A "Naver"-ending game of Lazarus APT
Zscaler’s ThreatLabz research team has been closely monitoring a campaign targeting users in South Korea. This threat actor has been active for more than a year and continues to evolve its tactics, techniques, and procedures (TTPs); we believe with high confidence that the threat actor is associated with Lazarus Group, a sophisticated North Korean advanced persistent threat (APT) group.
In 2021, the main attack vector used by this threat actor was credential phishing attacks through emails, posing as Naver, the popular South Korean search engine and web portal.
In 2022, the same threat actor started spoofing various important entities in South Korea, including KRNIC (Korea Internet Information Center), Korean security vendors such as Ahnlab, cryptocurrency exchanges such as Binance, and others. Some details about this campaign were published in this Korean blog; however, that post did not attribute the activity to a threat actor.
Even though the TTPs of this threat actor evolved over time, there were …
IoC

MD5 hashes:
044e701e8d288075b0fb6cd118aa94db
0c2dde41d508941cf215fe8f1f7e03a7
0ef32b48f6ca3a1a22ab87058b3d8aa0
114f22f3dd6928bed5c779fa918a8f11
137910039cb94c0301154f3d1ec9ba29
1559aeb8e464759247e4588cb6a09877
15a7125fe9e629122e1d1389062af712
1769a818548a0b52c7be2a0a213a9384
1a536709554860fcc2c147374556205d
1fd8fef169bf48cfdcf506151264128c
210db61d1b11c1d233fd8a0645946074
2677f9871cb340750e582cb677d40e81
37505b6ff02a679e70885ccd60c13f3b
37b7415442ab8ca01e08b2d7bfe809e2
430d944786e05042cdbe1d795ded2199
4382384feb5ad6b574f68e431006905e
44be20c67a80af8066f9401c5bee43cb
4548c7f157d300ec39b1821db4daa970
493f59b6933e59029bf3106fd4a2998d
556abc167348fe96abfbf5079c3ad488
6df608342938f0d30a058c48bb9d8d4d
728b908e90930c73edeb1bf58b6a3a64
783e7c3ba39daa28301b841785794d76
78aa7e785a96f2826ee09a1aa9ab776e
7b07cd6bb6b5d4ed6a2892a738fe892b
825730d9dd22dbae7f2bd89131466415
90f2b7845c203035f0d7096aa28dda83
96d86472ff283f6959b7a779f004dfba
9775ef6514916977d73e39a6b09029bc
9ad00e513364e9f44f1b6712907cba9b
a0f565f7f579f0d397a42db5a95d4ae8
a225b7aff737dea737cd969fb307df23
a2aca7b66f678b85fc7b4015af21c5ee
b587851d8a42fc8c23f638bbc2eb866b
bb9ee3a6504fbf6a5486af04dbbb5da5
bd416ea51f94d815b5b5b66861cbdcc5
bdfb5071f5374f5c0a3714464b1fa5e6
c0b24dc8f53227ce0c64439b302ca930
c156572dd81c3b0072f62484e90e47a0
c32f40f304777df7cfab428a54bb818b
ce00749c908de017010055a83ac0654f
d19dd02cf375d0d03f557556d5207061
d7f6b09775b8d90d79404eda715461b7
db0483aced77a7db130a6100aef67967
e25ac08833416b8c7191639b60edfa21
e2e5644e77e75e422bde075f409d882e
e3ffda448df223b240a20dae41e20cef
e732bc87033a935bd2d3d56c7772641b
ecb2d07ede5a401c83a5fca8e00fa37a

IP addresses:
172.93.201.253
222.112.127.9
23.81.246.131
45.147.231.213

URLs:
http://172.93.201.253
http://222.112.127.9
http://23.81.246.131
http://45.147.231.213
http://cloudcentre.xyz
http://copycatfrag.store
http://disneycareers.net
http://knightsfrag.store
http://mailcustomerservice.site
http://mailhelp.online
http://mailservicecorp.online
http://mailserviceteam.email
http://naveicoip.com
http://naveicoip.tech
http://naveicoipa.com
http://naveicoipa.online
http://naveicoipa.tech
http://naveicoipb.online
http://naveicoipb.tech
http://naveicoipc.com
http://naveicoipc.online
http://naveicoipc.tech
http://naveicoipd.online
http://naveicoipd.tech
http://naveicoipe.online
http://naveicoipe.tech
http://naveicoipep.tech
http://naveicoipf.online
http://naveicoipf.tech
http://naveicoipg.online
http://naveicoipg.tech
http://naveicoiph.online
http://naveicoiph.tech
http://naveicoipi.online
http://naveicoipj.online
http://naveicorp.com
http://navercorp.live
http://navercorpservice.com
http://navercscorp.com
http://navermailcorp.com
http://navermailmanage.com
http://navermailservice.com
http://navermailservice.online
http://navermailteam.online
http://navermanage.com
http://navermanage.live
http://navermanageteam.com
http://navermcorp.com
http://navernidb.link
http://navernidmail.com
http://naversecurityservice.online
http://naversecurityteam.com
http://naverservice.host
http://naverserviceteam.com
http://noreplya.xyz
http://parfumeparlour.store
http://protected.com
http://www.devguardmap.org
https://dl.dropboxusercontent.com/s/k288s9tu2o53v41/zs_url.txt?dl=0
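The domains in the list above follow a recognisable pattern: most of them start with "naver" or the one-letter deviation "navei" and add a plausible suffix such as "mail", "security" or "manage". The script below is an added example written for this page, not code from Zscaler or from the original post. It turns a subset of the listed URLs (copied from the list above) into a domain blocklist, adds a heuristic for Naver lookalikes that the list does not yet contain, and runs both over a few constructed mail-gateway log lines. The log format, the `LEGIT_DOMAINS` allowlist and the sample addresses are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Subset of the URLs from the IoC list above (copied from the page).
IOC_URLS = [
    "http://naveicoip.com",
    "http://naveicoipa.tech",
    "http://navermailservice.com",
    "http://naversecurityteam.com",
    "http://navernidb.link",
    "http://mailhelp.online",
    "http://45.147.231.213",
]

# Domains the lookalike heuristic must never flag. Assumption: the defender
# maintains this allowlist; naver.com is the real portal, the rest is illustrative.
LEGIT_DOMAINS = {"naver.com", "navercorp.com"}

def ioc_domains(urls):
    """Extract the host part (domain or bare IP) of each IoC URL."""
    return {urlsplit(u).hostname.lower() for u in urls}

def registrable_label(host):
    """Second-level label, e.g. 'naveicoipa' for 'mail.naveicoipa.tech'."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_naver(host):
    """Heuristic: the registrable label begins with 'naver' or with a string one
    edit away from it (this catches the 'naveicoip*' family in the IoC list)."""
    host = host.lower()
    if host in LEGIT_DOMAINS or host.endswith(".naver.com"):
        return False
    label = registrable_label(host)
    return levenshtein(label[:5], "naver") <= 1

# Constructed mail-gateway log lines (sample data, not from the page).
SAMPLE_MAIL_LOG = """\
2022-05-02T09:14:03Z from=security@naversecurityteam.com to=user1@example.co.kr subject="Unusual login"
2022-05-02T09:20:11Z from=newsletter@naver.com to=user2@example.co.kr subject="Weekly digest"
2022-05-02T09:31:45Z from=support@naveicoipd.online to=user3@example.co.kr subject="Verify your account"
2022-05-02T09:40:02Z from=help@mailhelp.online to=user4@example.co.kr subject="Mailbox full"
2022-05-02T09:52:19Z from=billing@vendor.example to=user5@example.co.kr subject="Invoice"
"""

FROM_RE = re.compile(r"from=\S+@([A-Za-z0-9.-]+)")

def scan_mail_log(log_text, ioc_urls=IOC_URLS):
    """Return (sender_domain, reason) for every line whose sender domain is a
    known IoC or a Naver lookalike not yet on the list."""
    known = ioc_domains(ioc_urls)
    findings = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        domain = m.group(1).lower()
        if domain in known:
            findings.append((domain, "ioc-match"))
        elif looks_like_naver(domain):
            findings.append((domain, "naver-lookalike"))
    return findings

if __name__ == "__main__":
    for domain, reason in scan_mail_log(SAMPLE_MAIL_LOG):
        print(f"{reason:16} {domain}")
```

Exact matches against the published list are the high-confidence signal; the edit-distance rule is a triage hint only, because a five-character prefix one edit away from "naver" will also hit unrelated words, so route those to review rather than to an automatic block. Feeding the full URL list from the page into `IOC_URLS` gives the complete blocklist.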