lazarusholic

A DETAILED ANALYSIS OF LAZARUS APT MALWARE DISGUISED AS NOTEPAD++ SHELL EXTENSION

2022-01-31, Cybergeeks
https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/

Summary
Lazarus has targeted its victims using job-opportunity documents for companies such as Lockheed Martin, BAE Systems, and Boeing. In this case, the threat actor targeted people who are looking for jobs at Boeing using a document called Boeing BDS MSE.docx (https://twitter.com/ShadowChasing1/status/1455489336850325519). The malware extracts the hostname, username, network information, a list of processes, and other information that is exfiltrated to one of the four C2 servers. The data targeted for exfiltration is compressed, XOR-encrypted and then Base64-encoded before being transmitted to the C2 server. The Trojan implements four actions, which include downloading and executing a .exe or .dll file, loading a PE (Portable Executable) into the process memory, and executing shellcode.
Analyst: @GeeksCyber
Technical analysis
SHA256: 803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269
The file is a DLL that has seven exports. Only one of these functions, DllGetFirstChild, implements malicious activity.
The malware retrieves the User Agent by calling the ObtainUserAgentString function. There is also a User …

IoC

803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269
f3e2e6f9e7aa065e89040a0c16d1f948489b3751e5eb5efac8106d5f7d65d98d
https://bazaar.abuse.ch/sample/803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269/
https://bmanal.com/images/draw.php
https://docs.microsoft.com/en-us/windows/win32/api/
https://github.com/fireeye/flare-fakenet-ng
https://industryinfostructure.com/templates/worldgroup/view.php
https://mante.li/images/draw.php
https://shopandtravelusa.com/vendor/monolog/monolog/src/Monolog/monolog.php
https://twitter.com/ShadowChasing1/status/1455489336850325519
https://www.virustotal.com/gui/file/803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269
https://zhuanlan.zhihu.com/p/453894016