U.S. Cyber Command warns of North Korea-linked Lazarus Group malware

It's the second time in as many months Cyber Command has added malware details to VirusTotal.
Kim Il-Sung Square, Pyongyang North Korea

Malicious software samples uploaded by U.S. Cyber Command to VirusTotal on Wednesday are associated with campaigns from Lazarus Group, an advanced persistent threat group linked with North Korea, two cybersecurity researchers told CyberScoop.

Lazarus is an umbrella name that typically describes hacking activity which advances Pyongyang’s interests. The group is especially known for its financial motivations, such as abusing the Society for Worldwide Interbank Financial Telecommunication (SWIFT) monetary transfer system and for hacking banks, according to Adam Meyers, vice president of intelligence at CrowdStrike. The instance Wednesday marks the second time in as many months Cyber Command added malware details to the VirusTotal security repository as part of an information sharing effort with the private sector.

Researchers from cybersecurity firms Symantec and CrowdStrike said they have linked the two malware samples in this case (available here and here) with Lazarus Group. The technical capabilities of the malware strains were not immediately clear.

Cyber Command uploaded two samples in all, one of which is a DLL, a dynamically linked library, which is usually part of a set of malware. The other file shared is an executable, which is capable of running by itself.


Kaspersky Principal Senior Security Researcher Brian Bartholomew tells CyberScoop the executable file appears to be the same malware that the FBI and the Department of Homeland Security warned industry about in May, known as ELECTRICFISH.

“When reviewing these samples, one appears to be a popular North Korean tunneling tool referred to as ELECTRICFISH and the other is confirmed to be a Fake TLS proxy tool,” Bartholomew said. “This tool allows an attacker to use the victim as a hop point to tunnel traffic through, similar to what ELECTRICFISH does, just in a different way.”

FireEye Director of Intelligence Analysis John Hultquist told CyberScoop the samples are possibly linked to APT38, a North Korean group FireEye detailed last year which they showed was zeroed in on stealing money and which uses destructive malware.

The Lazarus-linked samples appear to have originated in 2018 and that they do not appear to be in ongoing attacks right now, Bartholomew says.

The last samples Cyber Command shared last month were linked with Iran, as CyberScoop previously reported.


Lazarus Group often uses password-protected executables and secure deletion functions to conceal its nefarious activity from victims, according to Meyers, of CrowdStrike.

Cyber Command would not comment on attribution, as has been its standard practice with VirusTotal releases.

“The Cyber National Mission Force is releasing malware as part of the U.S. Cyber Command persistent engagement methodology,” a spokesperson told CyberScoop. “Recognizing the value of collaboration with the cybersecurity industry and public sector, the [Cyber National Mission Force] is continuing to share malware samples it believes will have the greatest impact on improving global security.”

This update also comes as the federal government’s wider information sharing program is maturing. In the last VirusTotal release, Cyber Command gave advance warning of the release to the Department of Homeland Security, which also included the private sector, as CyberScoop first reported.

The early alert went out to private sector in advance of the release this time as well, Neil Jenkins of the Cyber Threat Alliance tells CyberScoop. Members of the alliance, a group of companies that shares threat information, were alerted Monday with a TLP Amber alert, meant to signify information cannot be shared publicly and only among concerned parties, Jenkins said.


As a result, Cyber Threat Alliance members, which include the likes of Symantec, McAfee, Palo Alto Networks, and Cisco, were able to protect against the malware samples before Cyber Command flagged them publicly, according to Jenkins.

“Our members were able to get protections ready and in place for the release yesterday,” Jenkins told CyberScoop.

The Department of Homeland Security did not immediately return request for comment.

Some of Lazarus Group’s activity has stemmed from sanctions slapped on North Korea, which have starved Kim Jong-un’s government of financial resources, Meyers notes. The Lazarus Group targeted SWIFT after sanctions banned North Korea from that international financial network in 2017, for instance.

A leaked United Nations report recently sent to the U.N. Security Council’s North Korea sanctions committee says Pyongyang has used 35 cyberattacks to steal $2 billion to fund its weapons programs. The regime “used cyber-space to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income,” the report’s authors wrote, according to the BBC.


This Cyber Command release comes just days after North Korea claims it launched a new kind of short-range ballistic missile in violation of United Nations resolutions. It’s the third instance of the regime claiming to have tested a new ballistic missile or rocket system in the last month, according to the New York Times.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts