Breaking Badness

47. U2 Have To Deal With RaaS


Here are a few highlights from each article we discussed:

Return of the RAT

  • Lazarus Group is the name given to the North Korea-associated threat group; the US Government refers to them as HIDDEN COBRA.
  • Unlike other nation state threats, Lazarus has been associated with a very wide array of activity. Microsoft attributed the infamous WannaCry ransomware to them, but they have also been tied to attacks against Monero and Bitcoin cryptocurrency and to outright financial theft. Back in 2017, there was data associating Lazarus with a $49M theft from a Kuwaiti institution.
  • The Dacls RAT was originally discovered by Qihoo 360 NetLab in December of 2019. It was a fully functional covert remote access Trojan targeting the Windows and Linux platforms.
  • This Mac version is distributed at least in part via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers. Similar to the Linux variant, it boasts a variety of features including command execution, file management, traffic proxying and worm scanning.
  • On April 8th, a suspicious Mac application named “TinkaOTP” was submitted to VirusTotal from Hong Kong. It was not detected by any engines at the time.
  • For persistence, it uses LaunchDaemons or LaunchAgents, which take a property list (plist) file specifying the application to be executed after reboot.
  • The config file holds the encrypted C2 servers and plugins.
  • After loading the config file, the RAT decrypts it using the AES key, then moves on to data collection and C2 operations.
  • Modular RATs are always interesting. They have a low footprint, are harder to detect, and dynamically load plugins based on the attackers' goals: CMD execution, SOCKS proxy traffic routing, etc.
  • The Lazarus group is so wide in scope in its targets and operations that it's difficult to characterize directly. They infamously compromised Sony, attack South Korean citizens often, and also run ransomware and financial theft operations. It's really the whole spectrum of attacks.
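The persistence mechanism described above (a launchd plist naming the program to run) is also the place a defender looks first on a Mac. As an added example, not code from the show or from the Dacls analyses it discusses, the script below parses launchd plists from the standard LaunchDaemons/LaunchAgents directories and flags entries that auto-start, are kept alive, or point at a binary outside the usual install locations. The TRUSTED_PREFIXES heuristic and the sample plist are constructed for illustration, not taken from the Dacls sample.

```python
import os
import plistlib
from pathlib import Path

# Directories launchd reads persistence plists from (system daemons, system agents, per-user agents).
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
               os.path.expanduser("~/Library/LaunchAgents")]
# Heuristic (assumption): where a legitimately installed program binary normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def audit_launch_plist(data: bytes, source: str = "<memory>") -> dict:
    """Parse one launchd plist and report what it runs and why it may deserve a look."""
    plist = plistlib.loads(data)
    # launchd takes the binary from Program, or from ProgramArguments[0].
    program = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
    reasons = []
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad: starts automatically at boot/login")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched by launchd if it exits")
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {program}")
    return {"source": source, "label": plist.get("Label"), "program": program,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Audit every .plist in the launchd directories present on this host."""
    findings = []
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                findings.append(audit_launch_plist(p.read_bytes(), str(p)))
            except Exception as exc:  # an unreadable or malformed plist is itself worth noting
                findings.append({"source": str(p), "label": None, "program": None,
                                 "suspicious": True, "reasons": [f"unparseable: {exc}"]})
    return findings


# Constructed sample (not from any report): a user-writable agent that starts a hidden binary.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed.agent</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.hidden/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(audit_launch_plist(SAMPLE_PLIST, "constructed-sample"))
```

Running `scan_launch_dirs()` on a live Mac lists every plist with its reasons; treat the flags as a triage shortlist, since plenty of legitimate third-party agents also set RunAtLoad.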

Money is the Root of all REvil

  • What do Madonna, Lady Gaga, Elton John, Robert de Niro, Nicki Minaj, Chris Brown, Usher, U2, Timbaland, Rick Ross have in common? They were all represented by the legal firm Grubman Shire Meiselas & Sacks who I assume are being represented by a different and more expensive legal firm now.
  • The folks behind REvil—likely the same group behind GandCrab even though they claimed to have retired—sell what is basically a well-supported cloud platform for performing ransomware work. A creator writes the ransomware, distributors sell it, and individual affiliates perform the infections. They provide technical support and all the rest, then take a cut of whatever the affiliate earns. It is basically multi-level marketing for ransomware.
  • The hackers claim to have NDAs, personal correspondence, phone numbers, contracts, you name it: anything dealing with the entertainment industry and the firm's clients. They have almost a terabyte of mostly text data, so you know there is a lot going on there. As proof, they dropped a few contracts from Christina Aguilera. You could say they let the genie out of the bottle with that one.
  • REvil spreads through a number of different methods. Some are known vulnerabilities; many are spearphishing attacks. If I had to guess, this one was likely a spearphishing attack followed by some lateral movement using common vulnerabilities.
  • When it comes to REvil's mission, it's definitely all about the money. If I were an A-lister, my model would be to really think about all my data ingress and egress, what networks I am on, etc. I would always be disabling peripherals on my phones, especially after all of the Bluetooth hacks we saw a few years back. Basic things like that would be my biggest fear. After that, I would definitely get a law firm that encrypts their client files. Seems sloppy on the part of Grubman Shire Meiselas & Sacks, all four of them really; maybe just fire Sacks and hire someone with an O last name so they can be SMOG law.

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard



This Week’s Hoodie/Goodie Scale

Return of the RAT

[Chad]: 6/10 Hoodies
[Tarik]: 8/10 Hoodies

Money is the Root of all REvil

[Chad]: 7/10 Hoodies
[Tarik]: 7/10 Hoodies


That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!