![](\"https:\/\/media.wired.com\/photos\/5e547e50011ffb0008ff5a51\/master\/pass\/security-feature_art-reusing_malware-484363562.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Lily Hay Newman| Date: Tue, 25 Feb 2020 12:00:00 +0000<\/strong><\/p>\n Lily Hay Newman<\/span><\/a><\/span> <\/span><\/p>\n Lazarus Group hackers have long plagued the internet—using at least one tool they picked up just by looking around online.<\/p>\n For years, North Korea's Lazarus Group hackers<\/a> have plundered and pillaged the global internet, scamming and infecting digital devices around the world for espionage, profit, and sabotage. One of their weapons of choice: a so-called loader that allows them to clandestinely run a diverse array of malware on targeted Macs with hardly a trace. But Lazarus didn't create the loader on its own. The group seems to have found it laying around online, and repurposed it to elevate their attacks.<\/p>\n The reality of malware reuse is well established. The NSA reportedly<\/a> reuses malware, as do state sponsored hackers from China<\/a>, Russia, North Korea, and elsewhere. But at the RSA security conference in San Francisco on Tuesday, former National Security Agency analyst and Jamf researcher Patrick Wardle will show<\/a> a particularly impactful example of how ubiquitous and extensive malware reuse really is, even on Macs\u2014and how vital it is to take the threat seriously.<\/p>\n \u201cYou take malware that someone else has created, analyze it, and then reconfigure it so you can redeploy it,\u201d Wardle says. \u201cWhy would you develop something new when three-letter agencies and other groups are creating just incredible malware that\u2019s fully featured, fully tested, and a lot of times has even already been tested in the wild.\u201d<\/p>\n "The Lazarus Group programmers either googled this or saw the presentation about it."<\/p>\n Patrick Wardle, Jamf<\/p>\n Researchers saw Lazarus Group using early iterations of the loader in 2016 and 2018<\/a>, and the tool has continued to evolve<\/a> and mature<\/a>. Once Lazarus tricks a victim into installing the loader\u2014typically through phishing or another scam\u2014it beacons out to the attacker's server. The server responds by sending encrypted software for the loader to decrypt and run.<\/p>\n The loader Wardle examined is especially appealing, because it is designed to run whatever \u201cpayload,\u201d or malware, it receives directly in a computer\u2019s random access memory, rather than installing it on the hard drive. Known as a fileless malware attack<\/a>, this makes it much harder to detect an intrusion or investigate an incident later, because the malware doesn\u2019t leave records of having ever been installed on the system. And Wardle points out that the loader, a \u201cfirst stage\u201d attack tool, is payload-agnostic, meaning you can use it to run whatever type of \u201csecond stage\u201d attack you want on a target\u2019s system. But Lazarus didn't come up with all these impressive tricks itself.<\/p>\n "All the code that implements the in-memory loader was actually grabbed from a Cylance blog post<\/a> and GitHub project where they released some open source code as part of research," Wardle says. Cylance is an antivirus firm that also conducts threat research. "When I was analyzing the Lazarus Group loader I found basically an exact match. It's interesting that the Lazarus Group programmers either googled this or saw the presentation about it<\/a> at the Infiltrate conference in 2017 or something."<\/p>\n This reuse illustrates the benefits to attackers of recycling sophisticated malware tools\u2014whether they come from intelligence agencies or open source research<\/a>. The stolen Windows hacking tool EternalBlue developed by the NSA and then stolen and leaked in 2017 has infamously been used by virtually every hacking group<\/a> out there, from China<\/a> and Russia<\/a> to criminal syndicates. But while recycling is a widely known hacker practice, Wardle points out that just knowing about it abstractly isn\u2019t enough. He argues that security professionals need to meaningfully focus on the mechanics of the process so they can overcome the shortcomings of existing protections and malware detection methods.<\/p>\n Take signature-based defenses, which work by essentially fingerprinting malicious programs and adding that identifier to a blacklist. Regular antivirus and malware scanning tools that rely on signatures generally fail to flag reused malware, because even the minor tweaks a new attacker makes change the program's \u201csignature.\u201d<\/p>\n Malware is typically set up to check in over the internet with a remote server\u2014a so-called \u201ccommand and control server\u201d\u2014to find out what to do next. In some cases, attackers have to extensively overhaul found malware to reuse it, but often, as is the case with the Lazarus loader, they can simply make small tweaks like changing the command and control address to point to their own server rather than the original developer\u2019s. Recyclers still need to do enough analysis to ensure that the malware\u2019s authors haven\u2019t designed a way for the malware to fall back to the original control server, but once they\u2019re sure they\u2019ve scrubbed the previous owners, they can assume full control.<\/p>\n \u201cThis is why I think behavior-based detection is so important,\u201d says Wardle, who presented novel techniques for behavior-based detection on macOS<\/a> at RSA last year. \u201cFrom a behavior point of view, repurposed malware looks and acts exactly the same as its predecessor. So we need to motivate the security tools community to step further and further away from signature-based detection, because it\u2019s unacceptable that if you redeploy malware it can go undetected. Repurposed malware should not pose any additional threats.\u201d<\/p>\n