Wednesday, February 24, 2016

Operation Blockbuster: Coverage for the Lazarus Group

The threat landscape is in constant flux, and some of today's larger threats can only be addressed when the security community works together. Novetta researched a set of malware families that all appear to be tied to the same group of threat actors, dubbed "The Lazarus Group" (Group 77). According to Novetta's analysis, released in a report titled "Operation Blockbuster", these malware families have been behind multiple high-profile attacks over the last nine years. By working with Novetta, Talos was able to ensure that our customers are protected against this threat.

Talos examined the malware families involved in the research, using the samples provided to us, to verify that we have coverage for every family.


IOCs


For indicators of compromise and details on how the various malware families operate, please refer to the IOCs provided in the Operation Blockbuster report.


Conclusion


Talos continues to collaborate with peers in the security community to protect our customers and to help the community as a whole improve its security posture. In response to "Operation Blockbuster", Talos has verified that the following rules protect our customers by detecting these malware families. Please note that additional rules may be released at a future date and that current rules are subject to change as additional information becomes available. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by these threat actors.

ESA can block malicious emails sent by threat actors as part of their campaign. 


2 comments:

  1. It would be very helpful if you also published the IoCs in OpenIOC format, so we can import them directly into AMP for Endpoints.

    Replies
    1. AMP already contains the detection you need. A blog is never published here unless our customers are already protected.
