In depth analysis of Lazarus validator
Contents
In depth analysis of Lazarus validator
Intro
Few days ago we found interesting Word document impersonating Lockheed Martin1. Some time later we realized that this sample was a part of larger and older campaign conducted probably against various military contractor conducting businesses with South Korea and that this campaign was already described, however w couldn’t find any in depth analysis of a validator used by Lazarus so here it is.
Infection vector
There is already a very good analysis done by StrangerealIntel, including an intelligence brief explaining potential reason for this campaign, so we wont into much details here. Whole infection vector can be summarized by flowing picture.
This script can be used to extract files embedded into DOC file as well as key and dll name. It is important to notice that beside two dll’s malicious document also contains another DOC file with a rest of a lure document so target is presented with …
Intro
Few days ago we found interesting Word document impersonating Lockheed Martin1. Some time later we realized that this sample was a part of larger and older campaign conducted probably against various military contractor conducting businesses with South Korea and that this campaign was already described, however w couldn’t find any in depth analysis of a validator used by Lazarus so here it is.
Infection vector
There is already a very good analysis done by StrangerealIntel, including an intelligence brief explaining potential reason for this campaign, so we wont into much details here. Whole infection vector can be summarized by flowing picture.
This script can be used to extract files embedded into DOC file as well as key and dll name. It is important to notice that beside two dll’s malicious document also contains another DOC file with a rest of a lure document so target is presented with …
IoC
0071b20d27a24ae1e474145b8efc9718
074c02f7f5badd5c94d840c1e2ae9f72
075fba0c098d86d9f22b8ea8c3033207
0f0b242fb5d73d08b856bc43432b350000000000000000000000000000000000
1076b25d5fa5cccdddcaf3f788789ae3c4ea9b034066693b6a0560af129ceda6
11fdc0be9d85b4ff1faf5ca33cc272ed
141931bf718c5c4d3931f64b04e2112b65a6bcd46c0092300ff6824b573f8b36
14d79cd918b4f610c1a6d43cadeeff7b
1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f
1bd0ca304cdecfa3bd4342b261285a72
1f254dd0b85edd7e11339681979e3ad6
21515fd6e6eb994defb589b4d0d9d956f7b4cb07823aaec501134ab063d883e9
223e954fd67c6cf75c3a6f987b94784b
23d73fc8f10588944d8dc2073ce6af6d159943f11ac0c140c9b2e67fb0ad8b89
25b37c971fd7e9e50e45691aa86e5f0a
2627b7c827404ee49271bfc6bb152e52cf28e35c4bef1ad256018c5c08daea21
265f407a157ab0ed017dd18cae0352ae
26a2fa7b45a455c311fd57875d8231c853ea4399be7b9344f2136030b2edc4aa
2b02465b65024336a9e15d7f34c1f5d9
2efbe6901fc3f479bc32aaf13ce8cf12
37a3c01bb5eaf7ecbcfbfde1aab848956d782bb84445384c961edebe8d0e9969
3aa8eddf26f5944a24dfeb57c9f49a17
3c5c1a7e7efe4eee3b7650167c664f730f40923a38c3e6640cbb2a4bfe9f64c6
454734dca530d54c4e8f543bdd33b5eb4b50f3039a953b54281dc67a09af4ca6
48b8486979973656a15ca902b7bb973ee5cde9a59e2f3da53c86102d48d7dad8
59cb8474930ae7ea45b626443e01b66d
59fab92d51c50467c1356080e6a5dead
6590f66d6afe155b1109e81e2c36ece73236223ab17ae1a1c77a027be9f7d400
65df11dea0c1d0f0304b376787e65ccb
66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88
69e50a20ea6be94e4336ba8cea3c438e8ce7c4aab66ce1baf26bc3a77200fb27
7228705813d5bc6c6a62fc53ac019344
78d42cedb0c012c62ef5be620c200d43
7b5089c2bea3ec4aa98c5cdf69dac21500000000000000000000000000000000
7f39a52fc6a51b5dd3830064c63f9d4900000000000000000000000000000000
7fdfc719935d938651f45aafef3cd2ecc0020e9b77ac0780edb3ba585c16c9e2
805183c19f4bffca871fb344247bd5d31357480c536c052c8b7c4109f507f3ef
8fc7b0764541225e5505fa93a7376df4
