lazarusholic


Commonly Known Tools Used by Lazarus

2021-01-20, JPCERT
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html

Contents

It is widely known that attackers, after intruding into a target network, use Windows commands and tools that are commonly known and widely used. The Lazarus attack group, a.k.a. Hidden Cobra, also uses such tools to collect information and spread the infection. This blog post describes the tools they use.
Lateral movement
The following three tools are used for lateral movement. AdFind collects information on clients and users from Active Directory; it has been observed in use by other attack groups as well [1]. SMBMap is used to have their malware infect other hosts. (Also check out our previous blog post on Lazarus.) Responder-Windows has also been observed being used to collect information in the network.

| Name | Description | Reference |
|---|---|---|
| AdFind | Command line tool to collect information from Active Directory | http://www.joeware.net/freetools/tools/adfind/ |
| SMBMap | Tool to list accessible shared SMB resources and access those files | https://github.com/ShawnDEvans/smbmap |
| Responder-Windows | Tool to redirect clients by spoofing LLMNR, NBT-NS and WPAD | https://github.com/lgandx/Responder-Windows |
Stealing sensitive data
These three tools are …

IoC

1E0480E0E81D5AF360518DFF65923B31EA21621F5DA0ED82A7D80F50798B6059
2CD844C7A4F3C51CB7216E9AD31D82569212F7EB3E077C9A448C1A0C28BE971B
30B234E74F9ABE72EEFDE585C39300C3FC745B7E6D0410B0B068C270C16C5C39
47D121087C05568FE90A25EF921F9E35D40BC6BEC969E33E75337FC9B580F0E8
4B7DE800CCAEDEE8A0EDD63D4273A20844B20A35969C32AD1AC645E7B0398220
5D1660A53AAF824739D82F703ED580004980D377BDC2834F1041D512E4305D07
65DDF061178AD68E85A2426CAF9CB85DC9ACC2E00564B8BCB645C8B515200B67
7DCCC776C464A593036C597706016B2C8355D09F9539B28E13A3C4FFCDA13DE3
85703EFD4BA5B691D6B052402C2E5DEC95F4CEC5E8EA31351AF8523864FFC096
A7AD23EE318852F76884B1B1F332AD5A8B592D0F55310C8F2CE1A97AD7C9DB15
B1102ED4BCA6DAE6F2F498ADE2F73F76AF527FA803F0E0B46E100D4CF5150682
C0E27B7F6698327FF63B03FCCC0E45EFF1DC69A571C1C3F6C934EF7273B1562F
CF0121CD61990FD3F436BDA2B2AFF035A2621797D12FD02190EE0F9B2B52A75D
CF02B7614FEA863672CCBED7701E5B5A8FAD8ED1D0FAA2F9EA03B9CC9BA2A3BA
CFD201EDE3EBC0DEB0031983B2BDA9FC54E24D244063ED323B0E421A535CFF92
EA139458B4E88736A3D48E81569178FD5C11156990B6A90E2D35F41B1AD9BAC1
F4C8369E4DE1F12CC5A71EB5586B38FC78A9D8DB2B189B8C25EF17A572D4D6B7
da4ad44e8185e561354d29c153c0804c11798f26915274f678db0a51c42fe656