Anatomy of COBRA - The Lazarus Group's Recent Activities and TTPs

The Lazarus group has caused massive damage to many countries and organizations. Many attack operations are associated with the Lazarus group, and some of them have not yet been made public. The goal of this presentation is to provide a detailed description of the Lazarus group's recent activities. The presentation first organizes the Lazarus group's attack campaigns and shows the possible links between the attack operations in this research and public information released by security vendors. We then introduce the latest TTPs, including the malware and tools used in the following two Lazarus group campaigns, which our IR team investigated.

  • Operation Dream Job
  • Operation JTrack

Operation Dream Job is a campaign targeting the defense industry, and its attacks have been confirmed in various parts of the world. Many types of malware are used in this campaign, and we describe them in detail. In addition, we describe the tools the attackers used inside the network and map their TTPs to ATT&CK. Operation JTrack was an attack campaign that targeted organizations in Japan. Several types of malware and tools used in this campaign are also described in detail. We present tools that can be used to analyze this malware. Finally, we compare the TTPs of these two attack campaigns and provide information that can be used for defense.
This presentation helps you understand the Lazarus group's latest TTPs and can be used for IR and defense.