92657b98c2b4ee4e8fa1b83921003c74
a769b39d0c80d1a035dd51efa28b09221cbb6c912def95a57c8910455e333756
a8647a04563b746b1d8d4cdd67616cb646a3f6766d9c2d447541b9dc26452d8b
b493f37ee0fddb1d832ddacaaf417029
b76b6bbda8703fa801898f843692ec1968e4b0c90dfae9764404c1a54abf650b
bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114
c0a8483b836efdbae190cc069129d5c3
cb38822697af45210d2759889c2eb2bf00000000000000000000000000000000
cd5357d1045948ba62710ad8128ae282
cf44576adcfc51a062457398797f99e85b504a70208938180639c2e0cde7ca95
d1c652b4192857cb08907f0ba1790976
d79bfa19e4d32692030d15c2767beb8cd88dc552d51245c88f42edd5129326f0
d7ef8935437d61c975feb2bd826d018373df099047c33ad7305585774a272625
ec254c40abff00b104a949f07b7b64235fc395ecb9311eb4020c1c4da0e6b5c4
f3e4947e32c6b1d0303b342a74426d4de0ad2de8d2bfb83f0003a1ebc650b7a7
f4b55da7870e9ecd5f3f565f40490996
f6d6f3580160cd29b285edf7d0c647ce
http://www.astedams.it/include/inc-elenco-offerter.asp
http://www.elite4print.com/admin/order/batchPdfs.asp
https://blog.malwarelab.pl/posts/lazarus_validator/
https://www.astedams.it/uploads/frame/61.dotm
https://www.astedams.it/uploads/template/17.dotm
https://www.curiofirenze.com/newsl/include/inc-map.asp
https://www.sanlorenzoyacht.com/newsl/uploads/docs/1.dotm
https://www.sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
[email protected]
rule apt_NK_Lazarus_DllImplat_cfg_decoder { meta: reference = "https://blog.malwarelab.pl/posts/lazarus_validator/" hash = "bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114" hash = "26a2fa7b45a455c311fd57875d8231c853ea4399be7b9344f2136030b2edc4aa" author = "Maciej Kotowicz, [email protected]" copyright = "MalwareLab.pl" date = "2020-05-18" strings: $c0 = { 6A 15 59 8B F2 8D 7C 24 ?? F3 A5 8B ?? 24 ?? 83 E? 0F 6A 10 58 2B C? F7 D? 1B ?? 23 ?? 03 } $c1 = { B9 15 00 00 00 8B F2 8D 7C 24 ?? F3 A5 8B ?? 24 ?? [2] 83 E? 0F } condition: uint16(0) == 0x5a4d and any of them }
rule apt_NK_Lazarus_DllImplat_cmd_line { meta: reference = "https://blog.malwarelab.pl/posts/lazarus_validator/" hash = "141931bf718c5c4d3931f64b04e2112b65a6bcd46c0092300ff6824b573f8b36" hash = "b76b6bbda8703fa801898f843692ec1968e4b0c90dfae9764404c1a54abf650b" hash = "37a3c01bb5eaf7ecbcfbfde1aab848956d782bb84445384c961edebe8d0e9969" hash = "bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114" hash = "a8647a04563b746b1d8d4cdd67616cb646a3f6766d9c2d447541b9dc26452d8b" hash = "bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114" hash = "48b8486979973656a15ca902b7bb973ee5cde9a59e2f3da53c86102d48d7dad8" hash = "21515fd6e6eb994defb589b4d0d9d956f7b4cb07823aaec501134ab063d883e9" hash = "26a2fa7b45a455c311fd57875d8231c853ea4399be7b9344f2136030b2edc4aa" author = "Maciej Kotowicz, [email protected]" copyright = "MalwareLab.pl" date = "2020-05-18" strings: $s0 = " %s 0 0 %s 1" $s1 = / %s 0 0 [0-9]+ 1/ condition: any of them and filesize <2MB }
074c02f7f5badd5c94d840c1e2ae9f72
075fba0c098d86d9f22b8ea8c3033207
0f0b242fb5d73d08b856bc43432b350000000000000000000000000000000000
1076b25d5fa5cccdddcaf3f788789ae3c4ea9b034066693b6a0560af129ceda6
11fdc0be9d85b4ff1faf5ca33cc272ed
141931bf718c5c4d3931f64b04e2112b65a6bcd46c0092300ff6824b573f8b36
14d79cd918b4f610c1a6d43cadeeff7b
1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f
1bd0ca304cdecfa3bd4342b261285a72
1f254dd0b85edd7e11339681979e3ad6
21515fd6e6eb994defb589b4d0d9d956f7b4cb07823aaec501134ab063d883e9
223e954fd67c6cf75c3a6f987b94784b
23d73fc8f10588944d8dc2073ce6af6d159943f11ac0c140c9b2e67fb0ad8b89
25b37c971fd7e9e50e45691aa86e5f0a
2627b7c827404ee49271bfc6bb152e52cf28e35c4bef1ad256018c5c08daea21
265f407a157ab0ed017dd18cae0352ae
26a2fa7b45a455c311fd57875d8231c853ea4399be7b9344f2136030b2edc4aa
2b02465b65024336a9e15d7f34c1f5d9
2efbe6901fc3f479bc32aaf13ce8cf12
37a3c01bb5eaf7ecbcfbfde1aab848956d782bb84445384c961edebe8d0e9969
