APT Lazarus: Eager Crypto Beavers, Video calls and Games
Explore the growing threats posed by the Lazarus Group's financially-driven campaign against developers. We will examine their recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases. Additionally, we will analyze their tactics, techniques, and indicators of compromise.
September 4, 2024 · 16 min to read · Malware Analysis
Lazarus APT
Malware analysis
Python Scripts
Threat Intelligence
Introduction
Lazarus is definitely going full steam ahead this year with their cyber campaign. Beaver fever has continued into 2024 with the Lazarus-led Contagious Interview campaign still creating all sorts of mayhem. This campaign begins with a fictitious job interview, tricking job-seekers into downloading and running a Node.js project that contains the BeaverTail malware, which in turn delivers the Python backdoor known as InvisibleFerret. BeaverTail was first discovered by PANW researchers as JavaScript malware in November 2023, but recently a native …
IoC
File hashes (SHA-256)
000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923
0049e2f4f746aa0ec1713cb83dbf8e30d535c01e7b7f10133ae14da0c6a68d69
01b7306554f6e6bac63f5524588ff5c880b5afb4394074d1c132ecc554c72c83
0620a7fa8c6e416d96fe3d3baf4cd925b1a72ce1db8d3eacfb1e10c5fe434962
0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd
06384aedc3614ee73cc7319e30975fca00d43981b626ba5f2b993a254e20d818
0f5f0a3ac843df675168f82021c24180ea22f764f87f82f9f77fe8f0ba0b7132
14e52430f1d1fa390973294d50849ee500061758721c8e28424871812d237132
1bbb953890e752a6898afe71121583881c3eebd2365df7d985c52dda0bd89e14
1be03204709c037378ae96197700148303875a99b8f14838bdabfaceed5693e4
1e5d3ee4c0eb6d67f6bc812cf492c53683962252ddb6ac5285ed251ab4a48ddc
23b2df9ae70e592c6d82ee1aa1edd00aee982fc2df859f813224a0c908106789
24b89c77eaeebd4b02c8e8ab6ad3bd7abaa18893ecd469a6a04eda5e374dd305
2a8c90885a8bea74cfe918f3ac6b939990e5ff25434a8c70f7a67d42e03936bd
2ed5e202190df967c06750ba11aa8486c309e21875594a68f3dff3abb01f569d
2f86acdfdf19c1719189fb121cc9391453d83989aa5c07d4144c9fb6585610cc
301678669e05064d13f1912caae530f0b23f5c83a98352e4b0b53a19128a40cf
306adab1769c48e09e5a637c82b6b32cd57e4895cc727860f02b558f406e7f34
36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670
47e876110f5e478a739ca3ad034707c1011c89d3a73a1047d0bfa5359a9cfe4b
64b1aca7b36e662132ae60c2d2df6ea5872239d2b2632d88fdf1b1f383e0d446
7180f5a1c2554b77b4c21a727cca65cc0f9f023f6cac05b295d7172dad07023f
7e378c2f0a92c355473b2e2d25d6df9d075ccf89048f7ab10dd4d30c2243a6b1
7f13ca9848086e3de9be971ea8d44ea97ec289c4565ce35b0049c8b534fccbef
887594f18cdbbae4ceef62572e813810b75c8edfb3c4971097d8f8a74f9f103c
9110515c2d5f6f48871f0631f411d55f2f0307286e6678952f5d86abe5ce11a9
9742da5b33866edb8b280fe10909f3f60bc5bf3a33e918d9889e4552f5ce25e3
9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c
9e3a9dbf10793a27361b3cef4d2c87dbd3662646f4470e5242074df4cb96c6b4
a6c9f8c06fdb15de26656e5e490990984634e2c1c05232d3260c29970f9dd6f3
a87b6664b718a9985267f9670e10339372419b320aa3d3da350f9f71dff35dd1
b378d389fd31c6cb65fc85ea960b609049c5f97266cafcbfc6d261fa09355cc0
b653153a94c275f8f1156298c905b86943cb2a63c8b2211e65cf2a1a671c98d1
b8e69d6a766b9088d650e850a638d7ab7c9f59f4e24e2bc8eac41c380876b0d8
c0110cb21ae0e7fb5dec83ca90db9e250b47a394662810f230eb621b0728aa97
c19cdedf8f800d2eeccd5094d7d054dcc00a998356eeae822c14a25f0ce400f2
c373c4c2922f7ca49e2cf5670052d071b15649164ed32a321b7c6fb1a7f2ca6b
cd13a9c92210ada940a44769874dd6716f85c4e4e9d7323ec5789c7b253d937d
ce572304131bd7c4fd34c3a919de403007c842d9c225d080b4ac31e7c8da606e
d356a0668a0f7827d8041eaebdbc003a5b96fe0d82a353ab802dab31bdc5c323
d502f822e6c52345227b64e3c326e2dbefdd8fc3f844df0821598f8d3732f763
d5c0b89e1dfbe9f5e5b2c3f745af895a36adf772f0b72a22052ae6dfa045cea6
d801ad1beeab3500c65434da51326d7648a3c54923d794b2411b7b6a2960f31e
d8806fb404bf29e4a3941c912cbb48553ad5340e1b7195a94e6abf8d75b9102c
dcde59721b78e6797ee7f79c0e19c4a1c5a7806d20cbfa4a6ebb8efca189baf3
ddc4162a71f13cc39519c0f8917b960f3536c47be710bde010bb6e87afe16bc5
de6f9e9e2ce58a604fe22a9d42144191cfc90b4e0048dffcc69d696826ff7170
fd9e8fcc5bda88870b12b47cbb1cc8775ccff285f980c4a2b683463b26e36bf0
File hashes (MD5)
2c5e45a85a8eed94ffed26a7c3b0790e
675928d7a0a28f70740b7eedf021de82
IP addresses
23.106.253.194
45.61.129.255
45.61.130.0
45.61.131.218
45.61.160.14
45.61.169.187
45.140.147.208
67.203.7.171
67.203.7.245
77.37.37.81
91.92.120.135
95.164.17.24
144.172.74.48
144.172.79.23
147.124.212.89
147.124.212.146
147.124.213.11
147.124.213.29
147.124.214.129
147.124.214.131
147.124.214.237
167.88.36.13
167.88.168.24
167.88.168.152
172.86.97.80
172.86.98.143
172.86.98.240
172.86.123.35
173.211.106.101
185.235.241.208
URLs
http://blocktestingto.com
http://de.ztec.store:8000
http://freeconference.io
http://ipcheck.cloud
http://mirotalk.net
http://regioncheck.net
Other indicators (listed as-is on the original page)
9619770014