Greetings from Lazarus
Anatomy of a cyber espionage campaign
Date: December 15th, 2020
Version: 1.0
Classification: TLP-White
Contact
HvS-Consulting AG
Parkring 20
85748 Garching bei München
Germany
Phone: 089 / 890 63 62 – 0
Mail: [email protected]
© 2020 HvS-Consulting AG
Contents
1 Introduction and overview ... 2
1.1 Background / Context ... 2
1.2 Attribution ... 2
1.3 Overall timeline ... 3
1.4 Further Lazarus activities ... 5
1.5 Conclusion ... 6
2 Description of observed TTPs ... 7
2.1 Initial Access and Execution ... 7
2.2 Persistence ... 8
2.3 Privilege Escalation ... 9
2.4 Defense Evasion ... 10
2.5 Credential Access ... 10
2.6 Discovery ... 11
2.7 Lateral Movement ... 12
2.8 Collection ... 13
2.9 Command and Control ... 14
2.10 Exfiltration ... 14
2.11 Impact ... 18
3 Appendix: Observed IOCs ... 19
3.1 Filenames, Hashes and Process Execution ... 19
3.2 Regex patterns for filename signatures ... 21
3.3 Command & Control Domains ... 22
3.4 YARA Rules ... 24
© 2020 HvS-Consulting AG
TLP-White
page 1 of 27
1 Introduction and overview
1.1 Background / Context
The incident response team of HvS-Consulting AG was recently involved in coordination, analysis, and
remediation of multiple Advanced Persistent Threats (APT) against different European customers …
IoC
Hashes, IP addresses and URLs as listed. Three caveats before feeding this list into a blocklist: the 192.168.1.x entries are RFC 1918 private addresses and not network indicators; the 32-hex value fa0b87c7e07d21001355caf7b5027219 is an import hash (compared via pe.imphash() in the Mimikatz loader rule below), not a file hash; and several URLs are the sources the report cites (MITRE ATT&CK, CISA, vendor write-ups, the licence text) rather than attacker infrastructure. Sections 3.1 and 3.3 of the report hold the authoritative indicator lists.
02E319AF73A33547343B71D5CB1064BC
125.206.177.152
137.74.114.227
192.168.1.1
192.168.1.17
192.168.1.23
192.168.1.240
192.168.1.255
42e4a9aeff3744bbbc0e82fd5b93eb9b078460d8f40e0b61b27b699882f521be
829462fc6d84aae04a962dfc919d0a392265fbf255eab399980d2b021e385517
94d2448d3794ae3f29678a7337473d259b5cfd1c7f703fe53ee6c84dd10a48ef
961a66d01c86fa5982e0538215b17fb9fae2991331dfea812b8c031e2ceb0d90
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9
d16163526242508d6961f061aaffe3ae5321bd64d8ceb6b2788f1570757595fc
f09d9c7783adb4a44d48c77e412319e1c9cd4384
fa0b87c7e07d21001355caf7b5027219
http://125.206.177.152/old/viewer.php
http://137.74.114.227/theveniaux/webliotheque/public/css/main.php
http://admin.shcpa.co.kr/_asapro2/formmail/lib.php
http://indoweb.org/love/data/common/common.php
http://pennontraders.com/assets/slides/view.jsp
http://support.medicalinthecloud.com/TechCenter/include/slide.asp
http://www.anca-aste.it
http://www.anisweb.org/layout/site/style/preview.jsp
http://www.hirokawaunso.co.jp/wordpress/wp-includes/review.php
http://www.mannpublicwhseltd.com/cservice.asp
https://95octane.com/
https://acanicjquery.com/slides/style.php
https://attack.mitre.org/groups/G0032/
https://bootcamp-coders.cnm.edu/~dmcdonald21/emojireview/storage/framework.php
https://creativecommons.org/licenses/by-nc/4.0/
https://genieaccount.com/images/common/common.asp
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-0505/Analysis.md
https://github.com/hvsconsulting/ioc_signatures
https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp
https://premier-inn.jp/
https://prestigein-am.jp/akita/wp-includes/wp-rss1.php
https://turnscor.com/ACT/images/slide/view.jsp
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
https://vega.mh-tec.jp/.well-known/index.php
https://www.ancaaste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm
https://www.apars-surgery.org/bbs/bbs_files/board_photo/menu.php
https://www.arumdaunresort.com/admin/html/user/contact.asp
https://www.astedams.it/photos/image/image.asp
https://www.automercado.co.cr/empleo/css/main.jsp
https://www.calculadoras.mx/themes/pack/pilot.php
https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf
https://www.curiofirenze.com/include/inc-site.asp
https://www.emilypress.com/CMWorking/Static/service/center.asp
https://www.fabianiarte.com/pdf/thumbs/thumb.asp
https://www.fabianiarte.com/uploads/imgup/21it-23792.jpg
https://www.factmag.com/
https://www.fidesarte.it/thumb/multibox/style/common.asp
https://www.forecareer.com/gdcareer/officetemplate20nab.asp?iqxml=NVcareer183991
https://www.gonnelli.it
https://www.gonnelli.it/uploads/catalogo/thumbs/thumb.asp
https://www.hansolhope.or.kr/welfare/notice/view.jsp
https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf
https://www.hybridanalysis.com/sample/d16163526242508d6961f061aaffe3ae5321bd64d8ceb6b2788f1570757595fc?environmentId=2
https://www.index-consulting.jp/eng/news/index.php
https://www.leemble.com/
https://www.lyzeum.com/popup/popup.asp
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes
https://www.ne-ba.org/
https://www.paghera.com/content/view/thumb/info.asp
https://www.reseau-canope.fr/conventions/css/en/edit.jsp
https://www.sanlorenzoyacht.com/newsl/include/inc-map.asp
https://www.shikshakibaat.com/classes/detail.jsp
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf
https://yakufreshperu.com/facturacion/public/css/main.php
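Lists like the one above mix file hashes, an import hash, public and private IP addresses, attacker URLs and reference links, and every one of them looks like an indicator to a naive ingest script. The following is an added example, not code from the report or from HvS-Consulting, that sorts such a list into per-type blocklists and records why an entry was skipped. The sample input is a constructed subset of the list above; the set of reference hosts is an assumption read off the URLs in the list, and the one known import hash is taken from the pe.imphash() comparison in the Mimikatz loader rule.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed subset of the IoC list above, used as sample input.
SAMPLE_IOCS = [
    "02E319AF73A33547343B71D5CB1064BC",
    "125.206.177.152",
    "192.168.1.17",
    "192.168.1.255",
    "42e4a9aeff3744bbbc0e82fd5b93eb9b078460d8f40e0b61b27b699882f521be",
    "f09d9c7783adb4a44d48c77e412319e1c9cd4384",
    "fa0b87c7e07d21001355caf7b5027219",
    "https://www.fabianiarte.com/pdf/thumbs/thumb.asp",
    "http://www.anca-aste.it",
    "https://attack.mitre.org/groups/G0032/",
    "https://creativecommons.org/licenses/by-nc/4.0/",
    "not an indicator",
]

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Import hashes look like MD5 but identify an import table, not a file. This one
# is the value compared by pe.imphash() in the HvS Mimikatz loader rule.
KNOWN_IMPHASHES = {"fa0b87c7e07d21001355caf7b5027219"}

# Hosts that occur in the list only as cited sources or licence text.
# Assumption: this set was derived by reading the URLs in the list above;
# extend it when processing other reports.
REFERENCE_HOSTS = {
    "attack.mitre.org", "creativecommons.org", "github.com", "us-cert.cisa.gov",
    "www.clearskysec.com", "www.welivesecurity.com", "www.mcafee.com",
    "www.hvs-consulting.de", "www.hybridanalysis.com",
}


def classify(value):
    """Return (kind, normalized value, disposition) for one list entry."""
    v = value.strip()
    low = v.lower()
    if HEX_RE.match(low) and len(low) in HASH_KINDS:
        if low in KNOWN_IMPHASHES:
            return "imphash", low, "skip-not-a-file-hash"
        return HASH_KINDS[len(low)], low, "block"
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        # is_global is False for RFC 1918, loopback, link-local and similar ranges
        return "ip", str(ip), "block" if ip.is_global else "skip-private"
    if low.startswith(("http://", "https://")):
        host = (urlparse(v).hostname or "").lower()
        if host in REFERENCE_HOSTS:
            return "url", v, "skip-reference"
        return "url", v, "block"
    return "unknown", v, "skip-unparsed"


def build_blocklist(values):
    """Split entries into per-type blocklists plus a list of (entry, reason) skips."""
    blocklist = {"md5": [], "sha1": [], "sha256": [], "ip": [], "url": []}
    skipped = []
    for value in values:
        kind, norm, disposition = classify(value)
        if disposition == "block":
            blocklist[kind].append(norm)
        else:
            skipped.append((norm, disposition))
    return blocklist, skipped


if __name__ == "__main__":
    bl, sk = build_blocklist(SAMPLE_IOCS)
    for kind, entries in bl.items():
        for e in entries:
            print(f"{kind:7} {e}")
    for value, why in sk:
        print(f"skipped ({why}): {value}")
```

The skip reasons are kept rather than silently dropped so that an analyst can review them: a private address may still matter as context for the intrusion (which internal hosts the scanner touched), it just must not end up on a perimeter blocklist.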
import "pe"

// The pe module is required by the version_info, exports and imphash checks used in the rules below.
rule HvS_APT37_RAT_loader {
meta:
description = "iconcash.db"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Marc Stroebel"
date = "2020-12-15"
hash = "b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9"
reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
reference2 = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
condition:
(pe.version_info["OriginalFilename"] contains "MFC_DLL.dll") and
(pe.exports("SMain") and pe.exports("SMainW") )
}
rule HvS_APT37_cred_tool {
meta:
description = "Unknown cred tool used by APT37"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Markus Poelloth"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
strings:
$s1 = "<requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
$s2 = "Domain Login" fullword ascii
$s3 = "IEShims_GetOriginatingThreadContext" fullword ascii
$s4 = " Type Descriptor'" fullword ascii
$s5 = "User: %s" fullword ascii
$s6 = "Pass: %s" fullword ascii
$s7 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
$s8 = "E@c:\\u" fullword ascii
condition:
filesize < 500KB and 7 of them
}
rule HvS_APT37_mimikatz_loader_DF012 {
meta:
description = "Loader for encrypted Mimikatz variant used by APT37"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Marc Stroebel"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "42e4a9aeff3744bbbc0e82fd5b93eb9b078460d8f40e0b61b27b699882f521be"
strings:
$s1 = ".?AVCEncryption@@" fullword ascii
$s2 = "afrfa"
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
(pe.imphash() == "fa0b87c7e07d21001355caf7b5027219") and (all of them)
}
rule HvS_APT37_smb_scanner {
meta:
description = "Unknown smb login scanner used by APT37"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Marc Stroebel"
date = "2020-12-15"
reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
reference2 = "https://www.hybridanalysis.com/sample/d16163526242508d6961f061aaffe3ae5321bd64d8ceb6b2788f1570757595fc?environmentId=2"
strings:
$s1 = "Scan.exe StartIP EndIP ThreadCount logfilePath [Username Password Deep]" fullword ascii
$s2 = "%s - %s:(Username - %s / Password - %s" fullword ascii
$s3 = "Load mpr.dll Error " fullword ascii
$s4 = "Load Netapi32.dll Error " fullword ascii
$s5 = "%s U/P not Correct! - %d" fullword ascii
$s6 = "GetNetWorkInfo Version 1.0" fullword wide
$s7 = "Hello World!" fullword wide
$s8 = "%s Error: %ld" fullword ascii
$s9 = "%s U/P Correct!" fullword ascii
$s10 = "%s --------" fullword ascii
$s11 = "%s%-30s%I64d" fullword ascii
$s12 = "%s%-30s(DIR)" fullword ascii
$s13 = "%04d-%02d-%02d %02d:%02d" fullword ascii
// Column headers of the scanner's share listing. The whitespace between the words did not survive extraction, so it is matched loosely here.
$s14 = /Share:\s+Local Path:\s+Uses:\s+Descriptor:/ ascii
$s15 = /Share:\s+Type:\s+Remark:/ ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (10 of them)
}
rule HvS_APT37_webshell_controllers_asp {
meta:
description = "Webshell named controllers.asp or inc-basket-offer.asp used by APT37"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "829462fc6d84aae04a962dfc919d0a392265fbf255eab399980d2b021e385517"
strings:
$s0 = "<%@Language=VBScript.Encode" ascii
// The 64 case permutations of "server" in "server.scripttimeout" (Server.ScriptTimeOut) as encoded by the Microsoft Script Encoder (VBScript.Encode). The last 14 bytes, the encoding of ".scripttimeout", are identical in every variant.
$x1 = { 64 7F 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x2 = { 64 7F 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x3 = { 64 7F 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x4 = { 64 7F 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x5 = { 64 7F 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x6 = { 64 7F 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x7 = { 64 7F 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x8 = { 64 41 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x9 = { 64 41 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x10 = { 64 41 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x11 = { 64 41 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x12 = { 64 7F 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x13 = { 64 41 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x14 = { 64 41 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x15 = { 64 41 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x16 = { 64 41 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x17 = { 64 41 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x18 = { 64 41 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x19 = { 64 41 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x20 = { 64 41 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x21 = { 64 41 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x22 = { 64 41 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x23 = { 64 7F 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x24 = { 64 41 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x25 = { 64 41 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x26 = { 6A 7F 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x27 = { 6A 7F 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x28 = { 6A 7F 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x29 = { 6A 7F 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x30 = { 6A 7F 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x31 = { 6A 7F 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x32 = { 6A 7F 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x33 = { 6A 7F 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x34 = { 64 7F 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x35 = { 6A 7F 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x36 = { 6A 7F 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x37 = { 6A 7F 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x38 = { 6A 7F 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x39 = { 6A 7F 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x40 = { 6A 7F 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x41 = { 6A 7F 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x42 = { 6A 7F 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x43 = { 6A 41 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x44 = { 6A 41 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x45 = { 64 7F 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x46 = { 6A 41 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x47 = { 6A 41 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x48 = { 6A 41 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x49 = { 6A 41 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x50 = { 6A 41 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x51 = { 6A 41 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x52 = { 6A 41 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x53 = { 6A 41 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x54 = { 6A 41 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x55 = { 6A 41 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x56 = { 64 7F 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x57 = { 6A 41 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x58 = { 6A 41 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x59 = { 6A 41 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x60 = { 6A 41 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x61 = { 64 7F 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x62 = { 64 7F 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x63 = { 64 7F 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
$x64 = { 64 7F 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
condition:
filesize > 50KB and filesize < 200KB and ( $s0 and 1 of ($x*) )
}
rule HvS_APT37_webshell_img_thumbs_asp {
meta:
description = "Webshell named img.asp, thumbs.asp or thumb.asp used by APT37"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "94d2448d3794ae3f29678a7337473d259b5cfd1c7f703fe53ee6c84dd10a48ef"
strings:
$s1 = "strMsg = \"E : F\"" fullword ascii
$s2 = "strMsg = \"S : \" & Len(fileData)" fullword ascii
$s3 = "Left(workDir, InStrRev(workDir, \"/\")) & \"video\""
$a1 = "Server.CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
$a2 = "Dim tmpPath, workDir" fullword ascii
$a3 = "Dim objFSO, objTextStream" fullword ascii
$a4 = "workDir = Request.ServerVariables(\"URL\")" fullword ascii
$a5 = "InStrRev(workDir, \"/\")" ascii
$g1 = "WriteFile = 0" fullword ascii
$g2 = "fileData = Request.Form(\"fp\")" fullword ascii
$g3 = "fileName = Request.Form(\"fr\")" fullword ascii
$g4 = "Err.Clear()" fullword ascii
$g5 = "Option Explicit" fullword ascii
condition:
filesize < 2KB and (( 1 of ($s*) ) or (3 of ($a*)) or (5 of ($g*)))
}
rule HvS_APT37_webshell_template_query_asp {
meta:
description = "Webshell named template-query.asp used by APT37"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Moritz Oettle"
date = "2020-12-15"
reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
hash = "961a66d01c86fa5982e0538215b17fb9fae2991331dfea812b8c031e2ceb0d90"
strings:
$g1 = "server.scripttimeout=600" fullword ascii
$g2 = "response.buffer=true" fullword ascii
$g3 = "response.expires=-1" fullword ascii
$g4 = "session.timeout=600" fullword ascii
$a1 = "redhat hacker" ascii
$a2 = "want_pre.asp" ascii
$a3 = "vgo=\"admin\"" ascii
$a4 = "ywc=false" ascii
condition:
// The condition of this rule did not survive extraction. The expression below is a reconstruction from the strings above, not the published one; check it against https://github.com/hvsconsulting/ioc_signatures before deployment.
filesize < 500KB and (all of ($g*) or 2 of ($a*))
}
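The webshell rules above confirm a script on disk, but the first trace of a webshell is usually in the IIS access log: POST requests to a thumbnail or include script that should only ever be fetched with GET, from a client that also touches the other suspicious names. The following is an added example, not code from the report or from HvS-Consulting, that parses an IIS W3C extended log and aggregates requests to the file names given in the rule descriptions (controllers.asp, inc-basket-offer.asp, img.asp, thumbs.asp, thumb.asp, template-query.asp). The log lines are constructed for the example; the field order is one common IIS configuration and is read from the #Fields header rather than assumed.

```python
from collections import Counter, defaultdict
from posixpath import basename

# File names taken from the descriptions of the webshell rules above.
WEBSHELL_NAMES = {
    "controllers.asp", "inc-basket-offer.asp",
    "img.asp", "thumbs.asp", "thumb.asp",
    "template-query.asp",
}

# Constructed sample in IIS W3C extended log format (not a real log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-11-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-11-02 08:14:02 10.0.0.5 GET /index.asp - 443 - 203.0.113.10 Mozilla/5.0 200 12
2020-11-02 08:15:40 10.0.0.5 POST /uploads/catalogo/thumbs/thumb.asp - 443 - 198.51.100.7 Mozilla/5.0 200 35
2020-11-02 08:15:41 10.0.0.5 POST /uploads/catalogo/thumbs/thumb.asp - 443 - 198.51.100.7 Mozilla/5.0 200 31
2020-11-02 08:20:13 10.0.0.5 GET /photos/image/list.asp id=3 443 - 203.0.113.10 Mozilla/5.0 200 8
2020-11-02 09:01:55 10.0.0.5 GET /include/controllers.asp - 443 - 198.51.100.7 Mozilla/5.0 200 900
2020-11-02 09:30:00 10.0.0.5 GET /THUMB.ASP - 443 - 192.0.2.44 curl/7.68.0 404 2
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line
        yield dict(zip(fields, values))


def hunt_webshell_requests(text):
    """Return the entries whose requested file name matches a known webshell name."""
    hits = []
    for entry in parse_w3c(text):
        # Match on the file name only, case-insensitively: the path on each
        # compromised site differs, and IIS file names are case-insensitive.
        name = basename(entry.get("cs-uri-stem", "")).lower()
        if name in WEBSHELL_NAMES:
            hits.append(entry)
    return hits


def summarize(hits):
    """Aggregate hits by (client IP, script path).

    POSTs are counted separately: the img/thumb webshell receives its payload in
    the POST body (form fields fp and fr, see the rule strings), which IIS does
    not log, so the POST itself is the only trace of an upload.
    """
    summary = defaultdict(lambda: {"requests": 0, "posts": 0, "status": Counter()})
    for e in hits:
        key = (e["c-ip"], e["cs-uri-stem"].lower())
        s = summary[key]
        s["requests"] += 1
        if e["cs-method"].upper() == "POST":
            s["posts"] += 1
        s["status"][e["sc-status"]] += 1
    return dict(summary)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (client, path), s in sorted(summarize(hunt_webshell_requests(text)).items()):
        print(f"{client:15} {path:45} requests={s['requests']} posts={s['posts']} status={dict(s['status'])}")
```

A hit on a name like thumb.asp is a triage lead, not a verdict, since thumbnail scripts with that name exist legitimately; pull the file and run the YARA rules above against it. A 404 for one of these names from an external client is still worth noting, because it shows someone probing for a shell that may exist at a different path.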