A Look into the Lazarus Group's Operations in October 2019

2019-11-12, StrangerealIntel
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/23-10-19/analysis.md

Contents

Table of Contents
- Malware analysis
- Cyber kill chain
- Indicators Of Compromise (IOC)
- References MITRE ATT&CK Matrix
- Knowledge Graph
- Links
Malware analysis
The following analysis covers the group's recent activity and the logical evolution of its techniques; where useful, it looks back at earlier operations for comparison.
CES 2020 incident (NukeSped)
The document specifically targets South Korean exhibitors, using the title "Application form for American Las Vegas CES 2020".
The initial infection vector is a widely used HWP exploit (CVE-2017-8291), which allows remote command execution through an .rsdparams type confusion triggered by a "/OutputFile (%pipe%" substring in a crafted .eps document. The command it runs downloads and executes the next stage of the infection.
It first uses a common trick with RtlCaptureContext to register a top-level exception handler and hinder debugging.
Once this is done, the malware executes a series of actions …
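The "/OutputFile (%pipe%" substring described above is the concrete artifact a defender can look for in EPS objects extracted from HWP documents. The scanner below is an added example written for this page, not code from the original report; the two EPS fragments are constructed samples, and "placeholder_command" is a stand-in rather than any command observed in the incident. The check is string-level, so it must be run on the decompressed BinData stream that carries the EPS, and it will not catch PostScript that assembles the string at run time.

```python
import re
from typing import Dict, List

# Constructed sample EPS fragments (not from the report). The first uses
# /OutputFile the way a legitimate device setup might; the second carries the
# %pipe% prefix that the CVE-2017-8291 .rsdparams type-confusion chain relies on.
BENIGN_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"<< /OutputFile (page.pdf) >> setpagedevice\n"
    b"showpage\n"
)
SUSPICIOUS_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/rsdparams << /OutputFile (%pipe%placeholder_command arg) >> def\n"
    b"showpage\n"
)

# /OutputFile followed by a PostScript string whose content starts with %pipe%.
# Whitespace between the name and '(' is tolerated; the captured pipe target runs
# to the closing ')' and allows backslash-escaped characters inside the string.
_PIPE_OUTPUTFILE = re.compile(
    rb"/OutputFile\s*\(\s*%pipe%((?:\\.|[^()\\])*)\)", re.DOTALL
)


def find_pipe_outputfile(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per %pipe% OutputFile occurrence in a PostScript/EPS buffer."""
    findings: List[Dict[str, object]] = []
    for m in _PIPE_OUTPUTFILE.finditer(data):
        findings.append({
            "offset": m.start(),
            "command": m.group(1).decode("latin-1"),
        })
    return findings


def scan_eps_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each decompressed EPS buffer as 'suspicious' or 'clean'."""
    return {
        name: ("suspicious" if find_pipe_outputfile(data) else "clean")
        for name, data in files.items()
    }


if __name__ == "__main__":
    samples = {"benign.eps": BENIGN_EPS, "sample.eps": SUSPICIOUS_EPS}
    for name, verdict in scan_eps_files(samples).items():
        print(name, verdict)
    for hit in find_pipe_outputfile(SUSPICIOUS_EPS):
        print("offset", hit["offset"], "pipe target:", hit["command"])
```

A legitimate EPS has no reason to hand Ghostscript a %pipe% output device, so a single hit is a strong signal on its own; the captured pipe target is what an analyst would then pivot on to recover the download-and-execute command of the next stage.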

IoC

IP addresses

185.136.207.0
185.136.207.217
185.236.203.0
185.236.203.211
193.70.0.0
193.70.64.163
23.227.192.0
23.227.199.96
37.72.174.0
37.72.175.226
64.151.192.0
64.151.229.52
83.169.16.0
83.169.17.240

MD5 hashes

6850189bbf5191a76761ab20f7c630ef
8765888a825223f427756dce79956720
B578CCF307D55D3267F98349E20ECFF1

SHA-256 hashes

1A172D92638E6FDB2858DCCA7A78D4B03C424B7F14BE75C2FD479F59049BC5F9
1ba8cba6337da612d1db2cdfe1b44f6110741d91ba696a5b125ebd3e9b081ed7
26A2FA7B45A455C311FD57875D8231C853EA4399BE7B9344F2136030B2EDC4AA
360431100AA6DA78B577CC8B4606FA66E6191056FAC7C42929ABEC5A4402DA7A
3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682
4503A194E5064595E36EF01ED87C24203ACCE56F308AF23E2563E71F890B0188
4701cc722f03253fb332747f951fff4c4ff023e13096a7e090a22b95c70efbf3
4f71c62df0163d301cbc96e70771ebec2d4410679240c1d94183f5e10879c2f1
51ac3966b48c91947de4ce51a90aee9deb730d86cedf8c863d9dcdf0fb322537
735365EF9AA6CCA946CFEF9A4B85F68E7F9F03011DA0CF5F5AB517A381E40D02
761BCFF9401BED2ACE80B85C43B230294F41FC4D1C0DD1FF454650B624CF239D
93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9
A7FF0DFC2456BAA80E6291619E0CA480CC8F071F42845EB8316483E077947339
BFB39F486372A509F307CDE3361795A2F9F759CBEB4CAC07562DCBAEBC070364
CCAFBCFF1596E3DFD28DCB97A5BA85E6845E69464742EDFE136FE09BBEC86BA1
D4F055D170FD783AE4F010DF64CFD18D8FA9A971378298EB6E863C60F57B93E3
F9FFB15A6BF559773B0DF7D8A89D9440819AB285F17A7B0A98626C14164D170F
a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68
c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c
d0b970e8052a4e3a353e99f8f2f4f6436298e473466ca407c353715ec10c3087
dfa984f8d6bfc4ae3920954ec8b768e3d5a9cc4349966a9d16f8bef658f83fcd
ee9cd8decf752a47eefe24369a806976dce8ac2c29a8271c68bc407326fb19a9

URLs and domains

http://crabbedly.club
http://craypot.live
http://indagator.club
https://baseballcharlemagnelegardeur.com/wp-content/languages/common.php
https://crabbedly.club/board.php
https://craypot.live/board.php
https://indagator.club/board.php
https://towingoperations.com/chat/chat.php
https://www.tangowithcolette.com/pages/common.php