Hunting Lazarus: Expanding Indicators with Historic DNS
How to use Validin's DNS history and host responses to track the Lazarus Group APT
Introduction
Lazarus Group (APT38) is a North Korean state-sponsored cyber threat group, attributed to the Reconnaissance General Bureau, that has been active since 2009 and is widely thought to be responsible for the Sony Pictures Entertainment cyber-attack in 2014. Lazarus Group uses phishing and impersonation tactics to deceive its victims and is known for using meeting-themed domain names in its phishing attempts.
In this post, we will demonstrate how to use historic DNS with detailed annotations to expand from known indicators to discover current and recent domain names and IP addresses associated with Lazarus Group with high confidence.
Starting Point
This search begins with this Tweet by Michael Koczwara, highlighting a familiar tactic by Lazarus Group:
We'll start by searching for the reported domain in Validin:
We note a few things:
- Validin highlights the association of this domain with …
IoC