3aa8eddf26f5944a24dfeb57c9f49a17
3c5c1a7e7efe4eee3b7650167c664f730f40923a38c3e6640cbb2a4bfe9f64c6
454734dca530d54c4e8f543bdd33b5eb4b50f3039a953b54281dc67a09af4ca6
48b8486979973656a15ca902b7bb973ee5cde9a59e2f3da53c86102d48d7dad8
59cb8474930ae7ea45b626443e01b66d
59fab92d51c50467c1356080e6a5dead
6590f66d6afe155b1109e81e2c36ece73236223ab17ae1a1c77a027be9f7d400
65df11dea0c1d0f0304b376787e65ccb
66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88
69e50a20ea6be94e4336ba8cea3c438e8ce7c4aab66ce1baf26bc3a77200fb27
7228705813d5bc6c6a62fc53ac019344
78d42cedb0c012c62ef5be620c200d43
7b5089c2bea3ec4aa98c5cdf69dac21500000000000000000000000000000000
7f39a52fc6a51b5dd3830064c63f9d4900000000000000000000000000000000
7fdfc719935d938651f45aafef3cd2ecc0020e9b77ac0780edb3ba585c16c9e2
805183c19f4bffca871fb344247bd5d31357480c536c052c8b7c4109f507f3ef
8fc7b0764541225e5505fa93a7376df4
92657b98c2b4ee4e8fa1b83921003c74
a769b39d0c80d1a035dd51efa28b09221cbb6c912def95a57c8910455e333756
a8647a04563b746b1d8d4cdd67616cb646a3f6766d9c2d447541b9dc26452d8b
b493f37ee0fddb1d832ddacaaf417029
b76b6bbda8703fa801898f843692ec1968e4b0c90dfae9764404c1a54abf650b
bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114
c0a8483b836efdbae190cc069129d5c3
cb38822697af45210d2759889c2eb2bf00000000000000000000000000000000
cd5357d1045948ba62710ad8128ae282
cf44576adcfc51a062457398797f99e85b504a70208938180639c2e0cde7ca95
d1c652b4192857cb08907f0ba1790976
d79bfa19e4d32692030d15c2767beb8cd88dc552d51245c88f42edd5129326f0
d7ef8935437d61c975feb2bd826d018373df099047c33ad7305585774a272625
ec254c40abff00b104a949f07b7b64235fc395ecb9311eb4020c1c4da0e6b5c4
f3e4947e32c6b1d0303b342a74426d4de0ad2de8d2bfb83f0003a1ebc650b7a7
f4b55da7870e9ecd5f3f565f40490996
f6d6f3580160cd29b285edf7d0c647ce
http://www.astedams.it/include/inc-elenco-offerter.asp
http://www.elite4print.com/admin/order/batchPdfs.asp
https://blog.malwarelab.pl/posts/lazarus_validator/
https://www.astedams.it/uploads/frame/61.dotm
https://www.astedams.it/uploads/template/17.dotm
https://www.curiofirenze.com/newsl/include/inc-map.asp
https://www.sanlorenzoyacht.com/newsl/uploads/docs/1.dotm
https://www.sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
[email protected]
rule apt_NK_Lazarus_DllImplat_cfg_decoder { meta: reference = "https://blog.malwarelab.pl/posts/lazarus_validator/" hash = "bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114" hash = "26a2fa7b45a455c311fd57875d8231c853ea4399be7b9344f2136030b2edc4aa" author = "Maciej Kotowicz, [email protected]" copyright = "MalwareLab.pl" date = "2020-05-18" strings: $c0 = { 6A 15 59 8B F2 8D 7C 24 ?? F3 A5 8B ?? 24 ?? 83 E? 0F 6A 10 58 2B C? F7 D? 1B ?? 23 ?? 03 } $c1 = { B9 15 00 00 00 8B F2 8D 7C 24 ?? F3 A5 8B ?? 24 ?? [2] 83 E? 0F } condition: uint16(0) == 0x5a4d and any of them }
rule apt_NK_Lazarus_DllImplat_cmd_line { meta: reference = "https://blog.malwarelab.pl/posts/lazarus_validator/" hash = "141931bf718c5c4d3931f64b04e2112b65a6bcd46c0092300ff6824b573f8b36" hash = "b76b6bbda8703fa801898f843692ec1968e4b0c90dfae9764404c1a54abf650b" hash = "37a3c01bb5eaf7ecbcfbfde1aab848956d782bb84445384c961edebe8d0e9969" hash = "bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114" hash = "a8647a04563b746b1d8d4cdd67616cb646a3f6766d9c2d447541b9dc26452d8b" hash = "bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114" hash = "48b8486979973656a15ca902b7bb973ee5cde9a59e2f3da53c86102d48d7dad8" hash = "21515fd6e6eb994defb589b4d0d9d956f7b4cb07823aaec501134ab063d883e9" hash = "26a2fa7b45a455c311fd57875d8231c853ea4399be7b9344f2136030b2edc4aa" author = "Maciej Kotowicz, [email protected]" copyright = "MalwareLab.pl" date = "2020-05-18" strings: $s0 = " %s 0 0 %s 1" $s1 = / %s 0 0 [0-9]+ 1/ condition: any of them and filesize <2MB }