WannaCry — Links to Lazarus Group



Read More: Part 1 — Part 2 — Part 3 — Part 4

Code similarities have been found between a February 2017 sample of WannaCry and a 2015 Contopee sample (attributed last year to Lazarus Group by Symantec). The overlap was initially reported on Twitter by Google researcher Neel Mehta; I investigated further. Since then, this suspicion has been shared by Kaspersky too.

UPDATE: A few hours later, Symantec also released an article saying they had discovered the same similarities.

UPDATE2: TheShadowBrokers just released a statement on the recent attacks.

This would imply that WannaCry may have been developed by Lazarus Group.

Feb 2017, WannaCry sample:

Feb 2015, Contopee sample:

Comparison

It looks like I am the first one to have broken the news after interpreting what Neel said, followed by Kaspersky 15 minutes later.

Original tweet, posted to confirm Neel Mehta's tweet.


Appendix 1 — Initial disassembly of the two functions — assembly version of Appendix 3


Appendix 2 — Identical arrays shared by the two functions in Appendix 1.

Here is the array itself, shared byte-for-byte between the two samples. Read as little-endian 16-bit values, its entries are TLS cipher suite identifiers (0x0003 through 0xC02C, plus the 0x00FF renegotiation SCSV and the legacy 0xFEFF suite), terminated by 0x0000:

03 00 04 00 05 00 06 00  08 00 09 00 0A 00 0D 00  
10 00 11 00 12 00 13 00  14 00 15 00 16 00 2F 00  
30 00 31 00 32 00 33 00  34 00 35 00 36 00 37 00  
38 00 39 00 3C 00 3D 00  3E 00 3F 00 40 00 41 00  
44 00 45 00 46 00 62 00  63 00 64 00 66 00 67 00  
68 00 69 00 6A 00 6B 00  84 00 87 00 88 00 96 00  
FF 00 01 C0 02 C0 03 C0  04 C0 05 C0 06 C0 07 C0  
08 C0 09 C0 0A C0 0B C0  0C C0 0D C0 0E C0 0F C0  
10 C0 11 C0 12 C0 13 C0  14 C0 23 C0 24 C0 27 C0  
2B C0 2C C0 FF FE 00 00
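To make the shared constant usable for hunting rather than just eyeballing it, here is an added example (not code from the original post or from either malware sample) that decodes the Appendix 2 array as a list of little-endian 16-bit TLS cipher suite identifiers, labels the ones that matter against a hand-picked subset of the IANA TLS Cipher Suite registry (the subset is my choice, not something the page provides), renders the raw bytes as a YARA hex string, and locates the array in a constructed stand-in for a binary. The `fake_sample` bytes are constructed padding, not a real WannaCry or Contopee file.

```python
"""Decode and fingerprint the byte array shared by the two samples (Appendix 2).

Added example; not the page author's code. The array bytes are transcribed
from Appendix 2. SUITE_NAMES is a hand-picked subset of the IANA TLS Cipher
Suite registry (an assumption about which labels are worth showing).
"""
import struct

# The hex dump from Appendix 2, transcribed verbatim.
APPENDIX2_HEX = """
03 00 04 00 05 00 06 00  08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00  14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00  34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00  3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00  63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00  84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0  04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0  0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0  14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE 00 00
"""

# Subset of the IANA TLS Cipher Suite registry, enough to label the list.
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",  # legacy Netscape FIPS suite
}


def parse_hex_dump(dump: str) -> bytes:
    """Convert a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_suite_list(blob: bytes) -> list:
    """Read little-endian uint16 values up to (not including) the 0x0000 terminator."""
    suites = []
    for (value,) in struct.iter_unpack("<H", blob):
        if value == 0:
            break
        suites.append(value)
    return suites


def label_suites(suites: list) -> list:
    """Pair each identifier with its registry name, or 'unlisted' if not in the subset."""
    return [(s, SUITE_NAMES.get(s, "unlisted")) for s in suites]


def yara_rule(blob: bytes, rule_name: str = "Shared_TLS_cipher_list") -> str:
    """Render the raw array as a YARA rule so the constant can be hunted across a corpus."""
    hex_pairs = " ".join(f"{b:02X}" for b in blob)
    return (
        f"rule {rule_name}\n{{\n"
        f"    strings:\n        $list = {{ {hex_pairs} }}\n"
        f"    condition:\n        $list\n}}\n"
    )


def find_array(sample: bytes, blob: bytes) -> int:
    """Return the offset of the array in a sample, or -1 if absent (plain substring search)."""
    return sample.find(blob)


if __name__ == "__main__":
    blob = parse_hex_dump(APPENDIX2_HEX)
    suites = decode_suite_list(blob)
    print(f"{len(suites)} cipher suites in {len(blob)} bytes")
    for ident, name in label_suites(suites):
        print(f"  0x{ident:04X}  {name}")
    print(yara_rule(blob))
    # Constructed stand-in for a binary: padding around the array, not a real sample.
    fake_sample = b"\x90" * 16 + blob + b"\xCC" * 8
    print("offset in constructed sample:", find_array(fake_sample, blob))
```

The decoded list is 75 identifiers in strictly ascending order, which is what makes it a strong shared-constant indicator: a list that specific, in that order, is unlikely to arise independently in two unrelated code bases. A plain substring match is enough for the raw array; the YARA rule is the same bytes in a form that can be run over a sample collection.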


Appendix 3 — Identical decompiled code between the two versions.


Appendix 4 — Shared initialization parameters passed in by the caller.

Attribution to Lazarus Group would be consistent with the group's history, which has been dominated by infiltrating financial institutions in order to steal money.

If validated, this would make the latest iteration of WannaCry the first nation-state-backed ransomware.

It would also mean that a hostile foreign nation leveraged offensive capabilities lost by Equation Group to create global chaos.

In the meantime, a third kill-switch domain appeared in the wild: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com. The fact that it contains "lmao" would mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:

  • A global provocation aimed at the law enforcement and security research community, to be read as "keep trying".
  • A reinforcement of the theory that the latest iteration of WannaCry is a destructive operation intended to create political mayhem.