A Lazarus Keylogger- PSLogger
This blog recently referenced a late July VNCert report containing file-based IOCs associated with attempted intrusions against financial organizations in Vietnam. Several contextual and technical characteristics of these files tie them to recent activity typically attributed to North Korean adversaries with a specific interest in the financial sector.
This post explores the technical characteristics of one of these files, a keylogging and screen-grabbing utility. Two versions of this utility have appeared in the wild. The first is directly identified in the VNCert alert and is a DLL injected via a modified version of the open-source PowerSploit framework. The second is a standalone executable submitted to VirusTotal by a user in Pakistan (and possibly used in an intrusion in that region).
syschk.ps1 (Vietnam)
MD5: 26466867557f84dd4784845280da1f27
SHA1: ed7fcb9023d63cd9367a3a455ec94337bb48628a
SHA256: 791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6
Syschk.ps1 contains three primary components: (1) a Base64-encoded DLL, (2) a Base64-encoded variant of PowerSploit's Invoke-ReflectivePEInjection, which maps a PE into process memory without writing it to disk, and (3) a routine for decoding and executing these components. This script …
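The three-part layout described above (Base64 DLL, Base64 injector script, decode-and-execute routine) is easy to pull apart statically before anything is run. The following script is an added example written for this post, not the author's tooling: it extracts Base64 runs from a PowerShell loader, decodes them, tells an embedded PE apart from an embedded PowerSploit script by content, hashes each payload, and checks the hashes against an IoC list. The loader and payloads it operates on are constructed stand-ins (the "DLL" is only an MZ stub), not the real syschk.ps1; the IoC hashes it parses are the three syschk.ps1 hashes listed above.

```python
"""Static triage of a PowerShell loader carrying Base64-encoded payloads.

Added example, not code from the original post. The sample loader and its
two payloads are constructed for the example (assumption: they are NOT the
real syschk.ps1 contents); the IoC text is the post's syschk.ps1 hashes.
"""
import base64
import hashlib
import re

# Constructed payloads: an MZ stub standing in for the DLL, and a one-line
# script that only carries the PowerSploit function name.
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 32
FAKE_INJECTOR = b"function Invoke-ReflectivePEInjection { param($PEBytes) }\n"

# Constructed loader with the three parts the post describes:
# (1) Base64 DLL, (2) Base64 injector script, (3) decode-and-execute routine.
SAMPLE_PS1 = (
    "$a = '" + base64.b64encode(FAKE_DLL).decode() + "'\n"
    "$b = '" + base64.b64encode(FAKE_INJECTOR).decode() + "'\n"
    "$dll = [System.Convert]::FromBase64String($a)\n"
    "$inj = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($b))\n"
    "IEX $inj\n"
    "Invoke-ReflectivePEInjection -PEBytes $dll\n"
)

# syschk.ps1 hashes from the post's IoC list (MD5, SHA1, SHA256).
IOC_SAMPLE = """
26466867557f84dd4784845280da1f27
ed7fcb9023d63cd9367a3a455ec94337bb48628a
791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6
"""

# Base64 runs of 64+ characters; shorter runs are skipped so that ordinary
# identifiers and cmdlet names are not decoded by mistake.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Function names present in PowerSploit's Invoke-ReflectivePEInjection.ps1.
POWERSPLOIT_MARKERS = (b"Invoke-ReflectivePEInjection",
                       b"Invoke-MemoryLoadLibrary", b"Get-PEBasicInfo")
DECODE_RE = re.compile(r"FromBase64String", re.I)
EXEC_RE = re.compile(r"\b(IEX|Invoke-Expression)\b|Invoke-ReflectivePEInjection", re.I)


def classify(data: bytes) -> str:
    """Label a decoded blob by content rather than by how it was stored."""
    if data[:2] == b"MZ":
        return "pe"
    if any(marker in data for marker in POWERSPLOIT_MARKERS):
        return "powersploit"
    return "unknown"


def extract_blobs(script: str) -> list:
    """Decode every long Base64 run in the script and hash the result."""
    blobs = []
    for match in B64_RE.finditer(script):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blobs.append({
            "offset": match.start(),
            "size": len(data),
            "kind": classify(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return blobs


def triage(script: str) -> dict:
    """Payloads plus whether a decode-then-execute routine is present."""
    has_routine = bool(DECODE_RE.search(script) and EXEC_RE.search(script))
    return {"blobs": extract_blobs(script), "decode_routine": has_routine}


def parse_iocs(text: str) -> dict:
    """Sort bare hex hashes into md5 / sha1 / sha256 sets by length."""
    by_type = {"md5": set(), "sha1": set(), "sha256": set()}
    lengths = {32: "md5", 40: "sha1", 64: "sha256"}
    for token in re.findall(r"\b[0-9a-fA-F]{32,64}\b", text):
        kind = lengths.get(len(token))
        if kind:
            by_type[kind].add(token.lower())
    return by_type


def match_iocs(blobs: list, iocs: dict) -> list:
    """Return the extracted payloads whose hash appears in the IoC sets."""
    return [b for b in blobs
            if any(b[k] in iocs[k] for k in ("md5", "sha1", "sha256"))]


if __name__ == "__main__":
    report = triage(SAMPLE_PS1)
    print("decode-and-execute routine:", report["decode_routine"])
    for blob in report["blobs"]:
        print(f"@{blob['offset']} {blob['kind']:12} {blob['size']:6} bytes "
              f"sha256={blob['sha256']}")
    print("IoC hits:", [b["kind"] for b in match_iocs(report["blobs"],
                                                       parse_iocs(IOC_SAMPLE))])
```

Classifying by content matters because the page notes both a DLL and a script are Base64-encoded in the same file: the MZ header identifies the PE regardless of which variable holds it, and the PowerSploit function names identify a modified copy of Invoke-ReflectivePEInjection even when its surrounding text has been changed. Hashing the decoded bytes, not the Base64 text, is what lets the result be compared against the DLL hashes in an IoC list.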
IoC
081d5bd155916f8a7236c1ea2148513c0c2c9a33
26466867557f84dd4784845280da1f27
34404a3fb9804977c6ab86cb991fb130
791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6
b345e6fae155bfaf79c67b38cf488bb17d5be56d
c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec
d45931632ed9e11476325189ccb6b530
ed7fcb9023d63cd9367a3a455ec94337bb48628a
efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e