked on behalf of the North Korean government.

But the WannaCry attacks do not bear the hallmarks of a nation-state campaign – they are more typical of a cybercrime campaign, the researchers noted. It’s possible that the attackers’ goal was to simply steal money.

In February 2017, BAE Systems and Symantec researchers have revealed that the websites of financial institutions around the world have been compromised to serve malware (a watering hole attack).

“The malware used in the attacks (Downloader.Ratankba) was previously unidentified, although it was detected by Symantec under generic detection signatures,” Symantec researchers have noted at the time.

“Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus.”

The first WannaCry attacks were not nearly as successful as this last one – that is, if you only count the number of successful installations of the malware. So far, only 300 or so victims have paid the ransom, in the total amount of some $110,000.

It’s possible that more victims will still pay up, but all in all, the campaign has “earned” the attackers a pitifully small amount of money, especially when compared to the millions stolen by attackers wielding the Locky and Cerber ransomware.

The attackers – whether they are the Lazarus group or not – have yet to collect the money.