Lazarus Group Covert Shellcode Execution Technique: ASATA has located and profiled a really interesting shellcode technique inspired by Lazarus Group. At its core, the shellcode is stored as a list of UUID string values; the loader converts those strings back into binary shellcode, allocates memory for it and executes it. The Windows APIs used to accomplish this are UuidFromStringA (which decodes each UUID string into 16 bytes of the buffer) and EnumSystemLocalesA (which invokes the buffer as its enumeration callback), avoiding all the usual suspects like VirtualAlloc, WriteProcessMemory, CreateThread and standard shellcode generators.
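Added example for analysts, not code from the loader or the NCC Group write-up: a small Python triage helper that recovers the byte buffer from a list of UUID strings exactly as UuidFromStringA lays it out (Data1, Data2 and Data3 little-endian, Data4 as-is, which is what Python's uuid.UUID.bytes_le produces), so a decoded sample can be dumped for disassembly. The C source fragment below is constructed and decodes to ASCII text, not code; the 8-UUID minimum and entropy threshold are assumed heuristics.

```python
import re
import uuid
from math import log2
from typing import Dict, List, Tuple

# Textual form UuidFromStringA accepts: 8-4-4-4-12 hex digits.
UUID_RE = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")

# Constructed sample resembling a UUID-loader source file (decodes to plain text).
SAMPLE = """\
const char* uuids[] = {
    "534e4f43-5254-4355-5445-442d53414d50",
    "4e2d454c-544f-432d-4f44-452d30303031",
};
"""


def decode_uuid_list(text: str) -> Tuple[List[str], bytes]:
    """Return every UUID string found in `text` and their concatenated bytes.

    UuidFromStringA writes the first three fields little-endian, so .bytes_le
    (not .bytes, which would scramble the first 8 bytes of every chunk) gives
    the same 16-byte layout the loader builds in memory.
    """
    found = UUID_RE.findall(text)
    blob = b"".join(uuid.UUID(u).bytes_le for u in found)
    return found, blob


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed code and encrypted blobs score high, text low."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * log2(data.count(b) / n) for b in set(data))


def triage(text: str, min_uuids: int = 8, min_entropy: float = 5.0) -> Dict[str, object]:
    """Flag a file that carries a long run of UUIDs decoding to high-entropy bytes.

    Caveat: COM CLSIDs are UUIDs too, so combine this with the import pair
    UuidFromStringA + EnumSystemLocalesA before calling a sample malicious.
    """
    found, blob = decode_uuid_list(text)
    ent = shannon_entropy(blob)
    return {
        "uuid_count": len(found),
        "decoded_len": len(blob),
        "entropy": round(ent, 2),
        "suspicious": len(found) >= min_uuids and ent >= min_entropy,
    }
```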
Shellcode Loader: https://github.com/pwn1sher/uuid-loader
Blog: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
UuidFromStringA: https://docs.microsoft.com/en-us/windows/win32/api/rpcdce/nf-rpcdce-uuidfromstringa
EnumSystemLocalesA: https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesa
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam