Green Lambert

Malware Profile Updated 3 months ago
Green Lambert is a family of malware tools closely related to Blue Lambert. It was discovered while searching for malware similar to Blue Lambert, and it is considered a lighter, more reliable, but older version of Blue Lambert. Green Lambert is the oldest and longest-running malware in its family, with Gray being the newest.

The Green Lambert family stands out as the only one in which non-Windows variants have been found. Signatures written for the Windows version of Green Lambert also triggered on an OS X variant with a very low version number, 1.2.0, which led to the discovery of an OS X implant called Green Lambert. An old version of Green Lambert compiled for OS X was uploaded from Russia to a multiscanner service in 2014.

The Windows versions of Green Lambert carry various code names, including BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5). One of the Green Lambert droppers abused an ICS software package named "Subway Environmental Simulation Program" (SES), which has been available on certain forums visited by engineers working with industrial software.

Kaspersky disclosed in July 2023 that a revamped version of the MATA malware had been used to strike defense contractors. The newer MATA variants and techniques such as TTLV serialization, multilayered protocols, and handshake mechanisms resemble those of 'Five Eyes' APT tools like Purple Lambert, Magenta Lambert, and Green Lambert; because of this overlap, attribution to the Lazarus Group remains uncertain, although apparent links to Lazarus activity remain.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID            Votes  Profile Description
Snow Blower   1      None
Ape Escape    1      None
Gordon Flash  1      None
Flash Gordon  1      None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant, Windows, Malware, APT, ICS
Associated Malware
No associations to display
Associated Threat Actors
ID             Type         Votes  Profile Description
Lazarus Group  Unspecified  1      The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Associated Vulnerabilities
ID       Type         Votes  Profile Description
Assault  Unspecified  1      The term "assault" in this context refers to a variety of aggressive actions, ranging from cyber attacks to physical violence. One significant event occurred on October 7, 2023, when Hamas launched a coordinated cross-border assault on Israel, marking the official start of the Israel-Hamas War. This
Source Document References
Information about the Green Lambert malware was read from the document corpus below.

Source   Created At    Title
CERT-EU  9 months ago  Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies
CERT-EU  9 months ago  MATA malware framework exploits EDR in attacks on defense firms
MITRE    a year ago    Unraveling the Lamberts Toolkit
MITRE    a year ago    Made In America: Green Lambert for OS X