
Infostealer malware linked to Lazarus Group campaigns

2025-02-07, RayssaCardoso
https://medium.com/@rayssac/infostealer-malware-linked-to-lazarus-group-campaigns-a510ad5f3e4f
#ClickFix #ContagiousInterview #Lazarus

Contents

These days I've been analyzing a highly malicious Python script containing heavily Base64-encoded strings compressed with zlib. The script was cloned from a malicious Git repository, but its delivery method piqued my curiosity.
The Analysis
The code was designed to run through multiple repeated stages, where each obfuscation stage unwrapped into the previous one until the loop was completed, ultimately decoding and revealing the actual malware code.

_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)

- The code uses a lambda function (_):
  - It reverses the provided string ([::-1]).
  - Decodes the string using Base64 (base64.b64decode).
  - Decompresses the result with zlib (zlib.decompress).
  - The final output of the lambda function is passed to exec(), which executes the reconstructed Python code.
Obfuscated scripts commonly use methods such as:
- Base64 encoding
- Compression (zlib, gzip)
- String decoding
The action plan was to identify the final code with readable text by decoding and decompressing …
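The unwrapping loop described above, as an added example that is not the author's or the malware's code: it peels the reverse/Base64/zlib layers statically, without ever calling exec, and stops when the loader pattern no longer matches. The sample payload is constructed here from a harmless print statement; the regex and function names are assumptions for this illustration.

```python
import base64
import re
import zlib
from typing import Optional, Tuple

# Matches the literal handed to (_) in the loader line; assumption: the
# loader always embeds the blob as a quoted (optionally b'') string.
LOADER_RE = re.compile(r"""exec\(\(_\)\(b?(['"])(?P<payload>.*?)\1\)\)""")


def wrap_stage(source: str) -> str:
    """Build one obfuscation layer in the exact form the loader undoes:
    zlib-compress, Base64-encode, reverse, then embed in the lambda/exec line."""
    blob = base64.b64encode(zlib.compress(source.encode()))[::-1].decode()
    return (
        "_ = lambda __ : __import__('zlib').decompress("
        "__import__('base64').b64decode(__[::-1]));"
        f"exec((_)(b'{blob}'))"
    )


def peel_stage(stage: str) -> Optional[str]:
    """Undo one layer without executing it: extract the literal, reverse it,
    Base64-decode and zlib-decompress. Returns None if the pattern is absent."""
    m = LOADER_RE.search(stage)
    if not m:
        return None
    payload = m.group("payload").encode()
    return zlib.decompress(base64.b64decode(payload[::-1])).decode()


def unwrap(stage: str, max_depth: int = 50) -> Tuple[str, int]:
    """Peel layers until the loader no longer matches; return the final
    plaintext and how many layers were removed (max_depth guards loops)."""
    depth = 0
    while depth < max_depth:
        nxt = peel_stage(stage)
        if nxt is None:
            break
        stage, depth = nxt, depth + 1
    return stage, depth


# Constructed sample: a benign statement wrapped in three loader layers.
FINAL = "print('hello from the final stage')"
SAMPLE = FINAL
for _i in range(3):
    SAMPLE = wrap_stage(SAMPLE)

if __name__ == "__main__":
    code, layers = unwrap(SAMPLE)
    print(f"{layers} layers removed; final code: {code}")
```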

IoC
