lazarusholic

Everyday is lazarus.dayβ

Analysis Report on Lazarus Threat Group's Volgmer and Scout Malwares

2023-10-13, Ahnlab
https://asec.ahnlab.com/en/57685/
#LazarLoader #Scout #Volgmer

Contents

Overview
1. Analysis of Volgmer Backdoor
    1.1. Early Version of Volgmer
        1.1.1. Analysis of Volgmer Dropper
        1.1.2. Analysis of Volgmer Backdoor
    1.2. Later Version of Volgmer
        1.2.1. Analysis of Volgmer Backdoor
2. Analysis of Scout Downloader
    2.1. Droppers (Volgmer, Scout)
    2.2. Analysis of Scout Downloader
        2.2.1. Scout Downloader v1
        2.2.2. Scout Downloader v2
3. Conclusion
The Lazarus threat group, widely assessed to be state-sponsored, has a record of activity dating back to 2009. In its early days the group focused mostly on Korea, but since 2016 it has attacked the defense, advanced technology, and finance sectors worldwide. Lazarus typically relies on spear phishing and supply chain attacks, disguising its malware as legitimate programs along the way. [1]
Over the last few years the group has carried out watering hole attacks against multiple Korean enterprises and organizations in the defense, satellite, software, and media sectors. Their initial access method involved the exploitation …

IoC (file hashes: MD5, plus one 40-character SHA-1 entry)

0171c4a0a53188fe6f9c3dfcc5722be6
05bb1d8b7e62f4305d97042f07c64679
0b746394c9d23654577f4c0f2a39a543
0b78347acf76d4bb66212bf9a41b9fb9
0ed86587124f08325cd8f3d3d2556292
17eacf4b4ae2ca4b07672dcc12e4d66d
1c89fb4aee20020bfd75713264df97cd
1e2acecce7b5e9045b07d65e9e8afe1f
1ecd83ee7e4cfc8fed7ceb998e75b996
1f1a3fe0a31bd0b17bc63967de0ccc29
202a7eec39951e1c0b1c9d0a2e24a4c4
225cdc9b452b6d5a3f7616dcc9333d7d
226cc1f17c4625837b37b5976acbd68e
35943aa640e122fcb127b2bfd6e29816
35f9cfe5110471a82e330d904c97466a
394b05394ebb9b239a063a6b5839edb9
3e6119ebfacd1d88acbd2ca460c70b49
43f218d3a4b2199468b00a0b43f51c79
44fa8daa347ef5dd107bf123b4688797
4753679cef5162000233d69330208420
4b1f1db4f169ca6b57015b313d665045
5473fa2c5823fbab2b94e8d5c44bc7b4
5496adcd712d4378950ba62ad4c2423b
570a4253ae80ee8c2b6b23386e273f3a
5c87373eef090bed525b80aef398ee8a
5dd1ccc8fb2a5615bf5656721339efed
64965a88e819fb93dbabafc4e3ad7b6c
64cac69ab1e9108e0035f9ce38b47db7
693afaedf740492df2a09dfcc08a3dff
695e5b8dc9615ec603fe2cbb7326a50f
6da7d8aec65436e1350f1c0dfc4016b7
6e21cc6669ada41e48b369b64ec5f37b
72756e6ebb8274d9352d8d1e7e505906
76f02ab112b8e077544d0c0a6e0c428a
7ba37d662f19bef27c3da2fd2cee0e3a
7f0e773397808b4328ad11d6948a683f
7f953c6988d829c9c4ac2002572c9055
80d34f9ca10b0e8b49c02139e4615b7a
8543667917a318001d0e331aeae3fb9b
855e26d530e69ddc77bb19561fb19d90
85b6e4ea8707149b48e41454cbd0d5ad
8766fe8380b144907efa286a814c2241
8b3ec4b9c7ad20af418e89ca6066a3ad
8f919e6d8970faede0b10cfd5f82da53a83ca34d
947124467bd04b7624d9b31e02b5ee7f
9a5fa5c5f3915b2297a1c379be9979f0
9a87f19609f28d7f7d76f9759864bd08
9ec3a4257564658f651896abc608680e
a545f548b09fdf61405f5cc07e4a7fa1
a76624578ed42cceba81c76660977562
b1225fa644eebafba07f0f5e404bd4fd
b457e8e9d92a1b31a4e2197037711783
b517e7ad07d1182feb4b8f61549ff233
bf5d815597018fe7f3dfb52d4f7e1f65
c07e04d388fb394ac190aace51c03c33
c16a6178a4910c6f3263a01929f306b9
c2ab2a8ffdc18c24080e889a634ef279
c41eb1ea59fab31147c5b107cc1c5a51
cc5a8a15d5808002e62d5daf2d4f31b3
cf2ff5b59c638a06d8b81159b9a435ea
d52b5d8c20964333f79ff1bce3385d0b
e273803ae6724a714b970dd86ca1acd0
e3d03829cbec1a8cca56c6ae730ba9a8
ea5d322648ff108b1c9cbdd1ef4a5959
eb9db98914207815d763e2e5cfbe96b9
fa3e49c877a95f37fd25dbd62f9e274c
fa868a38ceeb46ee9cf8bd441a67ae27
fe32303e69b201f9934248cc06b32ef8
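A practical way to use a mixed hash list like the one above is to sort the entries by algorithm (the list is MD5 except for one 40-hex-character SHA-1 value) and then hash files once with every algorithm the list needs. The following is an added example, not code from the AhnLab report or the lazarusholic site; it embeds three hashes copied from the list above, plus one non-hash line to show that junk is skipped, and the sample files it scans are constructed in a temporary directory (the "match" is a constructed file whose MD5 is injected into the set, since no real sample is on this page). The function names are the example's own.

```python
import hashlib
import os
import re
import tempfile

# Three entries copied from the IoC list above, plus a deliberately bad line.
IOC_TEXT = """
0171c4a0a53188fe6f9c3dfcc5722be6
8f919e6d8970faede0b10cfd5f82da53a83ca34d
fe32303e69b201f9934248cc06b32ef8
not-a-hash
"""

# Hex digest length identifies the algorithm: 32 -> MD5, 40 -> SHA-1, 64 -> SHA-256.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_iocs(text):
    """Return {algo: set(lowercase hex digests)}; non-hex or unknown-length lines are skipped."""
    iocs = {algo: set() for algo in HEX_LEN_TO_ALGO.values()}
    for line in text.splitlines():
        token = line.strip().lower()
        if not token or not re.fullmatch(r"[0-9a-f]+", token):
            continue
        algo = HEX_LEN_TO_ALGO.get(len(token))
        if algo:
            iocs[algo].add(token)
    return iocs


def hash_file(path, algos):
    """Read the file once and return {algo: hexdigest} for every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, iocs):
    """Walk root and return (path, algo, digest) for each file whose digest is in iocs."""
    algos = [a for a, digests in iocs.items() if digests]  # only hash with algorithms the list uses
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, algos)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo():
    """Constructed scenario: one benign file and one file whose MD5 is injected into the IoC set."""
    iocs = parse_iocs(IOC_TEXT)
    data = b"constructed sample, not real malware"  # constructed content, not a Lazarus sample
    sample_md5 = hashlib.md5(data).hexdigest()
    iocs["md5"].add(sample_md5)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.bin"), "wb") as f:
            f.write(data)
        with open(os.path.join(d, "clean.txt"), "wb") as f:
            f.write(b"benign")
        hits = scan_tree(d, iocs)
    return iocs, hits, sample_md5


if __name__ == "__main__":
    parsed, found, _ = demo()
    print({a: len(s) for a, s in parsed.items()})
    for hit in found:
        print("HIT", hit)
```

Point the scanner at a real directory by replacing the temporary-directory block with `scan_tree("/path/to/check", parse_iocs(open("iocs.txt").read()))`. Because the entries are keyed by algorithm, the SHA-1 value from the list is compared only against SHA-1 digests and never silently ignored.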