
Is Lazarus/APT38 Targeting Critical Infrastructures?

2019-11-04, Marcoramilli
https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/amp/
#APT38 #KKNPP

Introduction
During the past few days a cyber attack hit the Kudankulam Nuclear Power Plant (KKNPP), the largest nuclear power plant in India, located in the state of Tamil Nadu. The news surfaced on Monday, October 28. In an NPCIL press release quoted by Ars Technica, NPCIL Associate Director A. K. Nema stated: "Identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In [India's national computer emergency response team] when it was noticed by them on September 4, 2019."
On October 28 at 2:37 PM, Twitter user @a_tweeter_user posted a VirusTotal link claiming it pointed to the malware employed in the KKNPP cyber attack. When I saw that link, I was fascinated enough by the incident that I decided to take a closer look at the sample, in order to better understand what it is and who could be behind such a …

IoC

192.168.56.2 (IPv4; an RFC 1918 private address, so it is an artefact of the sample or of its test environment rather than a routable C2 you can block or hunt for at the perimeter)
3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682 (SHA-256)
75171549224b4292974d6ee3cf397db8 (PE import hash; the pe.imphash() value the rule below keys on)
93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9 (SHA-256)
a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68 (SHA-256)
bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364 (SHA-256; hash1 in the rule below)
c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c (SHA-256)
// The condition calls pe.imphash(), so the pe module must be imported or the rule does not compile.
import "pe"

rule lazarus_dtrack {
    meta:
        description = "lazarus - dtrack on nuclear implant KKNPP"
        date = "2019-11-02"
        hash1 = "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364"
    strings:
        // $x strings: operator-specific artefacts (internal host 10.38.1.35, staging path, browser-profile paths); one is enough to fire.
        $x1 = "move /y %s \\\\10.38.1.35\\C$\\Windows\\Temp\\MpLogs\\" fullword ascii
        $x2 = "Execute_%s.log" fullword ascii
        $x3 = "%s\\%s\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" fullword ascii
        // $s strings: collector commands, hard-coded SMB credentials, User-Agent and embedded sqlite3 shell text; four are required.
        $s4 = "CCS_/c ping -n 3 127.0.0.1 >NUL & echo EEEE > \"%s\"" fullword ascii
        $s5 = "%s\\%s\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" fullword ascii
        $s6 = "Usage: .system COMMAND" fullword ascii
        $s7 = "Usage: .dump ?--preserve-rowids? ?--newlines? ?LIKE-PATTERN?" fullword ascii
        $s8 = "CCS_shell32.dll" fullword ascii
        $s9 = "%s:%d: expected %d columns but found %d - filling the rest with NULL" fullword ascii
        $s10 = "%s:%d: expected %d columns but found %d - extras ignored" fullword ascii
        $s11 = "%s\\%s\\AppData\\Application Data\\Mozilla\\Firefox\\Profiles" fullword ascii
        $s12 = "net use \\\\10.38.1.35\\C$ su.controller5kk /user:KKNPP\\administrator" fullword ascii
        $s13 = "VALUES(0,'memo','Missing SELFTEST table - default checks only',''), (1,'run','PRAGMA integrity_check','ok')" fullword ascii
        $s14 = "CCS_Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" fullword ascii
        $s15 = "Usage %s sub-command ?switches...?" fullword ascii
        $s16 = "Usage: .log FILENAME" fullword ascii
        $s17 = "Content-Disposition: form-data; name=\"result\"; filename=\"%s.bmp\"" fullword ascii
        $s18 = "%z%sSELECT pti.name FROM \"%w\".sqlite_master AS sm JOIN pragma_table_info(sm.name,%Q) AS pti WHERE sm.type='table'" fullword ascii
        $s19 = "CCS_kernel32.dll" fullword ascii
        $s20 = "CCS_Advapi32.dll" fullword ascii
    condition:
        // The imphash branch fires on its own: any PE with the same import table matches,
        // so treat an imphash-only hit as lower confidence than a string hit.
        uint16(0) == 0x5a4d and filesize < 2000KB and
        ( pe.imphash() == "75171549224b4292974d6ee3cf397db8" or ( 1 of ($x*) or 4 of them ) )
}
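The list above mixes indicator types, and not all of them are actionable in the same way: the IP is private, the 32-hex value is an import hash rather than a file hash, and only the SHA-256 values identify specific samples. The script below is an added example (not Marco Ramilli's code) that classifies each raw indicator, marks non-routable addresses as not usable for perimeter blocking, and sweeps a directory for files whose SHA-256 matches or that carry one of the rule's high-confidence $x strings behind an MZ header. The sample files it creates are constructed for the demo; the helper names (classify, sweep, demo) are mine.

```python
"""IoC triage helper for the KKNPP/Dtrack indicators (added example, not the author's code)."""
import hashlib
import ipaddress
import os
import re
import tempfile

# Raw indicators exactly as listed on the page.
RAW_IOCS = [
    "192.168.56.2",
    "3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682",
    "75171549224b4292974d6ee3cf397db8",
    "93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9",
    "a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68",
    "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364",
    "c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c",
]

# The $x strings of lazarus_dtrack as raw bytes (Python escaping, not YARA escaping).
X_STRINGS = [
    b"move /y %s \\\\10.38.1.35\\C$\\Windows\\Temp\\MpLogs\\",
    b"Execute_%s.log",
    b"%s\\%s\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles",
]

HEX32 = re.compile(r"^[0-9a-f]{32}$")
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def classify(ioc):
    """Return (kind, actionable) for one raw indicator string."""
    s = ioc.strip().lower()
    try:
        ip = ipaddress.ip_address(s)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918, loopback and link-local addresses are not routable, so they
        # cannot be blocked or hunted for at the perimeter.
        return ("ipv%d" % ip.version, ip.is_global)
    if HEX64.match(s):
        return ("sha256", True)
    if HEX32.match(s):
        # 32 hex chars is MD5-shaped; on this page it is the pe.imphash() value.
        return ("imphash_or_md5", True)
    return ("unknown", False)


def classify_all(iocs):
    return {ioc: classify(ioc) for ioc in iocs}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk root and report files matching a SHA-256 IoC or containing any $x string.

    Mirrors the rule's MZ header and <2000KB gating. This is a fallback for hosts
    without yara; it does not evaluate imphash or the 4-of-$s branch.
    """
    hashes = {i.lower() for i in iocs if classify(i)[0] == "sha256"}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in hashes:
                hits.append((path, "sha256:" + digest))
                continue
            if os.path.getsize(path) >= 2000 * 1024:
                continue
            with open(path, "rb") as f:
                data = f.read()
            if data[:2] == b"MZ" and any(x in data for x in X_STRINGS):
                hits.append((path, "x-string"))
    return hits


def demo():
    """Constructed sample set: a fake PE stub embedding one $x string, plus a text
    file with the same string but no MZ header (must not match)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.bin"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"Execute_%s.log" + b"\x00" * 16)
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"Execute_%s.log")
        return sweep(d, RAW_IOCS)


if __name__ == "__main__":
    for ioc, (kind, actionable) in classify_all(RAW_IOCS).items():
        print("%-64s %-15s %s" % (ioc, kind, "actionable" if actionable else "NOT actionable"))
    print(demo())
```

Run it directly to see the classification table and the single constructed hit. For a real sweep, point sweep() at a mounted evidence volume and run the YARA rule itself alongside, since only yara evaluates the imphash and the 4-of-$s branches.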